How do I edit new DC "Allow Log on Locally" policy setting without having to add all existing groups via gpmc.msc?

    Question

  • Hi,

    I am currently self-studying for the 70-640, and have not sat MS exams before, although I have basic experience.  One of the practise tests in an early chapter asks me to log on to my newly created DC with a standard user account, and I get the message "You cannot log on because the logon method you are using is not allowed on this computer".  Little bit of googling, and I stumbled across http://social.technet.microsoft.com/Forums/en-US/w7itpronetworking/thread/0f750de8-d56e-4951-a2b1-839e55934745/, which advises looking at the group policy settings for "Allow Log On Locally" and "Deny Log On Locally".

    I found with the above that standard users are not listed in "Allow Log On Locally", but I cannot edit via gpedit.msc as the 'Add User or Group' button under this setting is greyed out (I am currently logged in as domain admin).  Numerous searches have pointed me in the direction of gpmc.msc, many similar to the post on May 02, 2009 12:07AM @ http://social.technet.microsoft.com/Forums/en-US/winservermanager/thread/059465f4-a35b-4172-820c-f0c1e0a44d08/.  When I follow this through for my domain, however, I browse all the way through to "Allow Log On Locally" and it is set as 'not defined'.  If I double-click and select 'Define these policy settings' it looks like I have to add all the required groups from scratch.

    Is this meant to be by design?  Essentially, "Allow Log On Locally" is currently set to Account Operators, Administrators, Backup Operators, Print Operators, Server Operators - and all I want to do is add Domain Users to this list, without having to manually add what is already there.

    Any comment on this is greatly appreciated :-)

    Server is vanilla build win2k8 R2 Standard, all updates installed as of 03/01/12, and .net framework 4.0 installed.

    cheers,

     

    Tuesday, January 24, 2012 6:21 PM

Answers

  • Hi Tony,

    That's fantastic, cheers!  I can confirm that this is now working as required.  I have reviewed, and it appears that this is an issue if you try to work through the practise tests in the training kit.  I will check for any errata, and if not covered I will let the relevant bods know.

    Your swift response was appreciated!

    If anybody else runs into this issue, below is a summary of what I have configured:

    After logging on locally with domain admin account:

    (1) run gpmc.msc (Group Policy Management)

    (2) Expand your Domain

    (3) Expand <Group Policy Objects> and right-click <default domain controllers policy>.  Click Edit.

    (4) Expand: <Computer Configurations> <Policies> <Windows Settings> <Security Settings> <Local Policies> <User Rights Assignment>

    (5) Right click <Allow log on locally> and click Properties.  Amend as required.

    (6) Run gpupdate and wait for confirmation: "user policy update has completed successfully" (default gpupdate without switches should only apply the changes)

    (7) Log out and log back in as domain user

    (8) tada

     

    Wednesday, January 25, 2012 2:20 PM

  • Hi dmease,

    Try going through the same steps, but make the modifications to the Default Domain Controllers Policy, linked to the Domain Controllers OU (rather than the Default Domain Policy).  That is where those settings are defined for your DC.

    Hope that helps.

    Tuesday, January 24, 2012 7:50 PM
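
The check behind both answers above, as an added PowerShell example that is not part of the original thread: it lists the accounts that currently hold "Allow log on locally" on the DC and shows which of the two default GPOs actually defines the right. It assumes an elevated session on the DC, the GroupPolicy module, and that both default GPOs still carry their default display names; `Get-LogonRight` is a hypothetical helper name.

```powershell
# Added example: show who holds "Allow log on locally" (SeInteractiveLogonRight)
# and which GPO defines it. Run elevated on the DC; Get-GPO needs the GPMC module.
Import-Module GroupPolicy

function Get-LogonRight {   # hypothetical helper name
    param([string]$Source, [string[]]$Lines, [string]$Right = 'SeInteractiveLogonRight')
    $line = $Lines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    $accounts = @()
    if ($line) {
        foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
            $e = $entry.Trim()
            if (-not $e) { continue }
            if ($e.StartsWith('*')) {
                # "*S-1-..." is a SID: resolve it, or keep the raw SID if that fails
                $sid = New-Object System.Security.Principal.SecurityIdentifier ($e.Substring(1))
                try   { $e = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $e = $sid.Value }
            }
            $accounts += $e
        }
    }
    New-Object PSObject -Property @{ Source = $Source; Defined = [bool]$line; Accounts = $accounts }
}

# Constructed sample line: the five built-in groups listed in the question
$sample = '[Privilege Rights]',
          'SeInteractiveLogonRight = *S-1-5-32-548,*S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-550,*S-1-5-32-549'
$results = @(Get-LogonRight -Source 'Constructed sample' -Lines $sample)

# Effective rights on this machine (the list gpedit.msc shows but will not let you edit)
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$results += Get-LogonRight -Source 'Effective (secedit export)' -Lines (Get-Content -LiteralPath $cfg)
Remove-Item -LiteralPath $cfg

# What each default GPO defines; Defined = False is "Not Defined" in the editor
foreach ($name in 'Default Domain Controllers Policy', 'Default Domain Policy') {
    $gpo = Get-GPO -Name $name
    $inf = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}" +
           '\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
    $infLines = if (Test-Path -LiteralPath $inf) { Get-Content -LiteralPath $inf } else { @() }
    $results += Get-LogonRight -Source $name -Lines $infLines
}
$results | Select-Object Source, Defined,
    @{ Name = 'Accounts'; Expression = { $_.Accounts -join '; ' } } | Format-Table -AutoSize -Wrap
```

Comparing the output before and after step (5) confirms that only the intended group was added to the right.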

All replies


  • Excellent breakdown of a simple fix that can easily elude you if you aren't thinking of permissions.

    Thanks!
    Jon

    Tuesday, January 22, 2013 4:18 PM
  • I am also having the same issue as the OP, and I tried to follow dmease's guidance, but in step 3 the Edit button is greyed out.

    Tuesday, February 19, 2013 6:06 PM
  • That sounds like permissions still.  Can you edit any of the GPOs?  If not, then you need to ensure that the account you're using has rights to manage and edit GPOs for your domain.  If you can edit other GPOs, just not the Default DC Policy, then check the ACLs on the GPO itself.  In GPMC (Group Policy Management Console) click on the GPO in the tree on the left; on the right side go to the Delegation tab.  Make sure that your account has Edit permissions listed, either by group membership or explicitly.  And make sure you're not assigned a Deny permission, either by group membership or explicitly.
    Saturday, May 18, 2013 4:41 PM
  • Thank-you. Just learning my way around the domain controller. Just needed a procedure.

    Stephan Onisick

    Tuesday, July 02, 2013 1:11 PM
  • I'm studying for the 70-640 myself too.

    I couldn't log on with user credentials when following the practice in the book.

    But I found a solution in the same book, but in the French language!

    If you add the group Domain Users (or the objects you want to grant log on locally on the DC) to the group "Print Operators", you can actually log on and display the MMC console.

    It worked for me!

    Cheers


    • Edited by R. Fivet Sunday, October 13, 2013 2:12 PM
    Sunday, October 13, 2013 2:11 PM