Can't set Local Security policies. They fail to save

Al-Amin (Guest)
Posted: Sat Oct 22, 2005 4:50 pm    Post subject: Can't set Local Security policies. They fail to save

Hi,
I’m using Windows SBS 2003 with about 60 computers using XP pro SP2 on the
network.

Out of the blue my administrator account no longer connects to the server
from client computers on the network. It gives me the error "Logon Failure:
The user has not been granted the requested logon type at this computer".

A day later I could no longer logon to the server. It would give me the
error message: “The local policy of this system does not permit you to logon
interactively”. However I can still logon to the server remotely from any of
the systems on the network.

I believe my problems have to do with user rights specifically (Access this
computer from the Network, Allow Logon Locally & Allow Logon through terminal
services) not granted to the administrator. These rights were previously
defined but for some reason the local security policies have been altered.

I'm getting this error when attempting to grant a user any rights through
the local security policy. When I open up the Local Security Policy and
navigate to "User Rights assignment," I can open a policy and add a setting,
but when I click OK, I get this error:
"An extended error has occurred. Failed to save."
After I click through the box, the name appears in the list, but when you
close/reopen the Local Security Policy, it's gone.

I’m in need of help.

--
AIP Admin

Jenny wu [MSFT] (Guest)
Posted: Mon Oct 24, 2005 8:50 am    Post subject: RE: Can't set Local Security policies. They fail to save

Hi,

Thanks for posting here!

From your description, I understand that you have some problems accessing
the SBS server box locally or remotely. If I am off base, please don't
hesitate to let me know.

Before we go further, please kindly help me collect some information to
isolate the issue in order to resolve it efficiently:

1. In the current state, can you log on to the server box remotely (from another
client computer)? Can you log on to the server box locally (before the server
box)?

2. Have you tried using another Administrator user account to test? What was
the result? Have you tried creating a new Administrator account using the Add User
Wizard (Server Management console -> Users -> Add a User) to test? What
was the result?

3. Try rebooting the server box to refresh the configuration and then test. What
was the result?

4. Which computer's local security policy did you change to try to grant the
specific Administrator the log on locally and remotely permissions? Does the
issue of the local security policy not saving happen on the specific
box randomly or all the time? Does it happen on other computers?

5. Can you find any error events in Event Viewer? If yes, please tell me
the detailed error information in the newsgroup or mail me the error log for
further analysis.

Save a text copy of the Application/System log:
A. Open Event Viewer: Start -> All Programs -> Administrative Tools ->
Event Viewer.
B. Right-click on the Application/System log and select "Save Log File As...".
Please send the log files to my mailbox: v-yanniw@microsoft.com

Additionally, I would like to give you some suggestions to try to
troubleshoot the issue:

I. As you know, the error "The local policy of this system does not permit
you to log on interactively" may occur if the user does not have the "logon
locally" user right.

Please check whether the user accounts that cannot log on to the server are
members of either the Remote Operators group or the Domain Power Users
group. On SBS 2003, the "Deny log on locally" policy setting is applied to
the Remote Operators group in the Default Domain Controllers Policy object.
This policy setting also applies to the Domain Power Users group because
the Domain Power Users group is a member of the Remote Operators group.
Since a deny policy always overrides an allow policy, this policy setting
prevents users from logging on to domain controllers in the domain, even if
the "Allow log on locally" policy applies to the same users.

Remove the Domain Users group or those users from the Remote Users group or
the Domain Power Users group, then test. What is the result?

Please refer to the following KB article for detailed methods:
"The local policy of this system does not permit you to logon
interactively" error message when you try to log on to a computer that is
running Windows Small Business Server 2003 by using an Administrator account
http://support.microsoft.com/?id=841188

II. Also try checking the following settings:

1. On the problematic workstation, run rsop.msc to check the effective
"Allow logon locally" policy to make sure that the Domain Users group is
listed. If not, add it to the Default Domain Policy. In addition, make
sure that the "deny logon locally" policy is not defined in RSOP (Resultant
Set of Policy). In addition, check the "Access this computer from network"
policy to make sure that Everyone is listed and that "Deny access to
this computer from the network" is configured properly.

2. On the server, open the Server Management console, locate the Users node, right
click the user account and click Properties, click the Terminal Services
profile tab and make sure that the "Deny this user permissions to logon to
terminal server" option is unchecked.

3. To grant guests Logon rights to the RDP-TCP connection, start the
Terminal Services Configuration snap-in and edit the RDP-TCP so that the guest
has at least Logon rights.

For detailed information, please see:
278433 Accessing Terminal Services Using New User Rights Options
http://support.microsoft.com/?id=278433

289289 Remote Desktop Connection "The Local Policy of This System Does Not
http://support.microsoft.com/?id=289289

I am currently standing by for your test results. I appreciate your time and
efforts in performing the tests and collecting information. I am happy to be
of assistance to you!

Have a nice day!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

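
The deny-over-allow behaviour described in the reply above, as an added example that is not part of the original thread: a Python script that parses the `[Privilege Rights]` section of a `secedit /export /areas USER_RIGHTS` file and follows nested group membership to decide each logon type. The export text, the CONTOSO domain, the account names and the membership map are constructed for illustration.

```python
# Added example: evaluate logon rights the way the reply describes them,
# where a Deny right reached through any (nested) group overrides an Allow.
# All sample data is constructed; domain, accounts and groups are hypothetical.

EVERYONE = "*s-1-1-0"  # well-known Everyone SID, lower-cased for comparison

# (allow right, deny right) for each logon type discussed in the thread.
LOGON_RIGHTS = {
    "interactive": ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),
    "network": ("SeNetworkLogonRight", "SeDenyNetworkLogonRight"),
    "terminal_services": ("SeRemoteInteractiveLogonRight",
                          "SeDenyRemoteInteractiveLogonRight"),
}

# Constructed export: entries are '*'-prefixed SIDs or account names.
SAMPLE_EXPORT = r"""
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeDenyInteractiveLogonRight = CONTOSO\SBS Remote Operators
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed direct memberships (member -> groups it belongs to).
SAMPLE_MEMBER_OF = {
    r"CONTOSO\aipadmin": [r"CONTOSO\Domain Admins", r"CONTOSO\Domain Power Users"],
    r"CONTOSO\newadmin": [r"CONTOSO\Domain Admins"],
    r"CONTOSO\Domain Admins": ["*S-1-5-32-544"],  # BUILTIN\Administrators
    r"CONTOSO\Domain Power Users": [r"CONTOSO\SBS Remote Operators"],
}


def parse_privilege_rights(text):
    """Return {right name: set of lower-cased principals} from an export."""
    rights, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {
                p.strip().lower() for p in value.split(",") if p.strip()
            }
    return rights


def expand_principals(account, member_of):
    """Account plus every group reached through nesting (cycle-safe)."""
    lookup = {k.lower(): [g.lower() for g in v] for k, v in member_of.items()}
    seen, stack = {EVERYONE}, [account.lower()]
    while stack:
        principal = stack.pop()
        if principal in seen:
            continue
        seen.add(principal)
        stack.extend(lookup.get(principal, []))
    return seen


def evaluate_logon(account, logon_type, rights, member_of):
    """Report whether the logon type is granted and through which entries."""
    allow_name, deny_name = LOGON_RIGHTS[logon_type]
    principals = expand_principals(account, member_of)
    allow_via = sorted(principals & rights.get(allow_name, set()))
    deny_via = sorted(principals & rights.get(deny_name, set()))
    return {
        "granted": bool(allow_via) and not deny_via,  # deny always wins
        "allow_via": allow_via,
        "deny_via": deny_via,
    }


if __name__ == "__main__":
    parsed = parse_privilege_rights(SAMPLE_EXPORT)
    for user in (r"CONTOSO\aipadmin", r"CONTOSO\newadmin"):
        for kind in LOGON_RIGHTS:
            print(user, kind, evaluate_logon(user, kind, parsed, SAMPLE_MEMBER_OF))
```

To run it against a real export, read the file produced by `secedit /export /cfg <file> /areas USER_RIGHTS` (normally written as UTF-16) and supply a membership map built from your own directory.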

Al-Amin (Guest)
Posted: Mon Oct 24, 2005 8:50 pm    Post subject: RE: Can't set Local Security policies. They fail to save

Hi Jenny. Thanks for your post. I was starting to lose hope.
In reply to your questions.

1. Yes I can logon to the server box remotely using the built in
administrator account but no I can’t logon to the server locally with the
same administrator account
2. I can’t logon on locally with any of the other administrator accounts.
I created a new Administrator account using the add user wizard and it
allowed me to logon locally to the server box. But I still can’t set local
policies
3. I have rebooted the server and I still get the same results
4. The policies I tried to change to allow local and remote logon are ACCESS
THIS COMPUTER FROM THE NETWORK and ALLOW LOGON LOCALLY in Domain Security
Policy>Local Policies>User Rights Assignment.
The issue of policies not saving happens all the time since I first
experienced the problems with the server box.
On other computers
5. I tried saving the application/security log but got the error UNABLE TO
SAVE EVENT LOG FILE. A REQUIRED PRIVILEGE IS NOT HELD BY THE CLIENT

With regards to your suggestions for troubleshooting.
I. The user does not have the “logon locally” user right and like I
mentioned I can’t seem to grant the rights.
Secondly I’ve checked and the user is not a member of the Remote Operators
group but a member of Domain Power Users Group. I removed the user from the
groups and was able to logon locally. Thanks. One problem solved.
II. Here are the results after I ran rsop.msc
i. The Domain Users Group is not listed in “Allow logon locally” policy. I
couldn’t add it into the default domain policy
The “Deny logon locally” in RSOP is defined and lists SBS Remote Operators
and SBS STS Workers
The “Access This computer from Network” policy is defined and everyone is
listed.
While the “Deny Access to this computer from the network” is not defined
ii. On Terminal services Tab “Allow Logon to terminal Server” is checked
Hope I got it right.

--
AIP Admin

Jenny wu [MSFT] (Guest)
Posted: Tue Oct 25, 2005 12:50 pm    Post subject: RE: Can't set Local Security policies. They fail to save

Hi,

Thanks for your update!

For your current scenario, I suggest you follow the KB 816585 article to apply
a predefined Security Template on SBS 2003 to restore the security groups'
permissions.

816585 HOW TO: Apply Predefined Security Templates in Windows Server 2003
http://support.microsoft.com/?id=816585

Note: please strictly follow the steps to process and create a backup file
of the SYSVOL share.

Next, run "gpupdate.exe /force" at a command prompt to force the policy
refresh, then reboot the server to test. Additionally, have a domain user log off
and then log on to a client computer to test whether the user can save system logs.

If the issue persists, please help me collect a group policy report for
further analysis:
1. Please run the command "gpresult /v > c:\gpresult.txt" on both the
server box and some problematic workstation, and mail the resulting files to
me for analysis. My mailbox: v-yanniw@microsoft.com

2. Collect the system/security log on the server box and the problematic
workstation. If the user still does not have permission to save the system log, you can
try using a domain admin account to test, or log on to the local computer
using the local Administrator account to test. What is the result?

I appreciate your time! I am looking forward to hearing from you!

Have a nice day!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
Quote:
Thread-Topic: Can't set Local Security policies. They fail to save
thread-index: AcXYv+CmZah0jpn4Sg+QnWhHJDaXPA==
X-WBNR-Posting-Host: 62.173.36.24
From: "=?Utf-8?B?QWwtQW1pbg==?=" <AlAmin@discussions.microsoft.com
References: <524324AD-BD69-47E0-B1F5-1DD131613BE7@microsoft.com
6wdjMLH2FHA.3936@TK2MSFTNGXA01.phx.gbl
Subject: RE: Can't set Local Security policies. They fail to save
Date: Mon, 24 Oct 2005 10:25:06 -0700
Lines: 234
Message-ID: <69F5C0BD-DB81-4E08-8FF5-F10AD70F525E@microsoft.com
MIME-Version: 1.0
Content-Type: text/plain;
charset="Utf-8"
Content-Transfer-Encoding: 8bit
X-Newsreader: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
Newsgroups: microsoft.public.windows.server.sbs
NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA02.phx.gbl!TK2MSFTNGXA03.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:164087
X-Tomcat-NG: microsoft.public.windows.server.sbs

Hi Jenny. Thanks for your post. I was starting to lose hope.
In reply to your questions.

1. Yes I can logon to the server box remotely using the built in
administrator account but no I can’t logon to the server locally with
the
same administrator account
2. I can’t logon on locally with any of the other administrator accounts.
I created a new Administrator account using the add user wizard and it
allowed me to logon locally to the server box. But I still can’t set
local
policies
3. I have rebooted the server and I still get the same results
4. The policies I tried to change to allow local and remote logon are
ACCESS
THIS COMPUTER FROM THE NETWORK and ALLOW LOGON LOCALLY in Domain Security
Policy>Local Policies>User Rights Assignment.
The issue of policies not saving happens all the time since I first
experienced the problems with the server box.
On other computers
5. I tried saving the application/security log but got the error UNABLE TO
SAVE EVENT LOG FILE. A REQUIRED PRIVILEDGE IS NOT HELD BY THE CLIENT

With regards to your suggestion for trouble shooting.
I. The user does not have the “logon locally” user right and like I
mentioned I can’t seem to grant the rights.
Secondly I’ve checked and the user is not a member of the Remote
Operators
group but a member of Domain Power Users Group. I removed the user from
the
groups and was able to logon locally. Thanks One problem solved.
II. Here are the results after I ran rsop.msc
i. The Domain Users Group is not listed in “Allow logon locally”
policy. I
couldn’t add it into the default domain policy
The “Deny logon locally” in RSOP is defined and lists SBS Remote
Operators
and SBS STS Workers
“The Access This computer from Network” policy is defined and everyone
is
listed.
While the “Deny Access to this computer from the network” is not
defined
ii. On Terminal services Tab “Allow Logon to terminal Server" is checked
Hope I got it right.

--
AIP Admin


""Jenny wu [MSFT]"" wrote:

Hi,

Thanks for posting here!

For your description, I understand that you have some problems to access
the SBS server box locally or remotely. If I am off base, please don't
hesitate to let me know.

Before we go further, please kindly help me collect some information to
isolate the issue in order to resolve the issue efficiently:

1. In current status, Can you logon the server box remotely (from other
client computer)? Can you logon the server box locally (before the
server
box)?

2. Do you try to use another Administrator user account to test? How
about
the result? Do you try to create a new Administrator account using Add
User
Wizard (Server Management console -> Users -> Add a User) to test? How
about the result?

3. Try to reboot the server box to refresh configuration and then test,
how
about the result?

4. Which computer local security policy did you change to try to grant
the
specific Administrator logon on locally and remotely permissions? Did
the
issue that the local security policy can not saved happen on the
specific
box random or always time? Does it happen on other computer?

5. Can you find any error events in Event Viewer? If yes, please tell me
the detail error information in the newsgroup or mal me the error log
for
further analyze.

Save a text copy of Application /System log:
A. Open Event Viewer: Start -> All Programs -> Administrative Tools -
Event Viewer.
B. Right-click on Application/System log and select "Save Log File As?".
Please send the log files to my mailbox:v-yanniw@microsoft.com

Additionally, I would like to give you some suggestions to try to
trouble
shoot the issue:

I. As you known, the error "The local policy of this system does not
permit
you to log on interactively" may occur if the user does not have "logon
locally" user right.

Please check if the user accounts who can not logon to the server is a
member of either the Remote Operators group or the Domain Power Users
group. On SBS 2003, the "Deny log on locally" policy setting is applied
to
the Remote Operators group in the Default Domain Controllers Policy
object.
This policy setting also applies to the Domain Power Users group because
the Domain Power Users group is a member of the Remote Operators group.
Since a deny policy always overrides an allow policy, this policy
setting
prevents users from logging on to domain controllers in the domain, even
if
the "Allow log on locally" policy applies to the same users.

Remove the Domain Users group or those users from the Remote Users group
or
the Domain Power Users group. Try to test, how about the result?

Please refer to the following KB article to get detail methods:
"The local policy of this system does not permit you to logon
interactively" error message when you try to log on to a computer that
is
running Windows Small Business Server 2003 by using an Administrator
account
http://support.microsoft.com/?id=841188

II. And also try to check the following settings:

1. On the problematic Workstation, run rsop.msc to check the effective
"Allow logon locally" policy to make sure that the domain users group is
listed. If not, add it into the Default domain policy. In addition, make
sure that the "deny logon locally" policy is not defined in RSOP (Result
set of policy). In addition, check the "Access this computer from
network"
policy to make sure that the everyone is listed and the "Deny access to
this computer from the network" is configured properly.

2. On the server, open Server Management console, locate Users node,
right
click the user account and click Properties, click the Terminal Services
profile tab and make sure that the "Deny this user permissions to logon
to
terminal server" option is uncheck.

3. To grant guests Logon rights to the RDP-TCP connection, start the
Terminal Services Configuration snap-in, edit the RDP-TCP so that the
guest
has at least Logon rights.

For detail information, please see:
278433 Accessing Terminal Services Using New User Rights Options
http://support.microsoft.com/?id=278433

289289 Remote Desktop Connection "The Local Policy of This System Does
Not
http://support.microsoft.com/?id=289289

I am currently standing by for your test result. I appreciate your time
and
efforts to perform test and collect information. I am happy to be
assistance of you!

Have a nice day!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the
corresponding
newsgroups so that they can be resolved in an efficient and timely
manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check
the
"Notify me of replies" box to receive e-mail notifications when there
are
any updates in your thread. When responding to posts via your
newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In
doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly.
Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.

Al-Amin
Guest





Posted: Tue Oct 25, 2005 4:50 pm    Post subject: RE: Can't set Local Security policies. They fail to save

Jenny Hi there and thanks for all the help.

I followed your instructions on applying the predefined security templates.
I also ran the gpupdate.exe /force. The administrator account still can't
connect to server. The local policies are still set as before.

The user accounts are back online but unfortunately the administrative
account still can’t connect to server from client computers. It still gives
the error "Logon Failure: The user has not been granted the requested logon
type at this computer".

I still can’t set any of the local security policies on the server box. It
still fails to save giving the error message "An extended error has occurred.
Failed to save". I have e-mailed the group policy report and the system and
security logs from the server box to you.

Regards

--
AIP Admin


""Jenny wu [MSFT]"" wrote:

Quote:
Hi,

Thanks for your update!

For your current scenario, I suggest you follow KB 816585 article to apply
predefined Security Template on SBS 2003 to restore security groups
permissions.

816585 HOW TO: Apply Predefined Security Templates in Windows Server 2003
http://support.microsoft.com/?id=816585

Note: please strictly follow the steps to process and create a backup file
of the SYSVOL share.

Next, run "gpupdate.exe /force" under command prompt to force the policy
refresh, reboot the Server to test. Additionally, domain user try to logoff
and then logon to client computer to test if user can save system logs.

If the issue persists, please help me collect group policy report for
further analysis:
1. Please run command "gpresult /v > c:\gpresult.txt" respectively in the
server box and some problematic workstation and find the files to mail to
me for analysis. My mailbox: v-yanniw@microsoft.com

2. Collect system/security log in the server box and the problematic
workstation. If the user still can not save system log permissions, you can
try to use domain admin account to test, or logon on to local computer
using local Administrator account to test, how about the result?

I appreciate your time! I am looking forward to hearing from you!

Have a nice day!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security

Hi Jenny. Thanks for your post. I was starting to lose hope.
In reply to your questions.

1. Yes I can logon to the server box remotely using the built in
administrator account but no I can’t logon to the server locally with the
same administrator account
2. I can’t logon on locally with any of the other administrator accounts.
I created a new Administrator account using the add user wizard and it
allowed me to logon locally to the server box. But I still can’t set local
policies
3. I have rebooted the server and I still get the same results
4. The policies I tried to change to allow local and remote logon are ACCESS
THIS COMPUTER FROM THE NETWORK and ALLOW LOGON LOCALLY in Domain Security
Policy>Local Policies>User Rights Assignment.
The issue of policies not saving happens all the time since I first
experienced the problems with the server box.
On other computers
5. I tried saving the application/security log but got the error UNABLE TO
SAVE EVENT LOG FILE. A REQUIRED PRIVILEGE IS NOT HELD BY THE CLIENT

With regards to your suggestion for trouble shooting.
I. The user does not have the “logon locally” user right and like I
mentioned I can’t seem to grant the rights.
Secondly I’ve checked and the user is not a member of the Remote Operators
group but a member of Domain Power Users Group. I removed the user from the
groups and was able to logon locally. Thanks. One problem solved.
II. Here are the results after I ran rsop.msc
i. The Domain Users Group is not listed in “Allow logon locally” policy. I
couldn’t add it into the default domain policy
The “Deny logon locally” in RSOP is defined and lists SBS Remote Operators
and SBS STS Workers
“The Access This computer from Network” policy is defined and everyone is
listed.
While the “Deny Access to this computer from the network” is not defined
ii. On Terminal services Tab “Allow Logon to terminal Server” is checked
Hope I got it right.

--
AIP Admin


""Jenny wu [MSFT]"" wrote:

Hi,

Thanks for posting here!

From your description, I understand that you have some problems accessing
the SBS server box locally or remotely. If I am off base, please don't
hesitate to let me know.

Before we go further, please kindly help me collect some information to
isolate the issue in order to resolve the issue efficiently:

1. In current status, can you logon the server box remotely (from other
client computer)? Can you logon the server box locally (before the server
box)?

2. Do you try to use another Administrator user account to test? How about
the result? Do you try to create a new Administrator account using Add User
Wizard (Server Management console -> Users -> Add a User) to test? How
about the result?

3. Try to reboot the server box to refresh configuration and then test, how
about the result?

4. Which computer local security policy did you change to try to grant the
specific Administrator logon on locally and remotely permissions? Did the
issue that the local security policy can not be saved happen on the specific
box randomly or all the time? Does it happen on other computer?

5. Can you find any error events in Event Viewer? If yes, please tell me
the detail error information in the newsgroup or mail me the error log for
further analysis.

Save a text copy of Application /System log:
A. Open Event Viewer: Start -> All Programs -> Administrative Tools ->
Event Viewer.
B. Right-click on Application/System log and select "Save Log File As...".
Please send the log files to my mailbox: v-yanniw@microsoft.com

Additionally, I would like to give you some suggestions to try to trouble
shoot the issue:

I. As you know, the error "The local policy of this system does not permit
you to log on interactively" may occur if the user does not have "logon
locally" user right.

Please check if the user accounts who can not logon to the server is a
member of either the Remote Operators group or the Domain Power Users
group. On SBS 2003, the "Deny log on locally" policy setting is applied to
the Remote Operators group in the Default Domain Controllers Policy object.
This policy setting also applies to the Domain Power Users group because
the Domain Power Users group is a member of the Remote Operators group.
Since a deny policy always overrides an allow policy, this policy setting
prevents users from logging on to domain controllers in the domain, even if
the "Allow log on locally" policy applies to the same users.

Remove the Domain Users group or those users from the Remote Users group or
the Domain Power Users group. Try to test, how about the result?

Please refer to the following KB article to get detail methods:
"The local policy of this system does not permit you to logon
interactively" error message when you try to log on to a computer that is
running Windows Small Business Server 2003 by using an Administrator
account
http://support.microsoft.com/?id=841188

II. And also try to check the following settings:

1. On the problematic Workstation, run rsop.msc to check the effective
"Allow logon locally" policy to make sure that the domain users group is
listed. If not, add it into the Default domain policy. In addition, make
sure that the "deny logon locally" policy is not defined in RSOP (Result
set of policy). In addition, check the "Access this computer from network"
policy to make sure that the everyone is listed and the "Deny access to
this computer from the network" is configured properly.

2. On the server, open Server Management console, locate Users node, right
click the user account and click Properties, click the Terminal Services
profile tab and make sure that the "Deny this user permissions to logon to
terminal server" option is unchecked.

3. To grant guests Logon rights to the RDP-TCP connection, start the
Terminal Services Configuration snap-in, edit the RDP-TCP so that the guest
has at least Logon rights.

For detailed information, please see:
278433 Accessing Terminal Services Using New User Rights Options
http://support.microsoft.com/?id=278433

289289 Remote Desktop Connection "The Local Policy of This System Does Not
http://support.microsoft.com/?id=289289

I am currently standing by for your test result. I appreciate your time and
efforts to perform test and collect information. I am happy to be of
assistance to you!

Have a nice day!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
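The rule quoted in the post above (a deny logon right overrides an allow right, and it reaches an account through nested groups such as Domain Power Users inside Remote Operators) can be checked offline against the `[Privilege Rights]` section of a `secedit /export` file. This is an added example, not part of the original thread: the INF text, the account name `aipadmin`, the group memberships and the function names are constructed for illustration, and the sample lists account names where a real export usually lists SIDs.

```python
"""Evaluate logon user rights from a [Privilege Rights] section (added example)."""
import configparser

# Each logon type is controlled by one allow right and one deny right.
LOGON_TYPES = {
    "interactive": ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),
    "network": ("SeNetworkLogonRight", "SeDenyNetworkLogonRight"),
    "remote_interactive": ("SeRemoteInteractiveLogonRight",
                           "SeDenyRemoteInteractiveLogonRight"),
}

# Constructed sample modelled on the RSoP results reported in the thread.
# A real export is UTF-16 and normally shows SIDs prefixed with '*'.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = Everyone
SeInteractiveLogonRight = Administrators,Backup Operators
SeDenyInteractiveLogonRight = SBS Remote Operators,SBS STS Workers
SeRemoteInteractiveLogonRight = Administrators
"""

# Constructed memberships: account or group -> groups it is a direct member of.
MEMBER_OF = {
    "aipadmin": ["Domain Admins", "Domain Power Users"],
    "Domain Admins": ["Administrators"],
    "Domain Power Users": ["SBS Remote Operators"],
}


def parse_privilege_rights(inf_text):
    """Return {right name: set of lower-cased principals} from INF text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the case of right names such as SeNetworkLogonRight
    parser.read_string(inf_text)
    rights = {}
    if parser.has_section("Privilege Rights"):
        for right, value in parser.items("Privilege Rights"):
            rights[right] = {
                p.strip().lstrip("*").casefold()
                for p in value.split(",") if p.strip()
            }
    return rights


def effective_principals(account, member_of):
    """Return the account plus every group it belongs to, directly or nested."""
    graph = {k.casefold(): v for k, v in member_of.items()}
    seen, stack = set(), [account.casefold()]
    while stack:
        name = stack.pop()
        if name in seen:
            continue  # guards against circular group nesting
        seen.add(name)
        stack.extend(g.casefold() for g in graph.get(name, ()))
    seen.add("everyone")  # assumption: every account matches Everyone
    return seen


def evaluate_logon(account, member_of, rights):
    """Return {logon type: (verdict, principals that decided it)}."""
    principals = effective_principals(account, member_of)
    result = {}
    for logon_type, (allow, deny) in LOGON_TYPES.items():
        denied_by = sorted(principals & rights.get(deny, set()))
        allowed_by = sorted(principals & rights.get(allow, set()))
        if denied_by:            # a deny right wins over any allow right
            verdict = "denied"
        elif allowed_by:
            verdict = "allowed"
        else:                    # neither listed: the right was never granted
            verdict = "not granted"
        result[logon_type] = (verdict, denied_by or allowed_by)
    return result


if __name__ == "__main__":
    rights = parse_privilege_rights(SAMPLE_INF)
    for kind, (verdict, via) in evaluate_logon("aipadmin", MEMBER_OF, rights).items():
        print(f"{kind:20} {verdict:12} via {', '.join(via) or '-'}")
```

With the sample data the administrator is denied interactive logon through the nested group even though Administrators holds the allow right; dropping the Domain Power Users membership flips the verdict to allowed.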
Jenny wu [MSFT]
Guest





Posted: Wed Oct 26, 2005 4:50 pm    Post subject: RE: Can't set Local Security policies. They fail to save

Hi,

Thanks for your group policy information! After researching your group policy,
I found the Default Domain Controllers policy has not been applied and many
default group policy settings have been changed.

For your current scenario, I suggest you back up your current group policy and
then try to reset all default Group Policy(s) for your SBS domain to test.

The only way that you can do it is to use the GPMC.MSC console on a freshly
installed SBS Server, export all the GPO settings and import them to the
existing one.

For more info about GPMC, please refer to:
Backing up, Restoring, Migrating, and Copying GPOs
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/937d5838-f720-4c0b-a65c-e8ed2658a414.mspx

If you do not have a freshly installed SBS Server, you can also try to export
a fine-running SBS server's group policy settings to test. If you can not get
that resource, please let me know and I will mail it to you.

I appreciate your time and efforts to perform the test. I am happy to be of
further assistance and look forward to your reply!

Have a nice day!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security

Al-Amin
Guest





Posted: Thu Oct 27, 2005 8:50 pm    Post subject: RE: Can't set Local Security policies. They fail to save

Hi,
I have backed up the GPOs like you suggested but unfortunately I couldn't
reset the default group policy because I don't have a fresh installed SBS
server. I would really appreciate it if you could e-mail it to me.

Thanks for the assistance. It's much appreciated
--
AIP Admin


""Jenny wu [MSFT]"" wrote:

Quote:
Hi,

Thanks for your group policy information! After researching your group policy,
I found the Default Domain Controllers policy has not been applied and many
default group policy settings have been changed.

For your current scenario, I suggest you back up your current group policy and
then try to reset all default Group Policy(s) for your SBS domain to test.

The only way that you can do it is to use the GPMC.MSC console on a freshly
installed SBS Server, export all the GPO settings and import them into the
existing one.

For more info about GPMC, please refer to:
Backing up, Restoring, Migrating, and Copying GPOs
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/937d5838-f720-4c0b-a65c-e8ed2658a414.mspx

If you do not have a freshly installed SBS Server, you can also try to export
the group policy settings of a properly running SBS server to test. If you
cannot get that resource, please let me know and I will mail it to you.

I appreciate your time and efforts to perform the test. I am happy to be of
further assistance and am looking forward to your reply!

Have a nice day!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security

--------------------
Thread-Topic: Can't set Local Security policies. They fail to save
From: "Al-Amin" <AlAmin@discussions.microsoft.com>
Subject: RE: Can't set Local Security policies. They fail to save
Date: Tue, 25 Oct 2005 09:17:05 -0700

Jenny, hi there and thanks for all the help.

I followed your instructions on applying the predefined security templates.
I also ran gpupdate.exe /force. The administrator account still can't
connect to the server. The local policies are still set as before.

The user accounts are back online but unfortunately the administrative
account still can't connect to the server from client computers. It still
gives the error "Logon Failure: The user has not been granted the requested
logon type at this computer".

I still can't set any of the local security policies on the server box. It
still fails to save, giving the error message "An extended error has occurred.
Failed to save". I have e-mailed the group policy report and the system and
security logs from the server box to you.

Regards

--
AIP Admin


""Jenny wu [MSFT]"" wrote:

Hi,

Thanks for your update!

For your current scenario, I suggest you follow the KB 816585 article to apply
the predefined Security Template on SBS 2003 to restore security group
permissions.

816585 HOW TO: Apply Predefined Security Templates in Windows Server 2003
http://support.microsoft.com/?id=816585

Note: please strictly follow the steps in the process and create a backup file
of the SYSVOL share.

Next, run "gpupdate.exe /force" at a command prompt to force the policy
refresh, then reboot the server to test. Additionally, have a domain user log
off and then log on to a client computer to test whether the user can save
system logs.

If the issue persists, please help me collect a group policy report for
further analysis:
1. Please run the command "gpresult /v > c:\gpresult.txt" on both the server
box and a problematic workstation, and mail the resulting files to me for
analysis. My mailbox: v-yanniw@microsoft.com

2. Collect the system/security logs on the server box and the problematic
workstation. If the user still does not have permission to save system logs,
you can try to use a domain admin account to test, or log on to the local
computer using the local Administrator account to test. What is the result?

I appreciate your time! I am looking forward to hearing from you!

Have a nice day!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security

--------------------
Thread-Topic: Can't set Local Security policies. They fail to save
From: "Al-Amin" <AlAmin@discussions.microsoft.com>
Subject: RE: Can't set Local Security policies. They fail to save
Date: Mon, 24 Oct 2005 10:25:06 -0700

Hi Jenny. Thanks for your post. I was starting to lose hope.
In reply to your questions:

1. Yes, I can logon to the server box remotely using the built-in
administrator account, but no, I can't logon to the server locally with the
same administrator account.
2. I can't logon locally with any of the other administrator accounts.
I created a new Administrator account using the add user wizard and it
allowed me to logon locally to the server box. But I still can't set local
policies.
3. I have rebooted the server and I still get the same results.
4. The policies I tried to change to allow local and remote logon are ACCESS
THIS COMPUTER FROM THE NETWORK and ALLOW LOGON LOCALLY in Domain Security
Policy>Local Policies>User Rights Assignment.
The issue of policies not saving happens all the time since I first
experienced the problems with the server box.
On other computers
5. I tried saving the application/security log but got the error UNABLE TO
SAVE EVENT LOG FILE. A REQUIRED PRIVILEGE IS NOT HELD BY THE CLIENT

With regards to your suggestion for troubleshooting:
I. The user does not have the "logon locally" user right and, like I
mentioned, I can't seem to grant the rights.
Secondly, I've checked and the user is not a member of the Remote Operators
group but a member of Domain Power Users Group. I removed the user from the
groups and was able to logon locally. Thanks. One problem solved.
II. Here are the results after I ran rsop.msc:
i. The Domain Users Group is not listed in "Allow logon locally" policy. I
couldn't add it into the default domain policy.
The "Deny logon locally" in RSOP is defined and lists SBS Remote Operators
and SBS STS Workers.
"The Access This computer from Network" policy is defined and everyone is
listed.
While the "Deny Access to this computer from the network" is not defined.
ii. On Terminal services Tab "Allow Logon to terminal Server" is checked.
Hope I got it right.

--
AIP Admin


""Jenny wu [MSFT]"" wrote:

Hi,

Thanks for posting here!

From your description, I understand that you have some problems accessing
the SBS server box locally or remotely. If I am off base, please don't
hesitate to let me know.

Before we go further, please kindly help me collect some information to
isolate the issue in order to resolve the issue efficiently:

1. In the current status, can you log on to the server box remotely (from
another client computer)? Can you log on to the server box locally (before
the server box)?
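
Added illustration, not part of any post in this thread and not Microsoft tooling: the logon rights discussed above live in the [Privilege Rights] section of a security template or a secedit export, and a deny right overrides the matching allow right. The template text, the EXAMPLE domain name and both tokens are constructed assumptions.

```python
# Real "secedit /export" output is UTF-16 and mixes *SIDs with account names;
# this sketch assumes principals are supplied in the same form as the file.
# Constructed sample: EXAMPLE\... names and all assignments are illustrative.
SAMPLE_INF = r"""
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0
SeInteractiveLogonRight = *S-1-5-32-549,*S-1-5-32-551
SeDenyInteractiveLogonRight = EXAMPLE\SBS Remote Operators,EXAMPLE\SBS STS Workers
SeRemoteInteractiveLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

LOGON_RIGHTS = {  # logon type -> (allow right, deny right)
    "local": ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),
    "network": ("SeNetworkLogonRight", "SeDenyNetworkLogonRight"),
    "terminal services": ("SeRemoteInteractiveLogonRight",
                          "SeDenyRemoteInteractiveLogonRight"),
}

def parse_privilege_rights(inf_text):
    """Return {right: set of lower-cased principals} from [Privilege Rights]."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {p.strip().lstrip("*").lower()
                                    for p in value.split(",") if p.strip()}
    return rights

def effective_logon(rights, principals):
    """principals: the account plus every group in its token."""
    token = {p.lower() for p in principals}
    result = {}
    for label, (allow, deny) in LOGON_RIGHTS.items():
        denied_by = rights.get(deny, set()) & token
        if denied_by:  # a deny right overrides any allow
            result[label] = "denied by " + ", ".join(sorted(denied_by))
        else:
            granted = rights.get(allow, set()) & token
            result[label] = "allowed" if granted else "not granted"
    return result

# Constructed tokens: Everyone + Administrators, and Everyone + Server
# Operators + a group listed under the deny right.
ADMIN_TOKEN = ["S-1-1-0", "S-1-5-32-544"]
OPERATOR_TOKEN = ["S-1-1-0", "S-1-5-32-549", "EXAMPLE\\SBS Remote Operators"]
```

With this sample, the Administrators token gets "not granted" for local logon because its group is missing from the allow list, while the operator token is denied despite holding the allow right through Server Operators.
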
Jenny wu [MSFT]
Guest

Posted: Fri Oct 28, 2005 12:50 pm    Post subject: RE: Can't set Local Security policies. They fail to save

Hi,

Thanks for your update! I have attached the default group policy backup
files to my mail; please try to import these files to reset your domain group
policy.

Note: Before doing this, please take a full backup of the SBS server box so
that you can restore it in case something unexpected happens:

Backing Up and Restoring Windows Small Business Server 2003
http://download.microsoft.com/download/b/d/8/bd8e1a40-d202-429a-8eb7-26300d62bcc9/BKU_BkupRstr.doc

You can refer to the following steps to import the default group policy:
1. Run the command "gpmc.msc" (no quotation marks) to open the Group Policy
Management console.
2. Locate Forest servername -> Group Policy Objects, right-click Default
Domain Controllers Policy and choose the Import Settings item to import the
appropriate group policy from the backup file I sent you.
3. Repeat step 2 to import these default group policies.
4. Afterwards, please check that these group policy objects are linked to the
appropriate OU (still in the Group Policy Management console):

a. Go to Forest servername -> Domains -> servername.local; the
following group policies are linked to it:
+++Default Domain Policy
+++Small Business Server Client Computer
+++Small Business Server Domain Password Policy
+++Small Business Server Internet Connection Firewall
+++Small Business Server Lockout Policy
+++Small Business Server Remote Assistance Policy
+++Small Business Server Windows Firewall

b. Go to Forest servername -> Domains -> Domain Controllers; the
following group policies are linked to it:
+++Default Domain Controllers Policy
+++Small Business Server Auditing Policy

c. Go to Forest servername -> Domains -> MyBusiness -> Security Groups;
the following group policies are linked to it:
+++Default Domain Policy

If not, please try to correct them, and then test to see whether the issue is
fixed.

I appreciate your time and efforts on the issue. I am happy to be of
assistance to you and look forward to your reply!

Have a nice day!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technica