
Intermittent "...local policy...does not permit...logon interactively"


maxd

MIS
Jun 17, 2002
2
US

3 days ago one of the users on our Win2k network reported that he was getting the "The local policy of this system does not permit you to logon interactively" error message, out of the blue. Rebooting his computer fixed the problem.

The next day, 2 more people reported the same error. The first of the two fixed it on his own by rebooting. The second was not able to correct the problem by rebooting, and her workstation was down for the rest of the day. The frustrating thing was that every account, including the local workstation admin account, was getting the error. We authenticate to the server when logging in, so in most cases there is only the admin account defined locally.

I tried to replace her %SystemRoot%\Security\Database\Secedit.sdb file with one from a functioning workstation (I managed to get into the %SystemRoot% by using the Win2K Recovery Console), but it did not fix the problem. This morning her computer had miraculously fixed itself, allowing normal login for admin as well as authenticated users.

The person whose computer was down for a day was able to log into the domain from a different workstation, so I believe that means the problem isn't outside of the Local Policy settings on the affected workstation, doesn't it?

Quite a puzzle...has anyone seen this kind of spontaneous error recently, or do you have any suggestions as to what might have caused it?

The only thing I know of that has changed recently is the ongoing patching of the server as Microsoft comes out with new Win2K patches. We applied some patches the day before the first incident happened, though I don't know which ones. But in none of these cases was anything changed on the workstations, and none of the workstations have a "Deny Logon Locally" policy setting.

Thanks for any ideas!
 
Good question. Check the permissions on the sysvol on the server and the c$ share on the offending user's desktop. I vaguely recall an issue with incorrect permissions.

Just a point in a direction. May not be right, but maybe it will spark some other ideas.
 
Thanks Jamk,

The problem got worse for a while, before we figured it out. It looks like the problem involved our backup server. We'd been seeing an increasing number of errors in the backup logs and in an effort to fix the problems the backup software company tech support had us give the backup server local login rights to the domain.

Somehow, doing this started preventing the users from being able to log into the domain -- everyone began to get the error, even though no explicit exclusion of local logon rights existed. Since we have our users authenticate to the domain we fixed it by giving the Authenticated Users group local login rights. Everyone seems happy now.

It was weird, though -- all we could figure is that giving one user (the backup server) local login rights to the domain caused it to reject any user that didn't have a right defined. And still unexplained is why the local workstation administrator accounts were also locked out -- they should have been unaffected, no matter what the rights to the domain looked like, shouldn't they?

Anyway, all appears normal once again =).
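
A check for the condition this thread ended on, as an added example that is not part of any post: it reads the `[Privilege Rights]` section of a security template (a `secedit` export or a GPO's `GptTmpl.inf`) and reports whether "Log on locally" is defined with only specific accounts. It assumes the right was pushed through such a template, in which case the defined list replaces the local one on every machine the policy applies to; the sample templates, `EXAMPLE\backupsvc` and the function names are constructed.

```python
import re

RIGHT = "SeInteractiveLogonRight"   # the "Log on locally" user right
# Well-known principals that cover ordinary users and local administrators.
BROAD = {"S-1-5-32-544": "Administrators",
         "S-1-5-11": "Authenticated Users",
         "S-1-1-0": "Everyone"}

# Constructed samples: the state the thread describes, then the fix it applied.
TEMPLATE_BEFORE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
; right granted to the backup account only
SeInteractiveLogonRight = EXAMPLE\\backupsvc
"""
TEMPLATE_AFTER = """\
[Privilege Rights]
SeInteractiveLogonRight = EXAMPLE\\backupsvc,*S-1-5-11
"""

def privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "privilege rights" and "=" in line:
            name, value = line.split("=", 1)
            rights[name.strip()] = [p.strip().lstrip("*")   # SIDs carry a '*'
                                    for p in value.split(",") if p.strip()]
    return rights

def audit_logon_right(inf_text):
    """Classify how the template treats the interactive logon right."""
    rights = privilege_rights(inf_text)
    if RIGHT not in rights:          # undefined: the local setting stays in effect
        return {"status": "not defined", "granted": [], "covering": []}
    granted = rights[RIGHT]
    seen = {g.split("\\")[-1].upper() for g in granted}   # drop DOMAIN\ prefix
    covering = [name for sid, name in BROAD.items()
                if sid in seen or name.upper() in seen]
    # Defined without any broad principal: only the listed accounts can log on.
    status = "ok" if covering else "restrictive"
    return {"status": status, "granted": granted, "covering": covering}

if __name__ == "__main__":
    for label, text in (("before", TEMPLATE_BEFORE), ("after", TEMPLATE_AFTER)):
        print(label, audit_logon_right(text))
```

A `restrictive` result means every account not listed, local administrators included, is refused at the console once the policy applies.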
 