Hi all,
I've just installed a Win2k3 server (Domain Controller) onto a customer's network. I've done a whole heap of these in the past and this is the first one I've had problems with.
The problem I've got is that only Domain Admins can log on. Now, I admit I have been playing with the default domain controller policy insofar as configuring the message box that appears at logon on the server with our new disclaimer and technical support information. Somehow, I don't quite know how, after doing a gpupdate this has interfered with the default domain policy, which is only allowing domain admins and administrators the rights to log in from any 2000/XP client machine. I even created another organisational unit and blocked inheritance and configured a brand new policy for that, and still the user can only log in if they're in the domain admins group; otherwise you get the error message "the local policy does not allow to logon interactively".
So then, all users are now in the Domain Admins group, otherwise they can't log on. I have set up a pretty strict policy (which I've done before at other sites) by preventing a right-click on the My Computer icon and removing the My Network Places icon from the desktop. These people aren't going to cause any problems so it's kinda safe. I daren't touch it now as all users can log on to the DC. DOH!
Any ideas anyone? Any help would be much appreciated. That'll teach me for playing!!!