0

I have Windows Server 2003, and all the users have Windows XP with administrative privileges in the local group settings, so I want to reduce them to normal users; i.e. each is currently a normal user in Active Directory and an administrator on his/her local machine. When I try to remove the user from the local Administrators group, I cannot log on again. There is a message saying:

The local policy of this system does not permit you to log on interactively

I fixed this problem by creating a new policy in the computers group: computer configuration --> windows setting --> security setting --> then expand local policy --> user rights assignment --> logon locally. So I added the users I want to log on with administrative privileges and administrator, because I cannot add a user or group without the administrator account.

It was working like magic but now I have another problem. Every time when the user logs on to Windows it acts like the first logon. For example, I create some folders and files on the desktop and I made some customization on screen. When I restart the computer and log on again nothing appeared on the desktop. It looked just like the first logon on the computer.

4 Answers

1

Take a look at the event log of the client computer you are using to log on. Typically you will find log entries to any problems regarding the user profile there.

Like Gaurav, I suspect that the user profile could not be loaded for the user in question. The most plausible cause would be the lack of permissions to access the user profile directory or the user's own registry.

2
  • Event Viewer: 1. Application: unable to complete the operation on it, access is denied; Internet Explorer is empty; Microsoft-Windows-Forwarding/Operational is empty; Security: unable to complete the operation on it, a required privilege is not held by the client; System is also access denied; and the last one, Windows PowerShell, is empty. I don't want to log off the session and log on as administrator because everything will be erased. Any other ideas, please? Commented May 31, 2011 at 12:05
  • If you want to keep the data, just copy everything inside %userprofile% to another directory - you can copy it back in after you've fixed it. NTUSER.DAT won't copy due to an exclusive lock. If you also would like to keep your settings which are stored in the registry, use the reg export HKCU c:\somewhere_safe\ntuser.dat command. Then fix the permissions using the copy user profile feature as KCotreau said. Commented May 31, 2011 at 13:00
1

You are having problems with the profile in C:\Documents and Settings\profilename not having enough rights as syneticon-dj said.

There are other ways to fix this, but I am going to describe a way that should take further issues out of it by letting Windows make the changes:

  1. Create a new local user "Temp" (does not have to be a domain user).
  2. Log in as that user to create a profile.
  3. Reboot to get that profile out of memory so no files are in use.
  4. Log in as administrator (local or domain, as long as you have local admin privileges).
  5. Go to My Computer>Properties>Advanced>User Profiles>Settings. Highlight the domain user's user profile and copy it.
  6. Browse to C:\Documents and Settings\Temp and click "Permitted to use" and select your domain user. Steps 5+6 are necessary since you can't copy a profile onto itself.
  7. Once copied, do the same thing, but this time copy Temp's profile to the original C:\Documents and Settings\profilename and select the original domain user for "Permitted to use". Now since it is in a different location (temp's profile), this copy is copying a copy of the same profile back and letting Windows set the appropriate permissions.

In the alternative, you can try giving them full permissions to C:\Documents and Settings\profilename and to their HKCU hive, but that might be too liberal (too many security rights), which is why I showed you a way to let Windows do it for you.

2
  • I created a temp user on the local machine but can't log in on the local machine; the error message is "The local policy of this system does not permit you to log on interactively." Now what should I do? Commented May 31, 2011 at 13:01
  • Do exactly what you did in your question...computers group computer configuration --> windows setting --> security setting --> then expand local policy --> user rights assignment --> logon locally. Add the local temp user. If you have domain group policy overriding this, make the user Temp a domain account and do the same thing. Commented May 31, 2011 at 13:45
0

It seems that whenever the user logs on, a temp profile is created. I suggest checking whether you are connected to the domain or not.

2
  • Certainly yes, it is connected to the domain, because I'm using a user that was created in the domain, not a workgroup. Commented May 31, 2011 at 9:24
  • Any other ideas, please? Commented May 31, 2011 at 9:24
0

Guys, I fixed it, thanks all, and I will explain how I did it. First step: in Windows Server 2003 go to start --> administrative tools --> domain controller security policy --> security setting --> local policies --> user rights assignment --> allow log on locally, then add your domain user, for example your domain\users. Second step: create an OU for the computers group and give it a name, for example "login as normal user" --> right click on the new OU, properties --> computer configuration --> windows setting --> security setting --> local policies --> user rights assignment --> edit log on locally, then add administrators and also your domain users. Thanks a lot, all.
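
To confirm on a client what the "log on locally" policy discussed in this thread actually resolved to, the following added example (not part of any of the original posts) exports the machine's user-rights assignments with `secedit` and lists who holds "Allow log on locally" (`SeInteractiveLogonRight`) and its deny counterpart. It assumes PowerShell 2.0 or later and an elevated prompt; the function names and the temp file name are arbitrary choices made for this example.

```powershell
# Added example: show which accounts hold the interactive-logon user rights.
# secedit writes a [Privilege Rights] section with lines such as
#   SeInteractiveLogonRight = *S-1-5-32-544,MYDOMAIN\someuser
# where entries starting with '*' are SIDs and the rest are account names.

function Resolve-Entry([string]$entry) {
    $entry = $entry.Trim()
    if (-not $entry.StartsWith('*')) { return $entry }    # already a name
    $sid = $entry.Substring(1)
    try {
        $obj = New-Object System.Security.Principal.SecurityIdentifier($sid)
        return $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $sid    # unresolvable: deleted account or domain unreachable
    }
}

function Get-LogonRight([string[]]$infLines, [string]$right) {
    foreach ($line in $infLines) {
        # Anchored at line start so the "Deny" variant never matches the allow right.
        if ($line -match "^\s*$right\s*=\s*(.*)$") {
            return @($Matches[1].Split(',') |
                     Where-Object { $_.Trim() } |
                     ForEach-Object { Resolve-Entry $_ })
        }
    }
    return @()    # right is not defined in the export
}

# Export only the user-rights area to a temporary INF file, then read it back.
$tmp = Join-Path $env:TEMP 'user_rights_export.inf'
secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
$inf = Get-Content $tmp
Remove-Item $tmp

'Allow log on locally (SeInteractiveLogonRight):'
Get-LogonRight $inf 'SeInteractiveLogonRight' | ForEach-Object { "  $_" }

'Deny log on locally (SeDenyInteractiveLogonRight):'
Get-LogonRight $inf 'SeDenyInteractiveLogonRight' | ForEach-Object { "  $_" }
```

If the account that cannot log on is not covered by any group in the first list, or is covered by one in the second, the interactive-logon error from the question is the expected result.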
