Logon Problem

Hi, I have windows server 2008 r2 foundation as active directory domain controller and 5 client mashines running xp pro. when I try to log on to the domain from any of the client I get the message "The local policy of this system does not permit you to logon interactively" any ideas how to resolve this problem? thanks

That particular error is controlled by a local security policy setting. It is affected by both the Allow log on locally and the Deny log on locally setting.
So, log on to the local machine with a local administrator account (not domain admin or user, local admin only) and type
secpol.msc into the search or run dialog box and hit enter
In the left column
Expand Local Policies
Select User Rigts Assignment and examine who is listed for both of those policies.
You should see users and administrators groups included in allowed and they should not be present in deny (usually only guests).
Check each indivdual client machine for these settings.
If they appear to be correct and you are certain that no user is included in any group that is listed in the Deny log on locally then;
Take one of the client machines and unjoin it from the domain, join it back to a work group (anyname, workgroup is fine) then,
Check the server and make sure you remove the machine account for that computer from the Active Directory database.
Reboot the client computer, log on as a local administrator and rejoin the domain, reboot again and try to logon with domain credentials, start with domain admin account just to make sure.

Originally Posted by Trouble

That particular error is controlled by a local security policy setting. It is affected by both the Allow log on locally and the Deny log on locally setting.
So, log on to the local machine with a local administrator account (not domain admin or user, local admin only) and type
secpol.msc into the search or run dialog box and hit enter
In the left column
Expand Local Policies
Select User Rigts Assignment and examine who is listed for both of those policies.
You should see users and administrators groups included in allowed and they should not be present in deny (usually only guests).
Check each indivdual client machine for these settings.
If they appear to be correct and you are certain that no user is included in any group that is listed in the Deny log on locally then;
Take one of the client machines and unjoin it from the domain, join it back to a work group (anyname, workgroup is fine) then,
Check the server and make sure you remove the machine account for that computer from the Active Directory database.
Reboot the client computer, log on as a local administrator and rejoin the domain, reboot again and try to logon with domain credentials, start with domain admin account just to make sure.

I checked those two policies and deny logon has guest and logon locally only administrators i tried to add users but the option for adding users or groups is greyed out even logging in as an administrator

That would suggest that the actual local policy is being impacted by a persistent Domain Policy. If you try unjoining the machine from the domain as I suggested earlier are you able to effectively change the settings to include users?
Additionally adding the domain users group to the local administrators group on the client machine might help. Can you log on to the local machine using the domain administrator's credentials (domain admins are automatically added to the local admins group I believe)?
Have you added or changed any OUs or GPOs recently or are you aware of any MS security updates to the server that may have affected (like did you recently install service Pack 1 for 2k8r2 server).

Originally Posted by Trouble

That would suggest that the actual local policy is being impacted by a persistent Domain Policy. If you try unjoining the machine from the domain as I suggested earlier are you able to effectively change the settings to include users?
Additionally adding the domain users group to the local administrators group on the client machine might help. Can you log on to the local machine using the domain administrator's credentials (domain admins are automatically added to the local admins group I believe)?
Have you added or changed any OUs or GPOs recently or are you aware of any MS security updates to the server that may have affected (like did you recently install service Pack 1 for 2k8r2 server).

Definetly is a domain policy overiding the local policy it let me change the settings when out of the domain. What should I look for on the domain policy. It only has the default domain policy and the default domain controller policy.

Sorry I don't have my 2k8 r2 server up and running right now so I can't help with specifics except to say that you will probably need to take a look at RSoP for the specific container that includes your users and or computers that are having problems logging on. This may help some if you're not familiar with the Resulatant Set of Policies Snap-In.
Remember domain policies can affect both users, groups, computers, and OUs, so double check for any conflicting group memberships.
You still haven't said whether or not you can logon to the problem client machines using the domain administrator's account. Yes or No?
This will help determine if it's a user/group issue or a computer/machine issue.

I added domain users and administrators to the allow logon locally and allow log on throu remote desktop services
on both domain policy and domain controller policy and now I can log on any client computer to the domain thanks Randy once again for pointing me in the right direction.