"The local policy of this system does not permit you to logon interactively" error message when you try to log on to a computer that is running Windows Small Business Server 2003 by using an Administrator account (841188)



The information in this article applies to:

  • Microsoft Windows Small Business Server 2003, Premium Edition
  • Microsoft Windows Small Business Server 2003, Standard Edition

SYMPTOMS

When you try to log on locally to a computer that is running Microsoft Windows Small Business Server 2003 by using the built-in Administrator account, or by using an account that is a member of the Administrators group, you receive the following error message:
The local policy of this system does not permit you to logon interactively.
However, if you try to access the computer from a remote workstation, or by using a Remote Desktop Connection session, you can log on successfully.

When this issue occurs, an event that is similar to the following may appear in the security log in the Event Viewer:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 534
Date: date
Time: time
User: NT AUTHORITY\SYSTEM
Computer: computername
Description:
Logon Failure:
Reason: The user has not been granted the requested logon type at this machine
User Name: administrator
Domain: EXAMPLE
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: computername
Caller User Name: computername$
Caller Domain: EXAMPLE
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 5828
Transited Services: -
Source Network Address: 127.0.0.1
Source Port: 0

CAUSE

This issue occurs if the user account that you use to log on is a member of one or both of the following groups:
  • The Domain Power Users group
  • The Remote Operators group
In Windows Small Business Server 2003, the "Deny log on locally" policy setting is applied to the Remote Operators group in the Default Domain Controllers Group Policy object. This policy setting also applies to the Domain Power Users group because the Domain Power Users group is a member of the Remote Operators group.

Because a Deny permission overrides an Allow permission, this policy setting prevents users from logging on to domain controllers in the domain, even if the "Allow log on locally" policy applies to those same users.

Note Sometimes, the Administrator account may be a member of the Remote Operators group or the Domain Power Users group because of group nesting. For example, the Administrator account is a member of the Mobile Users group. Therefore, if you add the Mobile Users group as a member of the Remote Operators group, the Administrator account becomes a member of the Remote Operators group because of group nesting.
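
The following added example (not part of the original article, and not Microsoft code) models the nesting described above: it walks a membership map, reports the chain of groups that places an account in Remote Operators, and applies the rule that Deny overrides Allow. The membership map is constructed sample data, and the assumption that the Administrators group holds the "Allow log on locally" right is made for illustration only.

```python
from collections import deque

# Constructed sample data: direct "member -> groups it belongs to" edges.
# The default Administrator groups come from the article; the
# Mobile Users -> Remote Operators edge is the nesting from the Note.
MEMBER_OF = {
    "Administrator": ["Administrators", "Domain Admins", "Domain Users",
                      "Enterprise Admins", "Group Policy Creator Owners",
                      "Mobile Users", "Schema Admins"],
    "Domain Power Users": ["Remote Operators"],   # default nesting
    "Mobile Users": ["Remote Operators"],         # added by mistake
}

DENY_LOCAL = {"Remote Operators"}   # "Deny log on locally" (from the article)
ALLOW_LOCAL = {"Administrators"}    # assumption: holds "Allow log on locally"


def nesting_paths(account, member_of):
    """Return {group: [account, ..., group]} for every group reached
    directly or through nesting (breadth-first, so paths are shortest)."""
    paths = {}
    queue = deque([[account]])
    while queue:
        path = queue.popleft()
        for group in member_of.get(path[-1], []):
            if group not in paths:          # also guards against cycles
                paths[group] = path + [group]
                queue.append(paths[group])
    return paths


def can_log_on_locally(account, member_of):
    """Deny overrides Allow: one denied group anywhere in the chain blocks
    the interactive (Logon Type 2) logon. Returns (allowed, deny_paths)."""
    paths = nesting_paths(account, member_of)
    deny_paths = [paths[g] for g in sorted(DENY_LOCAL) if g in paths]
    allowed = not deny_paths and any(g in paths for g in ALLOW_LOCAL)
    return allowed, deny_paths


if __name__ == "__main__":
    ok, why = can_log_on_locally("Administrator", MEMBER_OF)
    print("local logon allowed:", ok)
    for p in why:
        print("denied via:", " -> ".join(p))
```

The reported chain names the group to remove from Remote Operators or Domain Power Users, which is the change the RESOLUTION section describes.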

RESOLUTION

To resolve this issue, remove the Administrator account from the Remote Operators group and the Domain Power Users group. You also must remove any group that contains the Administrator account from the Remote Operators group and the Domain Power Users group.

You can make this change either by connecting to the Windows Small Business Server-based computer with a Remote Desktop connection or by installing the Microsoft Windows Server 2003 Administration Tools Pack (Adminpak.msi) on a Microsoft Windows XP Professional-based computer.

For additional information about the Windows Server Administration Tools Pack, click the following article number to view the article in the Microsoft Knowledge Base:

304718 Administering Windows Server-based computers using Windows XP Professional-based clients

To remove members from the Remote Operators group and the Domain Power Users group, follow these steps:
  1. After you connect to the Windows Small Business Server-based computer with a Remote Desktop connection or with the Windows Server Administration Tools Pack, start Active Directory Users and Computers.
  2. Expand the domain object, expand MyBusiness, and then click Security Groups.
  3. Double-click Remote Operators, and then click the Members tab.

    Note By default, only the Domain Power Users group appears in the Members list.
  4. Click the account or the group that you want to remove, click Remove, and then click Yes to confirm the removal of this user account or group.
  5. When you are finished removing user accounts and groups from the Members list, click OK.

    Note Do not remove the Domain Power Users group from the Members list.
  6. In the Security Groups list, double-click Domain Power Users.
  7. Click the Members tab.

    Note By default, only the Power User Template and user accounts that the Power User Template is applied to appear in the Members list.
  8. Click any group or account that you want to remove except for the Power User Template and except for the accounts that the Power User Template is applied to, click Remove, and then click Yes to confirm the removal of that user or group. In particular, remove the Administrator account or any group that might contain the Administrator account.

    By default, the built-in Administrator in Windows Small Business Server is a member of the following groups:
    • Administrators
    • Domain Admins
    • Domain Users
    • Enterprise Admins
    • Group Policy Creator Owners
    • Mobile Users
    • Schema Admins
    To check which groups an Administrator account is a member of, open the Users folder in Active Directory Users and Computers, double-click the Administrator account, and then click the Member Of tab. You can double-click the groups that are listed on the Member Of tab to open their Properties. If the group membership settings on the server are much different from the default settings, make sure that the groups that contain the user account are not nested in other groups.
  9. When you are finished modifying the group membership, click OK.

MORE INFORMATION

To grant a user the right to make a Remote Desktop connection to the Windows Small Business Server 2003-based computer to perform administrative tasks, apply the Power Users Template to that user account. You can apply this template when you create the user account or by running the Change User Permissions Wizard.

Important When you apply the Power Users Template to a user account, that user account is specifically denied access to log on to the Windows Small Business Server 2003-based computer from the local console. Therefore, do not apply this template to an Administrator account. For more information about how to apply templates to user accounts, see the "Manage users and groups" topic in Windows Small Business Server Help and Information.

Modification Type: Minor
Last Reviewed: 5/26/2004
Keywords: kbenv kberrmsg kbprb KB841188 kbAudITPRO