Discussion:
Your interactive logon privilege has been disabled
(too old to reply)
Tim David
2004-08-23 13:39:02 UTC
Permalink
We have XP workstations running on an NT domain. We have a PC set up
for users to use when they need to run a particular piece of software
that we only have one licence for, they have a shortcut to an .rdp
file on their desktops that connects them via remote desktop to the PC
where they logon with their standard NT logon.
On our PCs the standard setup for Remote Desktop is to allow the
Domain Administrators group and a global group called Remote Desktop
to logon through a connection, all other groups are denied (not
specifically but not allowing in this case denies)
On this particular PC the global group that uses the PC is added to
the allowed users. This has been working fine for a couple of months.
However I now have one user that can't get logged on, she gets 'Your
interactive logon privilege has been disabled' I have checked the
account and the PC; she is still in the group and the group still has
permissions.
Creating a copy of her account (within NT user Manager) for testing
revealed that this copy account also has the same problem. A fresh
account set up with the same global groups etc does not suffer from
this problem. Also a copy of another user's account within the same
department does not suffer.
I have also tried adding individual permission for the user to log
onto the PC and putting her in the global Remote Desktop group and
testing connecting to another PC with no joy.

The problem looks to be with the user's account but is not in any of
the settings configurable from User Manager. Now I am a bit stumped. I
am loath to delete and recreate her account as it would be a lot of
work changing permissions on all her stuff to allow for the new SID,
plus she has a laptop with a local profile.
Does anyone have any ideas?

Tim
Jeffrey Randow (MVP)
2004-08-24 01:53:23 UTC
Permalink
This is a thought, but perhaps access to the terminal server is
disabled in the domain user account. I know how and where to set this
in a Win2K/Win2K3 environment, but not in a NT 4 domain.. Try posting
this to one of the Terminal Server newsgroups to see if any of them
may remember where this setting was for NT 4.

Jeffrey Randow (Windows Networking & Smart Display MVP)
jeffreyr-***@remotenetworktechnology.com

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone
Post by Tim David
We have XP workstations running on an NT domain. We have a PC set up
for users to use when they need to run a particular piece of software
that we only have one licence for, they have a shortcut to an .rdp
file on their desktops that connects them via remote desktop to the PC
where they logon with their standard NT logon.
On our PCs the standard setup for Remote Desktop is to allow the
Domain Administrators group and a global group called Remote Desktop
to logon through a connection, all other groups are denied (not
specifically but not allowing in this case denies)
On this particular PC the global group that uses the PC is added to
the allowed users. This has been working fine for a couple of months.
However I now have one user that can't get logged on, she gets 'Your
interactive logon privilege has been disabled' I have checked the
account and the PC; she is still in the group and the group still has
permissions.
Creating a copy of her account (within NT user Manager) for testing
revealed that this copy account also has the same problem. A fresh
account set up with the same global groups etc does not suffer from
this problem. Also a copy of another user's account within the same
department does not suffer.
I have also tried adding individual permission for the user to log
onto the PC and putting her in the global Remote Desktop group and
testing connecting to another PC with no joy.
The problem looks to be with the user's account but is not in any of
the settings configurable from User Manager. Now I am a bit stumped. I
am loath to delete and recreate her account as it would be a lot of
work changing permissions on all her stuff to allow for the new SID,
plus she has a laptop with a local profile.
Does anyone have any ideas?
Tim
Tim David
2004-08-25 13:40:52 UTC
Permalink
OK thanks, I have asked the question (
http://makeashorterlink.com/?T2E325229 ) and will post the answer here
if I find out.

Tim
Post by Jeffrey Randow (MVP)
This is a thought, but perhaps access to the terminal server is
disabled in the domain user account. I know how and where to set this
in a Win2K/Win2K3 environment, but not in a NT 4 domain.. Try posting
this to one of the Terminal Server newsgroups to see if any of them
may remember where this setting was for NT 4.
Jeffrey Randow (Windows Networking & Smart Display MVP)
Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....
Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone
Post by Tim David
We have XP workstations running on an NT domain. We have a PC set up
for users to use when they need to run a particular piece of software
that we only have one licence for, they have a shortcut to an .rdp
file on their desktops that connects them via remote desktop to the PC
where they logon with their standard NT logon.
On our PCs the standard setup for Remote Desktop is to allow the
Domain Administrators group and a global group called Remote Desktop
to logon through a connection, all other groups are denied (not
specifically but not allowing in this case denies)
On this particular PC the global group that uses the PC is added to
the allowed users. This has been working fine for a couple of months.
However I now have one user that can't get logged on, she gets 'Your
interactive logon privilege has been disabled' I have checked the
account and the PC; she is still in the group and the group still has
permissions.
Creating a copy of her account (within NT user Manager) for testing
revealed that this copy account also has the same problem. A fresh
account set up with the same global groups etc does not suffer from
this problem. Also a copy of another user's account within the same
department does not suffer.
I have also tried adding individual permission for the user to log
onto the PC and putting her in the global Remote Desktop group and
testing connecting to another PC with no joy.
The problem looks to be with the user's account but is not in any of
the settings configurable from User Manager. Now I am a bit stumped. I
am loath to delete and recreate her account as it would be a lot of
work changing permissions on all her stuff to allow for the new SID,
plus she has a laptop with a local profile.
Does anyone have any ideas?
Tim
Tim David
2004-08-26 12:10:24 UTC
Permalink
Have discovered a solution. We use Hyena which is designed for both NT
and Ad domains within the user settings in Hyena there is a an option
to allow or disallow Terminal Services for the user. Changing this
seems to have the affect you would expect, however I don't know how
Microsoft expect you to access it without a third party tool!

Tim
Post by Tim David
OK thanks, I have asked the question (
http://makeashorterlink.com/?T2E325229 ) and will post the answer here
if I find out.
Tim
Post by Jeffrey Randow (MVP)
This is a thought, but perhaps access to the terminal server is
disabled in the domain user account. I know how and where to set this
in a Win2K/Win2K3 environment, but not in a NT 4 domain.. Try posting
this to one of the Terminal Server newsgroups to see if any of them
may remember where this setting was for NT 4.
Jeffrey Randow (Windows Networking & Smart Display MVP)
Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....
Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone
Post by Tim David
We have XP workstations running on an NT domain. We have a PC set up
for users to use when they need to run a particular piece of software
that we only have one licence for, they have a shortcut to an .rdp
file on their desktops that connects them via remote desktop to the PC
where they logon with their standard NT logon.
On our PCs the standard setup for Remote Desktop is to allow the
Domain Administrators group and a global group called Remote Desktop
to logon through a connection, all other groups are denied (not
specifically but not allowing in this case denies)
On this particular PC the global group that uses the PC is added to
the allowed users. This has been working fine for a couple of months.
However I now have one user that can't get logged on, she gets 'Your
interactive logon privilege has been disabled' I have checked the
account and the PC; she is still in the group and the group still has
permissions.
Creating a copy of her account (within NT user Manager) for testing
revealed that this copy account also has the same problem. A fresh
account set up with the same global groups etc does not suffer from
this problem. Also a copy of another user's account within the same
department does not suffer.
I have also tried adding individual permission for the user to log
onto the PC and putting her in the global Remote Desktop group and
testing connecting to another PC with no joy.
The problem looks to be with the user's account but is not in any of
the settings configurable from User Manager. Now I am a bit stumped. I
am loath to delete and recreate her account as it would be a lot of
work changing permissions on all her stuff to allow for the new SID,
plus she has a laptop with a local profile.
Does anyone have any ideas?
Tim
Bill Sanderson
2004-08-26 21:47:14 UTC
Permalink
One question that arises in my mind:

You mentioned that a newly created profile didn't have the problem.

I wonder what mechanism created the change in the setting which you were
able to reverse using the Hyena-related management tool?

Is it possible that, in fact, the Hyena tool is both cause and cure?

There is, of course, an NT-based terminal server. I've never used it, and
don't have any idea what management tools were available for it. I assume
you don't have one of those beasts, either.
Post by Tim David
Have discovered a solution. We use Hyena which is designed for both NT
and Ad domains within the user settings in Hyena there is a an option
to allow or disallow Terminal Services for the user. Changing this
seems to have the affect you would expect, however I don't know how
Microsoft expect you to access it without a third party tool!
Tim
Post by Tim David
OK thanks, I have asked the question (
http://makeashorterlink.com/?T2E325229 ) and will post the answer here
if I find out.
Tim
Post by Jeffrey Randow (MVP)
This is a thought, but perhaps access to the terminal server is
disabled in the domain user account. I know how and where to set this
in a Win2K/Win2K3 environment, but not in a NT 4 domain.. Try posting
this to one of the Terminal Server newsgroups to see if any of them
may remember where this setting was for NT 4.
Jeffrey Randow (Windows Networking & Smart Display MVP)
Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....
Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone
Post by Tim David
We have XP workstations running on an NT domain. We have a PC set up
for users to use when they need to run a particular piece of software
that we only have one licence for, they have a shortcut to an .rdp
file on their desktops that connects them via remote desktop to the PC
where they logon with their standard NT logon.
On our PCs the standard setup for Remote Desktop is to allow the
Domain Administrators group and a global group called Remote Desktop
to logon through a connection, all other groups are denied (not
specifically but not allowing in this case denies)
On this particular PC the global group that uses the PC is added to
the allowed users. This has been working fine for a couple of months.
However I now have one user that can't get logged on, she gets 'Your
interactive logon privilege has been disabled' I have checked the
account and the PC; she is still in the group and the group still has
permissions.
Creating a copy of her account (within NT user Manager) for testing
revealed that this copy account also has the same problem. A fresh
account set up with the same global groups etc does not suffer from
this problem. Also a copy of another user's account within the same
department does not suffer.
I have also tried adding individual permission for the user to log
onto the PC and putting her in the global Remote Desktop group and
testing connecting to another PC with no joy.
The problem looks to be with the user's account but is not in any of
the settings configurable from User Manager. Now I am a bit stumped. I
am loath to delete and recreate her account as it would be a lot of
work changing permissions on all her stuff to allow for the new SID,
plus she has a laptop with a local profile.
Does anyone have any ideas?
Tim
Kevin Stanush
2004-08-28 02:36:53 UTC
Permalink
The error that you are getting could either be from a user right that
prevents interactive logon or a terminal server setting. User Rights
are visible in User Manager or Hyena (look under User Rights under any
domain). There is a specific right for interactive logon.

Terminal server (TSE) settings are more complicated. Since NT was
designed before Terminal Server, the settings can be in a state of
'limbo' when creating new user accounts using User Manager. In Hyena,
the Terminal tab on the user properties dialog will let you
allow/disallow logon to terminal sever sessions. Without checking in
more detail, I think the default is to disallow logon in Hyena to TSE
(since it can be a security concern), but there was a bug in some
versions of Windows that caused this setting to be corrupted when
changing other non-TSE values, since they are kept in the same binary
field. Perhaps your user account simply lost this setting and needed
to have it re-enabled to logon.

If you need more information, open a support case with us by sending
an email to ***@systemtools.com.

Kevin Stanush
SystemTools Software Inc.
Home of 'Hyena' for Windows Adminstration
http://www.systemtools.com
Post by Tim David
Have discovered a solution. We use Hyena which is designed for both NT
and Ad domains within the user settings in Hyena there is a an option
to allow or disallow Terminal Services for the user. Changing this
seems to have the affect you would expect, however I don't know how
Microsoft expect you to access it without a third party tool!
Tim
Tim David
2004-09-03 09:03:02 UTC
Permalink
I have since discovered that the settings to allow/disallow terminal
services IS present in the Windows 2000 version of User Manager, so if
you check from a 2000 server you should have no problems, meaning that
you don't need Hyena.
How the setting got changed in the first place is another matter!

Tim
Post by Kevin Stanush
The error that you are getting could either be from a user right that
prevents interactive logon or a terminal server setting. User Rights
are visible in User Manager or Hyena (look under User Rights under any
domain). There is a specific right for interactive logon.
Terminal server (TSE) settings are more complicated. Since NT was
designed before Terminal Server, the settings can be in a state of
'limbo' when creating new user accounts using User Manager. In Hyena,
the Terminal tab on the user properties dialog will let you
allow/disallow logon to terminal sever sessions. Without checking in
more detail, I think the default is to disallow logon in Hyena to TSE
(since it can be a security concern), but there was a bug in some
versions of Windows that caused this setting to be corrupted when
changing other non-TSE values, since they are kept in the same binary
field. Perhaps your user account simply lost this setting and needed
to have it re-enabled to logon.
If you need more information, open a support case with us by sending
Kevin Stanush
SystemTools Software Inc.
Home of 'Hyena' for Windows Adminstration
http://www.systemtools.com
Post by Tim David
Have discovered a solution. We use Hyena which is designed for both NT
and Ad domains within the user settings in Hyena there is a an option
to allow or disallow Terminal Services for the user. Changing this
seems to have the affect you would expect, however I don't know how
Microsoft expect you to access it without a third party tool!
Tim
Loading...