In Windows 2000 (and Windows Server 2003) servers that are configured as Domain Controllers only 5 groups have the right to log on locally on the computer. Those groups are:
Administrators, Account, Print, Backup, and Server Operators.
Without this right any user who will try to log on locally will receive this message:
(The local policy of this system does not permit you to log-on interactively)
To give a specific user or group the right to log on locally on the DC you must edit the Domain Controller GPO (or create another one and link it to the Domain Controllers OU in Active Directory Users and Computers). Most novice IT personnel find it harder to add user rights on W2K than in Windows NT 4. I agree, but life goes on, doesn't it?
To make life easier run this command and you won't have to edit the GPO:
ntrights -u Users +r SeInteractiveLogonRight
You must have the NTRIGHTS.EXE program from the W2K Resource kit (or d/l it from HERE).
(You can substitue USERS with the name of the user or group you want to configure).
If you still want to do it via the GPO, do the following:
-
Go to Start, Settings, Control Panel, Administrative Settings.
-
Double-click Domain Controller Security Policy.
-
Go to Security Settings, Local Policies, User Rights.
-
Double-click Logon Locally on the right pane.
-
Click Add, Browse, and double click the user or group you want to add.
-
Click Ok all the way out.
-
Reboot your computer, or even better, use SECEDIT:
secedit /refreshpolicy machine_policy /enforce
By the way, in Windows Server 2003 the same user right is called "Allow Logon Locally", and to refresh the policy you need to run a different command:
gpupdate /force