An administrator cannot log on locally to Windows SBS 2003

Article ID: 841188

Symptoms

When you try to use the built-in Administrator account or an account that is a member of the Administrators group to log on locally to a computer that is running Microsoft Windows Small Business Server (Windows SBS) 2003, you receive the following error message: 
The local policy of this system does not permit you to logon interactively.
However, if you try to log on to the Windows SBS computer from a remote workstation or by using a Remote Desktop Connection session, you can log on successfully. 

Resolution

To resolve this issue, remove the Administrator account from the Remote Operators group and from the Domain Power Users group. Also, remove any group that contains the Administrator account from the Remote Operators group and the Domain Power Users group.


You can make this change by doing one of the following:
  • Use a Remote Desktop connection to connect to the Windows SBS computer.
  • Install the Windows Server 2003 Administration Tools Pack (Adminpak.msi) on a computer that is running Windows XP Professional.

For more information about the Windows Server Administration Tools Pack, see How to use the Administration Tools Pack to remotely administer computers that are running Windows Server 2003, Windows XP, or Windows 2000.


To remove members from the Remote Operators group and the Domain Power Users group, follow these steps:
  1. After you connect to the computer that is running Windows SBS by using a Remote Desktop connection or by using the Windows Server Administration Tools Pack, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Expand the domain object, expand MyBusiness, and then click Security Groups.
    Note In this example screen shot, the domain object is "contoso.local." Your domain object will be your_domain.local, where your_domain is the name of your domain.

  3. Double-click Remote Operators, and then click the Members tab.

    Note The Domain Power Users group always appears in the Members list. Although this screen shot doesn’t show other members, your screen may show other groups or user accounts in the list. When you remove groups or user accounts from the Members list, do not remove the Domain Power Users group.

  4. Click the user account or the group that you want to remove, click Remove, and then click Yes to confirm the removal.
  5. Repeat step 4 for every account or group that you want to remove, and when you are finished, click OK.
  6. In the Security Groups list, double-click Domain Power Users.
  7. Click the Members tab.

    Note Only the Power User Template and user accounts that the Power User Template is applied to should appear in the Members list. Do not remove the Power User Template or the user accounts that have the Power User Template.

    IMPORTANT: When you apply the Power Users Template to a user account, that user account is specifically denied access to log on to the Windows Small Business Server 2003 computer from the local console. Therefore, don't apply this template to an Administrator account. For more information about how to apply templates to user accounts, see the "Manage users and groups" topic in Windows Small Business Server Help and Information.

  8. Click a group or account that you want to remove, click Remove, and then click Yes to confirm the removal. In particular, make sure that you remove the Administrator account or any group that might contain the Administrator account. 

    Note Sometimes, the Administrator account may become a member of the Remote Operators group or the Domain Power Users group through group nesting. For example, the built-in Administrator account is automatically a member of the Mobile Users group. Therefore, if you add the Mobile Users group as a member of the Remote Operators group, the Administrator account automatically becomes a member of the Remote Operators group because the Mobile Users group is nested in the Remote Operators group.

    By default, the built-in Administrator in Windows Small Business Server is a member of the following groups:
    • Administrators
    • Domain Admins
    • Domain Users
    • Enterprise Admins
    • Group Policy Creator Owners
    • Mobile Users
    • Schema Admins
    To see what groups an administrator account is a member of, follow these steps: 
    1. In Active Directory Users and Computers, click Users.

      Note Make sure that you click the Users folder in the domain container and not in the MyBusiness container.

    2. Double-click Administrator.
    3. Click the Member Of tab.

    4. Double-click the groups that are listed on the Member Of tab to open their properties. If the group membership settings on the server are very different from the default settings, make sure that the groups that contain the user account are not nested in other groups.
  9. When you are finished changing the group membership, click OK.

More information

In Windows Small Business Server 2003, the "Deny log on locally" policy setting is applied to the Remote Operators group in the Default Domain Controllers Group Policy Object. This policy setting also applies to the Domain Power Users group because the Domain Power Users group is a member of the Remote Operators group. Because a Deny permission overrides an Allow permission, this policy setting prevents users from logging on to domain controllers in the domain, even if the "Allow log on locally" policy applies to those same users. 
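The nesting described in the note under step 8 and the deny-overrides-allow rule described above can be checked together. The following Python sketch is an added example, not part of the original article or any Microsoft tool: the group data is constructed to reproduce the Mobile Users misconfiguration, and the "Allow log on locally" assignment to Administrators is an assumption made for the illustration.

```python
from collections import deque

# Constructed directory data: group -> direct members (users or groups).
# Group names follow the article; nesting Mobile Users in Remote Operators
# is the misconfiguration the article describes.
DIRECT_MEMBERS = {
    "Administrators": {"Administrator", "Domain Admins"},
    "Domain Admins": {"Administrator"},
    "Mobile Users": {"Administrator"},
    "Domain Power Users": {"Power User Template"},
    "Remote Operators": {"Domain Power Users", "Mobile Users"},
}
# "Deny log on locally" as the article describes it for the Default Domain
# Controllers GPO; the allow assignment is an assumption for this example.
DENY_LOGON_LOCALLY = {"Remote Operators"}
ALLOW_LOGON_LOCALLY = {"Administrators"}


def membership_chains(principal, members=DIRECT_MEMBERS):
    """Map every group containing principal (directly or through nesting)
    to the shortest chain principal -> ... -> group."""
    parents = {}
    for group, direct in members.items():
        for member in direct:
            parents.setdefault(member, set()).add(group)
    chains = {}
    queue = deque([(principal, [principal])])
    while queue:
        node, path = queue.popleft()
        for group in sorted(parents.get(node, ())):
            # Skipping groups already seen also protects against circular nesting.
            if group not in chains and group != principal:
                chains[group] = path + [group]
                queue.append((group, chains[group]))
    return chains


def can_log_on_locally(principal, members=DIRECT_MEMBERS):
    """Return (allowed, chain_to_denying_group_or_None); deny overrides allow."""
    chains = membership_chains(principal, members)
    for group in sorted(DENY_LOGON_LOCALLY):
        if group in chains:
            return False, chains[group]
    return any(g in chains for g in ALLOW_LOGON_LOCALLY), None
```

The returned chain names the nested membership to remove; with the constructed data it is Administrator, Mobile Users, Remote Operators.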

To grant a user rights to perform administrative tasks over a Remote Desktop connection to the Windows Small Business Server 2003 computer, apply the Power Users Template to that user account. You can apply this template when you create the user account or by running the Change User Permissions Wizard. 

 

When this issue occurs, an event that resembles the following may appear in the Security log in the Event Viewer: 

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 534
Date: date
Time: time
User: NT AUTHORITY\SYSTEM
Computer: computername
Description:
Logon Failure:
Reason: The user has not been granted the requested logon type at this machine
User Name: administrator
Domain: EXAMPLE
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: computername
Caller User Name: computername$
Caller Domain: EXAMPLE
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 5828
Transited Services: -
Source Network Address: 127.0.0.1
Source Port: 0
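
To find this symptom in an exported Security log, the event text above can be parsed and filtered for Event ID 534 with Logon Type 2 on an administrative account. This Python sketch is an added example, not part of the original article: the log text is constructed in the layout shown above, and the list of administrative account names is an assumption.

```python
import re

# Constructed Security-log export: two events in the layout shown above.
SAMPLE_LOG = """\
Event Type: Failure Audit
Event ID: 534
User Name: administrator
Domain: EXAMPLE
Logon Type: 2
Source Network Address: 127.0.0.1

Event Type: Failure Audit
Event ID: 529
User Name: jsmith
Domain: EXAMPLE
Logon Type: 10
Source Network Address: 192.0.2.10
"""

# Assumption: accounts that are expected to be able to log on at the console.
ADMIN_ACCOUNTS = {"administrator"}


def parse_events(text):
    """Split an export on blank lines and turn 'Key: value' lines into dicts."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def denied_console_logons(events, admins=ADMIN_ACCOUNTS):
    """Return events where an admin account was refused an interactive (type 2) logon."""
    return [
        e for e in events
        if e.get("Event ID") == "534"
        and e.get("Logon Type") == "2"
        and e.get("User Name", "").lower() in admins
    ]
```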


Properties

Article ID: 841188 - Last Review: July 12, 2013 - Revision: 6.1
Applies to
  • Microsoft Windows Small Business Server 2003 Premium Edition
  • Microsoft Windows Small Business Server 2003 Standard Edition
Keywords: 
kbenv kberrmsg kbprb KB841188
