When you try to use the built-in Administrator account or an account that is a member of the Administrators group to log on locally to a computer that is running Microsoft Windows Small Business Server (Windows SBS) 2003, you receive the following error message:
The local policy of this system does not permit you to logon interactively.
However, if you try to log on to the Windows SBS computer from a remote workstation or by using a Remote Desktop Connection session, you can log on successfully.
To resolve this issue, remove the Administrator account from the Remote Operators group and from the Domain Power Users group. Also, remove any group that contains the Administrator account from the Remote Operators group and the Domain Power Users group.
You can make this change by doing one of the following:
Use a Remote Desktop connection to connect to the Windows SBS computer.
Install the Windows Server 2003 Administration Tools Pack (Adminpak.msi) on a computer that is running Windows XP Professional.
To remove members from the Remote Operators group and the Domain Power Users group, follow these steps:
1. After you connect to the computer that is running Windows SBS by using a Remote Desktop connection or by using the Windows Server Administration Tools Pack, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Expand the domain object, expand MyBusiness, and then click Security Groups.
Note: In this example screen shot, the domain object is "contoso.local." Your domain object will be your_domain.local, where your_domain is the name of your domain.
3. Double-click Remote Operators, and then click the Members tab.
Note: The Domain Power Users group always appears in the Members list. Although this screen shot doesn't show other members, your screen may show other groups or user accounts in the list. When you remove groups or user accounts from the Members list, do not remove the Domain Power Users group.
4. Click the user account or the group that you want to remove, click Remove, and then click Yes to confirm the removal.
5. Repeat step 4 for every account or group that you want to remove, and when you are finished, click OK.
6. In the Security Groups list, double-click Domain Power Users.
7. Click the Members tab.
Note: Only the Power User Template and user accounts that the Power User Template is applied to should appear in the Members list. Do not remove the Power User Template or the user accounts that have the Power User Template.
IMPORTANT: When you apply the Power Users Template to a user account, that user account is specifically denied access to log on to the Windows Small Business Server 2003 computer from the local console. Therefore, don't apply this template to an Administrator account. For more information about how to apply templates to user accounts, see the "Manage users and groups" topic in Windows Small Business Server Help and Information.
8. Click a group or account that you want to remove, click Remove, and then click Yes to confirm the removal. In particular, make sure that you remove the Administrator account or any group that might contain the Administrator account.
Note: Sometimes, the Administrator account may become a member of the Remote Operators group or the Domain Power Users group through group nesting. For example, the built-in Administrator account is automatically a member of the Mobile Users group. Therefore, if you add the Mobile Users group as a member of the Remote Operators group, the Administrator account automatically becomes a member of the Remote Operators group because the Mobile Users group is nested in the Remote Operators group.
By default, the built-in Administrator in Windows Small Business Server is a member of the following groups:
Group Policy Creator Owners
To see what groups an administrator account is a member of, follow these steps:
1. In Active Directory Users and Computers, click Users.
Note: Make sure that you click the Users folder in the domain container and not in the MyBusiness container.
2. Click the Member Of tab.
3. Double-click the groups that are listed on the Member Of tab to open their properties. If the group membership settings on the server are very different from the default settings, make sure that the groups that contain the user account are not nested in other groups.
4. When you are finished changing the group membership, click OK.
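Checking nested membership by hand in the Member Of tab is error-prone once groups are nested several levels deep. The following PowerShell script is an added example, not part of the article, that walks the memberOf attribute recursively through ADSI and reports every chain by which the account reaches Remote Operators or Domain Power Users. It assumes the account's distinguished name below, which uses the article's example domain contoso.local, and that it is run from a domain-joined workstation that can reach the SBS domain controller over LDAP.

```powershell
# Added example (not from the KB article). Walks memberOf recursively to show
# how an account inherits membership in the groups that carry "Deny log on locally".
# The DN is an assumption built from the article's example domain contoso.local.
$UserDn = "CN=Administrator,CN=Users,DC=contoso,DC=local"
$DeniedGroups = @("Remote Operators", "Domain Power Users")

function Get-NestedGroupChains {
    param(
        [string]$Dn,
        [string[]]$Path = @(),
        [hashtable]$Seen = @{}
    )
    $obj = [ADSI]"LDAP://$Dn"
    foreach ($groupDn in @($obj.memberOf)) {
        # Each group is reported once, by the first chain that reaches it,
        # and the Seen table also protects against circular nesting.
        if ($Seen.ContainsKey($groupDn)) { continue }
        $Seen[$groupDn] = $true
        $group = [ADSI]"LDAP://$groupDn"
        $name  = [string]$group.cn
        $chain = $Path + $name
        [pscustomobject]@{ Group = $name; Chain = ($chain -join " -> ") }
        Get-NestedGroupChains -Dn $groupDn -Path $chain -Seen $Seen
    }
}

$all  = Get-NestedGroupChains -Dn $UserDn
$hits = $all | Where-Object { $DeniedGroups -contains $_.Group }

if ($hits) {
    Write-Host "Account reaches a group with 'Deny log on locally' via:"
    $hits | Format-Table -AutoSize
    # The last element of each chain is the group to remove the account (or the
    # intermediate group) from, as described in the steps above.
} else {
    Write-Host "Not a member of Remote Operators or Domain Power Users, directly or nested."
}
```

The Chain column shows the full nesting path (for example Mobile Users -> Remote Operators), which tells you which intermediate group membership to remove rather than just that the account is affected.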
In Windows Small Business Server 2003, the "Deny log on locally" policy setting is applied to the Remote Operators group in the Default Domain Controllers Group Policy Object. This policy setting also applies to the Domain Power Users group because the Domain Power Users group is a member of the Remote Operators group. Because a Deny permission overrides an Allow permission, this policy setting prevents users from logging on to domain controllers in the domain, even if the "Allow log on locally" policy applies to those same users.
To grant a user rights to perform administrative tasks over a Remote Desktop connection to the Windows Small Business Server 2003 computer, apply the Power Users Template to that user account. You can apply this template when you create the user account or by running the Change User Permissions Wizard.
When this issue occurs, an event that resembles the following may appear in the Security log in the Event Viewer:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 534
Date: date
Time: time
User: NT AUTHORITY\SYSTEM
Computer: computername
Description:
Logon Failure:
Reason: The user has not been granted the requested logon type at this machine
User Name: administrator
Domain: EXAMPLE
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: computername
Caller User Name: computername$
Caller Domain: EXAMPLE
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 5828
Transited Services: -
Source Network Address: 127.0.0.1
Source Port: 0