When you try to log on to the domain or your local computer, you may receive the following error message:
The local policy of this system does not permit you to logon interactively
This issue may occur if the "Deny logon locally" policy is set on your computer.
To resolve this issue, create an organizational unit for computers that you want to exclude from the "Deny logon locally" policy, and then grant the "Log on locally" policy to individual users or groups in the organizational unit:
- Click Start, point to
Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- Right-click the domain name, point to New, and then click Organizational Unit.
- Type the name of the new Organizational Unit, and then click OK. For example, you might type
- Put the computers to which you want to grant the Logon Locally right in the Organizational Unit that you created in step 3:
- Click the container that contains the computer or computers that you want to move.
- Select the computers, right-click the computers, and then click Move.
- In the Move dialog box, click the organizational unit that you created in step 3, and then click
- Right-click the organizational unit, and then click
- Click the Group Policy tab, click
New, type the Group Policy Object name, and then click
- Under Computer Configuration, expand
Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.
- In the right pane of the Group Policydialog box, right-click Log on locally, and then click
- Click to select the Define these policy settings check box, click Add, and then click
- Click those users to whom you want to grant the "Log on locally" policy, click Add, and then click OKtwo times. To select multiple users or groups, press and hold the CTRL key down, and then click individual objects.
- Click OK to close the Security Policy Setting dialog box.
Article ID: 285793 - Last Review: Dec 16, 2009 - Revision: 1