Article ID: 276590
Article Last Modified on 1/29/2007
APPLIES TO
- Microsoft Windows 2000 Service Pack 1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Service Pack 1
- Microsoft Windows 2000 Datacenter Server
This article was previously published under Q276590
SYMPTOMS
When you add a group, such as, Domain Users, Everyone, or Authenticated Users, to the "Deny Logon Locally" user right, users that are members of those groups can no longer log on to certain computers. When a user tries to log on to the computer, the user may receive the following error message:
The administrator of your system may find this behavior to be unexpected.
CAUSE
This behavior may occur because the user (such as, the administrator, who is a member of a group that has been explicitly granted the "Logon Locally" user right) may also be a member of the preceding groups. Any of the preceding groups may deny users access to the computer in which case a policy that sets the denial of user rights takes precedence over a policy that enables user rights.
RESOLUTION
To work around this behavior, you can access the computer that is denying a user access by means of an administrative account situated on another client. Then you can use the Ntrights.exe program from the Microsoft Windows 2000 Resource Kit to remove the user from the "Deny Logon Locally" user right.
To perform this procedure, use the following (case-sensitive) syntax:
ntrights -m \\computer -u group or user to remove
-r SeDenyInteractiveLogonRight
STATUS
This behavior is by design.
MORE INFORMATION
Most of the preceding problems occur when the Everyone group has been removed from the user right. You can use the Ntrights utility to add user rights.
For additional information about how to add a group back to the user right, click the article number below to view the article in the Microsoft Knowledge Base:
279664 How to Set Logon User Rights with the Ntrights.exe Utility
Keywords: kberrmsg kbprb KB276590