«

I tried to add a user in AD yesterday, and when I added a
new user that was only a member of the domain users group
it created the object fine but when I logged off and try
to logon as that user it gave me the message "local system
policy prevents you from logging in interactivly", I know
that according to the MS 70-215 test there answer to this
situation is "give the user rights to log on locally". I
do not want to do this. I want them to be able to log on
to the domain. Next, I copied my account, the
administrator, I was able to log on as them just fine to
the domain, but now they are an administrator. That is
not good. I need to be able to add them as a domain user
only. How can this be done?

Sounds to me like you created this user account and are trying to login
locally on a Domain Controller---thus your problem. Users cannot (by
default) login locally to a DC. If this is your situation, you will have to
do one of the two things you mentioned: give them the right to logon
locally or make them a member of a group that already has this right.

Best,
Will
www.mcseworld.com



"MCP" <> wrote in message
news:0ae601c3bb2e$b6a98ac0$...
> I tried to add a user in AD yesterday, and when I added a
> new user that was only a member of the domain users group
> it created the object fine but when I logged off and try
> to logon as that user it gave me the message "local system
> policy prevents you from logging in interactivly", I know
> that according to the MS 70-215 test there answer to this
> situation is "give the user rights to log on locally". I
> do not want to do this. I want them to be able to log on
> to the domain. Next, I copied my account, the
> administrator, I was able to log on as them just fine to
> the domain, but now they are an administrator. That is
> not good. I need to be able to add them as a domain user
> only. How can this be done?

>-----Original Message-----
>Sounds to me like you created this user account and are
trying to login
>locally on a Domain Controller---thus your problem.

I'm not convinced that logging that user account onto a DC
is the cause of this error.

I won't give away the answer (where's the fun in that?)
but: Isn't there a Policy that can be applied that will
give that exact error message when you try to log onto a
workstation? Do the words "Deny Logon Locally" sound
familiar? Anyone???

That's what you see when a "normal" domain user try to logon to a Domain
Controller.


"Marko" <> wrote in message
news:da5301c3bb3f$d4ffe620$...
>
> >-----Original Message-----
> >Sounds to me like you created this user account and are
> trying to login
> >locally on a Domain Controller---thus your problem.
>
> I'm not convinced that logging that user account onto a DC
> is the cause of this error.
>
> I won't give away the answer (where's the fun in that?)
> but: Isn't there a Policy that can be applied that will
> give that exact error message when you try to log onto a
> workstation? Do the words "Deny Logon Locally" sound
> familiar? Anyone???

It will work if u select "log on locally" thats all they
can do..they cannot change anything on the DC..they dont
have any administrative rights... they will still be able
to log on to the domain...they will still be in the
domain users group. i have tried it and succeeded...wen u
log on as a the user trying changing the time and date or
checking the local area network settings and click on
TCP/IP Protcol..it will tell u, u dont have the
sufficient rights to change them..

>-----Original Message-----
>I tried to add a user in AD yesterday, and when I added
a
>new user that was only a member of the domain users
group
>it created the object fine but when I logged off and try
>to logon as that user it gave me the message "local
system
>policy prevents you from logging in interactivly", I
know
>that according to the MS 70-215 test there answer to
this
>situation is "give the user rights to log on locally".
I
>do not want to do this. I want them to be able to log
on
>to the domain. Next, I copied my account, the
>administrator, I was able to log on as them just fine to
>the domain, but now they are an administrator. That is
>not good. I need to be able to add them as a domain
user
>only. How can this be done?
>.
>