Tuesday, June 26, 2007

The local policy of this system does not permit you to logon interactively on a Citrix MetaFrame server after adding a Windows 2003 DC to the domain

Today we added our first Windows 2003 DC to our Windows 2000 domain. After AD replication completed successfully, users who normally log in to the domain via Citrix started receiving this message when logging into the server:

The local policy of this system does not permit you to logon interactively

After digging through a lot of blog posts and MS Knowledge Base articles, everything pointed to the Local Security settings on the Citrix machine not granting the appropriate user rights. Apparently this was not a problem before with a Windows 2000 AD.

So I went into AD and put the Citrix server in its own OU, then created a new GPO. Under the GPO settings:

Go to
Computer Configuration => Windows Settings => Security Settings => Local Policies => User Rights Assignment

Under User Rights Assignment, look for the following setting:

If using Win2k3: Allow Login to Terminal Server
If using Win2K: Log on Locally

Double-click the above policy and grant it to the appropriate group.

After you have assigned the right, make sure that the group you assigned it to also has the Read and Apply Group Policy permissions on that GPO.

If you do the first but not the second, the problem will persist.

Also make sure to refresh Group Policy from a command prompt with the following command:

If Win2K : secedit /refreshpolicy machine_policy /force
If Win2k3: gpupdate /force

Reboot the Terminal or Citrix Server.

This resolved the problem for me.
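As an added example (not part of the original post), here is a PowerShell script that verifies the fix from the Citrix server's side: it exports the effective local security policy with secedit and reports which groups actually hold the two logon rights behind the "does not permit you to logon interactively" message. It assumes PowerShell is available on the server and that the script is run in an elevated session.

```powershell
# Export only the user-rights area of the effective local policy to a temp INF file.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# In the [Privilege Rights] section each line looks like:
#   SeRemoteInteractiveLogonRight = *S-1-5-32-555,*S-1-5-21-...
# SIDs are prefixed with '*'; plain account names may also appear.
$rights = @{}
$inSection = $false
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = $Matches[2].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    }
}

function Resolve-PrincipalName([string]$entry) {
    # Translate a '*SID' entry to DOMAIN\Name; fall back to the raw entry if translation fails.
    if ($entry.StartsWith('*')) {
        try {
            $sid = [System.Security.Principal.SecurityIdentifier]$entry.Substring(1)
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $entry }
    }
    return $entry
}

# SeRemoteInteractiveLogonRight is "Allow log on through Terminal Services" (Win2k3);
# SeInteractiveLogonRight is "Log on locally", the right Win2K checked for TS sessions.
# If the Citrix users' group is missing from the relevant right, the GPO did not apply
# (typically because the group lacks Read/Apply Group Policy on the GPO).
foreach ($right in 'SeRemoteInteractiveLogonRight', 'SeInteractiveLogonRight') {
    $holders = @($rights[$right] | ForEach-Object { Resolve-PrincipalName $_ })
    $list = if ($holders) { $holders -join ', ' } else { '<nobody>' }
    "{0}: {1}" -f $right, $list
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

Run it after `gpupdate /force` and the reboot; if the expected group is still absent, check the GPO's security filtering before touching the policy again.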
