We are getting the following error when trying to log on to DeltaV with our operator accounts on our development system PRO stations: "Logon Failure: the user has not been granted the requested logon type at this computer." When attempting to log on to windows with these accounts we also get the following: "You cannot log on because the logon method you are using is not allowed on this computer."
These accounts are members of the domain just like all administrator accounts and are configured in DeltaV as a basic operator. We are able to log on successfully to the PROPLUS using these accounts both into windows and into DeltaV. We cannot on any of the PRO stations.
What could be causing this issue? Is there some sort of setting on each work station that grants log on rights to each account? Why would these accounts be able to log on to the PROPLUS but not the other workstations that are on the same domain?
In reply to Steven Estes:
I think you may have stated the problem:
"One discrepancy is that I am seeing Administrators, Backup Operators, and Guests under "Allow Log on Locally" instead of Admins, backup operators, and users."
Notice that Users does not appear in the list. They will not be allowed interactive logon.
Now, go to your domain controller and determine which policy is controlling this setting, since you can't edit it on the domain member.
Run GPMC.msc. You can use the group policy modeling feature to determine which policies are inacted based on computer and/or user. The result should help you pinpoint which policies to focus on. Search each policy to determine which one(s) are writing the 'Allow Log On Locally' setting (which is a computer policy). You may have multiple policies fighting each other.
Allow log on Locally: This logon right determines which users can interactively log on to this computer. Logons initiated by pressing CTRL+ALT+DEL sequence on the attached keyboard requires the user to have this logon right. Additionally this logon right may be required by some service or administrative applications that can log on users.
technet.microsoft.com/.../cc756809(v=ws.10).aspx
Controlling who can log into the computer or the domain at a computer is governed by the existence and proper membership/rights of the account at either the computer or domain, not only by the Allow Log on Locally policy. Domain accounts can (and should) be granted the right to log on locally provided they will require interactive sessions (as is the case for the DeltaV Pro station). The term 'locally' refers to the session type, not where the account is being authenticated. This is distinguished from the Remote Interactive logon type which means access via either a computer or domain account using a remote (RDP) session.
Arguably, Microsoft's terminology can be confusing. 'Allow log on locally' should probably read 'Allow log on interactive console' but I suspect it was originally named before terminal services, secondary logon, etc. existed, so there was only one kind of interactive logon.