We have an Active Directory domain MAIN and its child domain CHILD. The domain controller for CHILD is CHILD1, which acts as a gateway to MAIN. The CHILD domain computers are not always booted, including the CHILD1 domain controller. Occasionally, when you log on as CHILD\administrator to CHILD1 or any of the computers in that domain, you receive a message box "Error Message: The Local Policy of this system does not permit you to logon interactively." You can log on as MAIN\administrator, but not even at the local computer -- there's no other choice in the dropdown.
Can you explain this error? Can you suggest how to avoid this altogether and how to repair it when it happens?
It sounds like an issue with machine accounts. Domain member computers authenticate to the domain when they boot. The computer password is changed periodically and automatically. If computers aren't in touch with their DC frequently, the passwords get out of sync. You may be able to fix this by removing the computer and then rejoining it to the domain. There is also a security option setting in group policy that will prevent the computer password from changing. The problems at the DC of the child domain may occur because of the issues with replication. DCs should never be off the network for any significant amount of time.
Start your research there -- with the DC issue. You might end up having to redo the domain to fix the issue. And then, remember that DCs should not be out of touch with other DCs or other domains in their forest.
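The following PowerShell is an added example, not part of the original question or the expert's answer. It walks through the checks and repairs the answer describes on a CHILD member computer: verifying the machine account's secure channel to CHILD1, reading the machine password age from the DC, exporting the local user-rights assignments that the error text refers to ("Allow log on locally" is SeInteractiveLogonRight), resetting the machine password without a remove-and-rejoin, reading the Netlogon registry values behind the "Domain member: Disable machine account password changes" security option, and summarizing replication for the DC side. It assumes the domain and DC names from the question (CHILD, CHILD1), an elevated session on the member computer opened with an account that can still log on (for example MAIN\administrator), and the RSAT ActiveDirectory module for Get-ADComputer; everything else uses built-in cmdlets and tools (secedit, nltest, repadmin).

```powershell
# Added example (not from the original Q&A). Run elevated on a CHILD member computer.
# Names assumed from the question: domain CHILD, domain controller CHILD1.
$childDc  = 'CHILD1'
$computer = $env:COMPUTERNAME

# 1. Is the machine account's secure channel to its DC still valid?
#    A machine password that drifted out of sync shows up here as $false.
$channelOk = Test-ComputerSecureChannel -Server $childDc -Verbose
"Secure channel from $computer to $childDc OK: $channelOk"

# 2. How old is the machine password as the DC sees it? (default rotation: 30 days)
Import-Module ActiveDirectory
$acct = Get-ADComputer -Identity $computer -Server $childDc -Properties PasswordLastSet
"Machine password last set on $childDc`: $($acct.PasswordLastSet)"

# 3. Who actually holds the interactive-logon right on this machine?
#    The error message names that user right: SeInteractiveLogonRight is
#    "Allow log on locally", SeDenyInteractiveLogonRight is "Deny log on locally".
#    Output lines look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Select-String -Path $cfg -Pattern 'Se(Deny)?InteractiveLogonRight' | ForEach-Object { $_.Line }
Remove-Item $cfg

# 4. Repair: reset the machine password in place instead of removing and rejoining.
#    Needs credentials allowed to reset the computer object (e.g. CHILD\administrator).
if (-not $channelOk) {
    $cred = Get-Credential -Message 'Account permitted to reset the machine password'
    Test-ComputerSecureChannel -Repair -Server $childDc -Credential $cred
    # Older equivalents:  nltest /sc_reset:CHILD\CHILD1   or   netdom resetpwd /server:CHILD1 ...
}

# 5. Avoidance: the security option the answer mentions is stored under Netlogon\Parameters.
#    DisablePasswordChange = 1 stops the automatic rotation; MaximumPasswordAge is the interval.
#    Trade-off: a machine password that never rotates is a weaker, longer-lived credential.
$nl = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Get-ItemProperty -Path $nl -Name DisablePasswordChange, MaximumPasswordAge -ErrorAction SilentlyContinue
# To apply (then reboot or restart Netlogon):
#   Set-ItemProperty -Path $nl -Name DisablePasswordChange -Value 1 -Type DWord

# 6. DC side: a domain controller that has been powered off is diagnosed through
#    replication, not through its own secure channel. Summarize inbound/outbound
#    replication for the forest and then the detail for CHILD1.
repadmin /replsummary
repadmin /showrepl $childDc
```

Step 3 is the quick way to tell the two causes apart: if the exported policy shows CHILD\administrator (or a group it belongs to) missing from SeInteractiveLogonRight, or present in SeDenyInteractiveLogonRight, the local policy is the problem regardless of the machine password; if the rights look normal but step 1 returns $false, the secure channel repair in step 4 is the fix. In step 6, a DC whose last successful replication is older than the forest's tombstone lifetime is the case where the answer's "redo the domain" warning applies, because a DC that stale cannot safely be reconnected.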
This was first published in September 2004