I'm helping a friend with a SBS 2003 to Exchange 2013 / Server 2012 DC migration. After mailboxes were moved to Exchange 2010 and Exchange 2003 was uninstalled from SBS, we found we were unable to log into either of the two Domain Controllers.
The issue was encountered following a reboot of the Servers. The SBS 2003 Server read "The local policy of this system does not permit you to logon interactively..." and 2012 read "The sign-in method you're using is not allowed.". It didn't take long to determine this could be a policy issue. We logged onto the Exchange Server and installed the Group Policy Management console. We reviewed the Default Domain Controller Policy and verified "Administrators" and "Domain Admins" were included in "Allow log on locally". (Location: Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesUser Rights Assignment) We also verified the same accounts were not added to the "Deny log on locally" setting.
Still not making sense, we next checked the group memberships of the accounts in Active Directory. None of the accounts specified in the "Deny log on locally" setting were applied to the Administrators in the "Allowed" setting. (Here is a link for where we are going: http://support.microsoft.com/kb/841188)
Knowing that this issue is most likely caused by a group membership, we successfully logged onto the 2012 DC using Remote Desktop. Once logged in, we ran GPRESULT /R. We saw immediately that Administrator was a member of the "SBS Remote Operators" group. (SBS Remote Operators is denied logging on locally.) How come this doesn't show in Active Directory for this account under the "Member Of" tab? What my friend found was that Domain Users was added to Power Users, then Power Users were added to Remote Operators. Of course the Administrator accounts are also Domain Users, but I didn't think of the Inception concept with regards to this error. Why this happened after reboots immediately following the removal of an Exchange 2003 Server, I've already forgotten about the question...moving on.
