Hello, I've set up a domain with roaming profiles for the users.
All is working fine, except that domain users cannot log in on the Domain Controller.
The only solution I found so far is to make the users members of the Domain Admins group, but that is not a good idea, as the users are then able to mess with the domain settings. Is there another way that domain users can log in in a restricted way on the DC?
Johan

I don't know why anybody would want to allow users to log in locally on a server. I'm hoping this is just a test environment because doing so in the "real world" is asking for trouble.
Check the security policies. I'm not sure which one offhand but if you look through, you'll find the setting for allowing users to log on locally. That's where you choose who to allow to log onto the console. It's likely in the Local Security Policy on the server. If not there, check the Domain level GPO.
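The setting this reply points to is the "Allow log on locally" user right (`SeInteractiveLogonRight`). The following is an added example, not part of the original thread: a PowerShell audit that exports the effective user-rights assignment with `secedit` and flags any principal holding that right outside a baseline. The baseline SID list is an assumption based on the built-in groups that hold the right by default on a domain controller; adjust it to your own policy. Run it from an elevated session on the server.

```powershell
# Added example: list who holds "Allow log on locally" and flag unexpected principals.
$cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Assumed baseline: built-in groups that hold this right by default on a DC.
$expected = @(
    'S-1-5-32-544',  # Administrators
    'S-1-5-32-548',  # Account Operators
    'S-1-5-32-549',  # Server Operators
    'S-1-5-32-550',  # Print Operators
    'S-1-5-32-551',  # Backup Operators
    'S-1-5-9'        # Enterprise Domain Controllers
)

$line = Select-String -Path $cfg -Pattern '^SeInteractiveLogonRight\s*=\s*(.*)$' |
    Select-Object -First 1
if (-not $line) {
    Write-Warning 'SeInteractiveLogonRight is not defined in the exported policy.'
    return
}

$report = foreach ($entry in $line.Matches[0].Groups[1].Value.Split(',')) {
    $entry = $entry.Trim()
    if ($entry.StartsWith('*')) {
        # secedit writes SIDs with a leading asterisk.
        $sid = $entry.TrimStart('*')
        try {
            $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $name = '<unresolved>' }
    } else {
        # Some entries are exported as account names instead of SIDs.
        $name = $entry
        try {
            $sid = ([System.Security.Principal.NTAccount]$entry).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { $sid = '<unresolved>' }
    }
    [pscustomobject]@{
        Principal  = $name
        Sid        = $sid
        Unexpected = ($expected -notcontains $sid)
    }
}

Remove-Item $cfg -ErrorAction SilentlyContinue
$report | Sort-Object Unexpected -Descending | Format-Table -AutoSize
```

A row with `Unexpected` set to `True`, such as a Domain Users entry, shows that ordinary accounts have been granted console logon on that server.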

The reason that the users cannot log into a DC locally is a very good one. If you allow them to log on they have access to a number of things you don't want them to have access to. Why in the world would you even consider letting them log in locally? If you don't have enough computers for them to log in from their own machines then you don't need a domain in the first place.

Not even a terminal session is a good justification. Users should not be logging on to a domain controller in any fashion interactively. Do you really want your DC to go down over something like some idiot user surfing a pr0n site with a malicious ActiveX or JavaScript?! What if the DC were breached in such a manner, and hackers then could get all the user accounts, etc.?
I know extra computers can be costly, but what will it cost for you or a contractor to fix a broken DC and possibly a breached network in labor and any loss of productivity caused in the process?
"...but in my defense, it was dark, I was drunk, and it was delicious!"
