nchondro

The local policy of this system does not permit you to logon interactively

I cannot log on interactively, even with the domain administrator account.  Can you tell me how I can reset or log on and remove the deny, or bypass it?  Now I'm pretty much locked out of the server.  URGENT, please.
ASKER CERTIFIED SOLUTION
oBdA

nchondro

ASKER

But the server has no other computer connected to the server, what can I do then?
If there is absolutely no account (not even a user account) with which you are able to log on, the easiest option (and the one with the fewest risks involved) is to attach another machine (with the proper network settings) to your server and use ntrights to set things straight.
Failing that, you can try to get access to the drive using the Recovery Console and try your luck from there. Here are some possibilities that might work: http://securityadmin.info/faq.asp#logonfailure; I'd still recommend doing it from another machine.
We tried doing ntrights from another machine and it says granted successfully, but then when we try to log in, it still doesn't work.  Dunno what is going on.
What exactly you have to do depends on what you did to lock yourself out.
There are two different possibilities here:
You changed the "Allow local logon" settings, and removed some groups that need to have access.
In that case, assuming that your logon name is Administrator, this will give you the permission, so that you can get access again:
ntrights -m \\YourServer -u Administrator +r SeInteractiveLogonRight
The second setting is the "Deny local logon". If you defined users or groups here, then this setting will override any local logon permissions.
If you added, for example, the group "Domain Users" to the "Deny local logon" (which will lock out everyone, since the Administrator is a member of the Domain Users group as well), the following command will reset that again (note the "-r" when working with the Deny as opposed to the "+r" in the Allow):
ntrights -m \\YourServer -u "Domain Users" -r SeDenyInteractiveLogonRight
As said before, the group/user names to use depend on what you were defining before you found yourself locked out.
We tried both granting the user administrator SeInteractiveLogonRight and revoking the user administrator SeDenyInteractiveLogonRight.  Both said successful, but I can't log in to the server, which still gives me the same error.

Thanks.
You probably denied the local logon to some group the administrator is a member of; you need to revoke the Deny for this exact group (or groups).
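
The Deny-overrides-Allow evaluation described in the replies above, as an added example that is not part of any post in this thread. It assumes the server's user rights were exported with `secedit /export /cfg <file> /areas USER_RIGHTS`; the sample export, the SIDs and the function names are constructed for illustration.

```python
# Constructed sample of a `secedit /export /areas USER_RIGHTS` file (not from the thread).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeDenyInteractiveLogonRight = *S-1-5-21-1111-2222-3333-513,Guest
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed token for a domain Administrator: its own SID plus its group SIDs.
ADMIN_TOKEN = {
    "S-1-5-21-1111-2222-3333-500",  # Administrator (constructed domain SID)
    "S-1-5-21-1111-2222-3333-512",  # Domain Admins
    "S-1-5-21-1111-2222-3333-513",  # Domain Users
    "S-1-5-32-544",                 # BUILTIN\Administrators
    "S-1-1-0",                      # Everyone
}

def parse_privilege_rights(text):
    """Return {right_name: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written as *S-1-...; bare entries are account names.
            rights[name.strip()] = {
                m.strip().lstrip("*").upper() for m in value.split(",") if m.strip()
            }
    return rights

def interactive_logon_verdict(rights, token):
    """token: the account's own SID/name plus every group SID/name it belongs to."""
    token = {t.upper() for t in token}
    allowed_by = rights.get("SeInteractiveLogonRight", set()) & token
    denied_by = rights.get("SeDenyInteractiveLogonRight", set()) & token
    # Any Deny match blocks the logon, no matter how many Allow entries match.
    return bool(allowed_by) and not denied_by, sorted(allowed_by), sorted(denied_by)

if __name__ == "__main__":
    ok, allowed_by, denied_by = interactive_logon_verdict(
        parse_privilege_rights(SAMPLE_EXPORT), ADMIN_TOKEN)
    print("interactive logon permitted:", ok)
    print("allow matches:", allowed_by)
    print("deny matches (revoke these exact entries):", denied_by)
```

With the constructed data the only Deny match is the Domain Users SID, so granting SeInteractiveLogonRight to Administrator directly leaves the verdict unchanged until that Deny entry is revoked.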
Hi -- I have the exact same problem.  Only one account (Administrator) and no longer able to login to Windows Server 2003.  I have used the ERD Commander tool to connect to the server and run the NTRights.exe successfully.  It still will not work.  I think I locked out the Administrator account when I set up a mail account for it.  Does anyone know how I can undo that?  I am getting the same error as this person states (Not allowed to login interactively).  When I used NTrights to set all the permissions it said it was successful, but I still can't login.

Does anyone know how I can reverse creating the mail account for Administrator? (I set the account up with the SMTP services).

Thanks much.
This link worked for me -

http://www.itvidya.com/the_local_policy_of_this_system_does_not_permit_you_to_logon_interactively
also http://www.windowsnetworking.com/articles_tutorials/Windows_2003_Terminal_Services_Part2.html

You have to use the computer management from another computer to edit the local user on the computer you are locked out of.  

Hope this helps.....