Solved

Locked out of Windows 2000 Domain Controller!!

Posted on 2003-11-10
1,382 Views
Last Modified: 2010-04-13
I have a HUGE problem.  I can't believe I did this, but I was changing some group policies, in order to allow certain groups of users to log in via terminal services.  I was successful in this, however those are the ONLY users that can now "Log in Locally" to the domain controller.  The Administrator account is unable to log into that computer!  I am only able to login to the domain controller using some non-privileged accounts.  These are accounts which do not have permission to change any security policies or add the administrator to the group of users currently able to log in.

Specifically, what I did was follow "Method 1" of Microsoft's Article: 260370 "How to Apply Group Policy Objects to Terminal Services Servers".  http://support.microsoft.com/?kbid=260370  This article had me create a new OU, and move my server from the "Domain Controllers" OU to one that I created.  Then, add group(s) that could log on locally.  It did not say, nor did I specifically add the "Administrators" group.

If anyone has ANY suggestions please let me know.  This is one of the most important servers in my network.  I still can't believe what I did!  Thanks for ANY help at all.
Question by:barthalamu
4 Comments
 

Author Comment

by:barthalamu
Might have found the solution in the Windows 2000 Resource Kit...
LVL 5

Accepted Solution

by: zefiro (earned 500 total points)
First question. . .do you have another domain controller? (one that you didn't move to the Terminal Server OU)

If so, log on to that, go to the Active Directory Users and Computers console and either move the server back to the Domain Controllers OU or give admins "Log on locally" rights.

Go to another Windows 2000 Server. Log in as an Administrator-->Go to Start-->Run-->Type 'dsa.msc'-->Enter

You may be able to get into the AD Users and Computers console.  If so, move the server back to the Domain Controllers OU or give admins "Log on locally" rights.

If the above do not work, go to another Windows 2000 Server, (this may also work on W2K Professional) run Adminpak.msi from the server i386 directory to install


To install Windows 2000 Administration Tools on a local computer:
  1. Open the I386 folder on the appropriate Windows 2000 Server CD-ROM. The latest version of the Windows 2000 Administration Tools is on the latest Windows 2000 service pack CD-ROM.
  2. Double-click the Adminpak.msi file.
  3. Click Next, and then click Finish.
The Adminpak.msi file installs the Active Directory administrative tools, and other administrative tools, including the Terminal Services Client and Cluster Administrator.

Configure the Windows 2000 Professional Workstation
To use the Windows 2000 Administration Tools to remotely run administrative tasks on a DC, you must first join the computer to the domain and have a valid user name and password with permissions to create a computer account:
  1. Start the System tool in Control Panel.
  2. On the Network Identification tab, click Properties.
  3. Under Member of, click Domain, type the name of the domain you want to join, and then click OK. You are prompted to provide a user name and user password to join the computer to the domain.
  4. Click OK to close the System Properties dialog box. You are prompted to restart your computer to apply your changes.

Use the Windows 2000 Administration Tools
To access the server administrative tools after you install Windows 2000 Administration Tools and configure the Windows 2000 Professional workstation:
  1. Log on to the Windows 2000 Professional workstation by using domain administrator credentials.
  2. Click Start, point to Programs, point to Administrative Tools, and then click any of the following server administrative tools that are included in Windows 2000 Administration Tools:
    - Active Directory Users and Computers


Finally, a small lecture--Terminal Services in Application Mode should not be running on a Domain Controller.  Although Microsoft can be a little wishy-washy on what they recommend, I don't know of any real-world techies out there who would say it is a good idea.  As a general rule, you should treat your Terminal Server as if it were the most troublesome workstation on your network.  It should be absolutely clean, ONLY running what the users need to run.  Second, if you have more than one server, you should have more than one domain controller. . .and, finally, when playing with GPO or rights of any kind, always give yourself rights first. . .just in case. . .END OF ANNOYING LECTURE

Hope something here helps, if not, the next thing to try would be to install a new W2000 Server along with Active Directory, make it a DC then go in. . .or else, go to your backup tapes.
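The lockout in this thread came from a GPO that defined "Log on locally" without the built-in Administrators group. The following is an added example, not code from this thread or from Microsoft, that audits a GPO security template (GptTmpl.inf, the file under the GPO's SYSVOL folder that carries User Rights Assignment) for exactly that omission before the policy is linked; the sample template and the domain SID in it are constructed for the example.

```python
# Added example: audit a GptTmpl.inf security template for "Log on locally"
# (SeInteractiveLogonRight) being defined without BUILTIN\Administrators.
# A real GptTmpl.inf on disk is UTF-16; read it with encoding="utf-16".
import configparser

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample template: "Log on locally" is granted only to a
# hypothetical Terminal Services users group, as in the question above.
SAMPLE_GPTTMPL = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549
"""


def parse_privilege_rights(text):
    """Return {privilege_name: [sid_or_name, ...]} from [Privilege Rights].
    GptTmpl.inf prefixes SIDs with '*'; entries without '*' are account names."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep privilege names exactly as written
    cp.read_string(text)
    rights = {}
    if cp.has_section("Privilege Rights"):
        for name, value in cp.items("Privilege Rights"):
            rights[name] = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return rights


def audit_logon_locally(text):
    """Return a list of findings; an empty list means admins keep console access."""
    rights = parse_privilege_rights(text)
    findings = []
    allow = rights.get("SeInteractiveLogonRight")
    if allow is not None and ADMINISTRATORS_SID not in allow:
        findings.append("SeInteractiveLogonRight is defined but omits Administrators "
                        "(S-1-5-32-544); applying this to a DC locks admins out of the console")
    if ADMINISTRATORS_SID in rights.get("SeDenyInteractiveLogonRight", []):
        findings.append("SeDenyInteractiveLogonRight includes Administrators; deny wins over allow")
    return findings


if __name__ == "__main__":
    for finding in audit_logon_locally(SAMPLE_GPTTMPL):
        print("WARNING:", finding)
```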
LVL 6

Expert Comment

by:Casca1
Have you tried the local administrator account? That one should still be able to log in. However, that account, unless you created the GPO on the local machine, will be unable to change the GPOs.

Author Comment

by:barthalamu
Thank you so much zefiro.  I was able to get to the AD Users and Computers console by using "dsa.msc".  I certainly did learn a lesson!  Thanks.  Lecture was very appropriate.