Locked out of Windows 2000 Domain Controller!!

Posted on 2003-11-10
Last Modified: 2010-04-13
I have a HUGE problem.  I can't believe I did this, but I was changing some group policies, in order to allow certain groups of users to log in via terminal services.  I was successful in this, however those are the ONLY users that can now "Log in Locally" to the domain controller.  The Administrator account is unable to log into that computer!  I am only able to login to the domain controller using some non-privileged accounts.  These are accounts which do not have permission to change any security policies or add the administrator to the group of users currently able to log in.

Specifically, what I did was follow "Method 1" of Microsoft's Article: 260370 "How to Apply Group Policy Objects to Terminal Services Servers".  This article had me create a new OU, and move my server from the "Domain Controllers" OU to one that I created.  Then, add group(s) that could log on locally.  It did not say, nor did I specifically add the "Administrators" group.

If anyone has ANY suggestions please let me know.  This is one of the most important servers in my network.  I still can't believe what I did!  Thanks for ANY help at all.
Question by: barthalamu

Author Comment

ID: 9718989
Might have found the solution in the Windows 2000 Resource Kit...

Accepted Solution

zefiro earned 500 total points
ID: 9719207
First question... do you have another domain controller? (one that you didn't move to the Terminal Server OU)

If so, log on to that, go to Active Directory Users and Computers and either move the server back to the Domain Controllers OU or give admins "Log on locally" rights.

Go to another Windows 2000 Server. Log in as an Administrator --> Go to Start --> Run --> Type 'dsa.msc' --> Enter

You may be able to get into the AD Users and Computers console. If so, move the server back to the Domain Controllers OU or give admins "Log on locally" rights.

If the above do not work, go to another Windows 2000 Server (this may also work on W2K Professional) and run Adminpak.msi from the server's i386 directory to install the tools:

To install Windows 2000 Administration Tools on a local computer:
  1. Open the I386 folder on the appropriate Windows 2000 Server CD-ROM. The latest version of the Windows 2000 Administration Tools is on the latest Windows 2000 service pack CD-ROM.
  2. Double-click the Adminpak.msi file.
  3. Click Next, and then click Finish.
The Adminpak.msi file installs the Active Directory administrative tools and other administrative tools, including the Terminal Services Client and Cluster Administrator.

Configure the Windows 2000 Professional Workstation
To use the Windows 2000 Administration Tools to remotely run administrative tasks on a DC, you must first join the computer to the domain and have a valid user name and password with permissions to create a computer account:
  1. Start the System tool in Control Panel.
  2. On the Network Identification tab, click Properties.
  3. Under Member of, click Domain, type the name of the domain you want to join, and then click OK. You are prompted to provide a user name and user password to join the computer to the domain.
  4. Click OK to close the System Properties dialog box. You are prompted to restart your computer to apply your changes.

Use the Windows 2000 Administration Tools
To access the server administrative tools after you install Windows 2000 Administration Tools and configure the Windows 2000 Professional
  1. Log on to the Windows 2000 Professional workstation by using domain administrator credentials.
  2. Click Start, point to Programs, point to Administrative Tools, and then click any of the following server administrative tools that are included in Windows 2000 Administration Tools:
    --- Active Directory Users and Computers

Finally, a small lecture: Terminal Services in Application Mode should not be running on a Domain Controller. Although Microsoft can be a little wishy-washy on what they recommend, I don't know of any real-world techies out there who would say it is a good idea. As a general rule, you should treat your Terminal Server as if it were the most troublesome workstation on your network. It should be absolutely clean, ONLY running what the users need to run. Second, if you have more than one server, you should have more than one domain controller... and, finally, when playing with GPO or rights of any kind, always give yourself rights first... just in case... END OF ANNOYING LECTURE

Hope something here helps. If not, the next thing to try would be to install a new W2000 Server along with Active Directory, make it a DC, then go in... or else, go to your backup tapes.
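The two remedies in the accepted answer, moving the DC's computer object back under the Domain Controllers OU from another machine and making sure Administrators keeps the "Log on locally" right before a policy is linked, as an added PowerShell example that is not part of the original thread or of Microsoft's article. It assumes a modern domain with the RSAT ActiveDirectory module on the admin workstation (nothing like it existed on Windows 2000, where the equivalent is the dsa.msc move described above), and it uses placeholder names: a DC called DC01 and a constructed security template whose group SID is made up. The pre-flight check parses the INF format that `secedit /export /cfg` produces and that a GPO stores in its GptTmpl.inf; the right behind "Log on locally" is SeInteractiveLogonRight and BUILTIN\Administrators is S-1-5-32-544.

```powershell
# Added example, not from the original thread. Assumes the RSAT ActiveDirectory
# module; DC01 and the template below are placeholders/constructed.

# Pre-flight check: does a security template keep BUILTIN\Administrators in
# SeInteractiveLogonRight ("Log on locally")? Run this against the GPO's
# GptTmpl.inf (or a secedit /export /cfg dump) before linking it to a DC OU.
function Test-InteractiveLogonKeepsAdmins {
    param([Parameter(Mandatory)][string]$TemplatePath)

    $adminsSid = 'S-1-5-32-544'
    $line = Get-Content -LiteralPath $TemplatePath |
        Where-Object { $_ -match '^\s*SeInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) {
        # Right not defined in this template, so it does not override the DC default.
        return $true
    }
    # The value is a comma-separated list of *SID (or name) entries,
    # e.g. "SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551"
    $entries = ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
    return ($entries -contains $adminsSid) -or ($entries -contains 'Administrators')
}

# Recovery from a second DC or an admin workstation, as the accepted answer
# describes: move the locked-out DC's computer object back under the Domain
# Controllers OU so the default domain controllers policy applies again after
# the next policy refresh. Returns the object's DN afterwards.
function Restore-DcToDefaultOu {
    param([Parameter(Mandatory)][string]$DcName)

    Import-Module ActiveDirectory
    $domainDn = (Get-ADDomain).DistinguishedName
    $dcOu = "OU=Domain Controllers,$domainDn"
    $computer = Get-ADComputer -Identity $DcName
    if ($computer.DistinguishedName -notlike "*,$dcOu") {
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $dcOu
    }
    return (Get-ADComputer -Identity $DcName).DistinguishedName
}

# Constructed template reproducing the mistake on this page: only a Terminal
# Services users group (made-up domain SID) is granted the right, Administrators
# is omitted. secedit writes these files as UTF-16, so match that encoding.
$tmp = Join-Path $env:TEMP 'ts-gpo-check.inf'
@"
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1103
"@ | Set-Content -LiteralPath $tmp -Encoding Unicode

if (-not (Test-InteractiveLogonKeepsAdmins -TemplatePath $tmp)) {
    Write-Warning 'Template drops Administrators from "Log on locally"; do not link it to a DC OU.'
}

# Restore-DcToDefaultOu -DcName 'DC01'   # run from a machine you can still log on to
```

The check only reads the file, so it is safe to run against every GptTmpl.inf under SYSVOL as a periodic audit; the move needs an account that can still log on somewhere with rights over the computer object, which is why the answer's first question is whether a second DC exists.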

Expert Comment

ID: 9722233
Have you tried the local administrator account? That one should still be able to log in. However, that account, unless you created the GPO on the local machine, will be unable to change the GPOs.

Author Comment

ID: 9723618
Thank you so much, zefiro. I was able to get to the AD Users and Computers console by using "dsa.msc". I certainly did learn a lesson! Thanks. The lecture was very appropriate.
