Locked out of Windows 2000 Domain Controller!!

I have a HUGE problem.  I can't believe I did this, but I was changing some group policies, in order to allow certain groups of users to log in via terminal services.  I was successful in this, however those are the ONLY users that can now "Log in Locally" to the domain controller.  The Administrator account is unable to log into that computer!  I am only able to log in to the domain controller using some non-privileged accounts.  These are accounts which do not have permission to change any security policies or add the administrator to the group of users currently able to log in.

Specifically, what I did was follow "Method 1" of Microsoft's Article: 260370 "How to Apply Group Policy Objects to Terminal Services Servers".  http://support.microsoft.com/?kbid=260370  This article had me create a new OU, and move my server from the "Domain Controllers" OU to one that I created.  Then, add group(s) that could log on locally.  It did not say, nor did I specifically add the "Administrators" group.

If anyone has ANY suggestions please let me know.  This is one of the most important servers in my network.  I still can't believe what I did!  Thanks for ANY help at all.

barthalamu (Author) commented:
Might have found the solution in the Windows 2000 Resource Kit...
First question. . .do you have another domain controller? (one that you didn't move to the Terminal Server OU)

If so, log on to that, go to Active Directory Users and Computers and either move the server back to the domain controller OU or give admins log on locally rights.

Go to another Windows 2000 Server. Log in as an Administrator-->Go to Start-->Run-->Type 'dsa.msc'-->Enter    

You may be able to get into the AD Users and Computers console.  If so, move the server back to the domain controller OU or give admins log on locally rights.

If the above do not work, go to another Windows 2000 Server, (this may also work on W2K Professional) run Adminpak.msi from the server i386 directory to install

To install Windows 2000 Administration Tools on a local computer:
  1. Open the I386 folder on the appropriate Windows 2000 Server CD-ROM. The latest version of the Windows 2000 Administration Tools is on the latest Windows 2000 service pack CD-ROM.
  2. Double-click the Adminpak.msi file.
  3. Click Next, and then click Finish.
The Adminpak.msi file installs the Active Directory administrative tools, and other administrative tools, including the Terminal Services Client and Cluster Administrator.

Configure the Windows 2000 Professional Workstation
To use the Windows 2000 Administration Tools to remotely run administrative tasks on a DC, you must first join the computer to the domain and have a valid user name and password with permissions to create a computer account:
  1. Start the System tool in Control Panel.
  2. On the Network Identification tab, click Properties.
  3. Under Member of, click Domain, type the name of the domain you want to join, and then click OK.

     You are prompted to provide a user name and user password to join the computer to the domain.
  4. Click OK to close the System Properties dialog box.

     You are prompted to restart your computer to apply your changes.

Use the Windows 2000 Administration Tools
To access the server administrative tools after you install Windows 2000 Administration Tools and configure the Windows 2000 Professional
  1. Log on to Windows 2000 Professional workstation by using domain administrator credentials.
  2. Click Start, point to Programs, point to Administrative Tools, and then click any of the following server administrative tools that are included in Windows 2000 Administration Tools:
     - Active Directory Users and Computers

Finally, a small lecture--Terminal Services in Application Mode should not be running on a Domain Controller.  Although Microsoft can be a little wishy-washy on what they recommend, I don't know of any real-world techies out there who would say it is a good idea.  As a general rule, you should treat your Terminal Server as if it were the most troublesome workstation on your network.  It should be absolutely clean, ONLY running what the users need to run.  Second, if you have more than one server, you should have more than one domain controller. . .and, finally, when playing with GPO or rights of any kind, always give yourself rights first. . .just in case. . .END OF ANNOYING LECTURE

Hope something here helps, if not, the next thing to try would be to install a new W2000 Server along with Active Directory, make it a DC then go in. . .or else, go to your backup tapes.
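The advice above to give yourself rights first can be turned into a pre-flight check on a security template before it is linked to an OU. This is an added example, not part of the original thread: it parses the `[Privilege Rights]` section of a template (the format used by `GptTmpl.inf` and `secedit` exports) and reports when "Log on locally" (`SeInteractiveLogonRight`) is defined without the built-in Administrators group. The `EXAMPLE\TS-Users` group and both sample templates are constructed for illustration.

```python
ADMINS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
ADMIN_NAMES = {"administrators", "builtin\\administrators"}

# Constructed sample: "Log on locally" granted only to a hypothetical TS group.
SAMPLE_BAD = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = EXAMPLE\\TS-Users
"""

# Constructed sample: the same right with Administrators kept in the list.
SAMPLE_OK = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,EXAMPLE\\TS-Users
"""

def privilege_rights(inf_text):
    """Map each user right in [Privilege Rights] to its list of principals."""
    rights, section = {}, None
    for line in inf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; account names are written bare.
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def is_admins(principal):
    return principal.upper() == ADMINS_SID or principal.lower() in ADMIN_NAMES

def lockout_findings(inf_text):
    """Return warnings for settings that would stop Administrators logging on locally.
    Only direct entries are checked; nested group membership is not resolved."""
    rights = privilege_rights(inf_text)
    findings = []
    allow = rights.get("SeInteractiveLogonRight")  # None: template leaves it undefined
    if allow is not None and not any(is_admins(p) for p in allow):
        findings.append("SeInteractiveLogonRight is defined without Administrators")
    if any(is_admins(p) for p in rights.get("SeDenyInteractiveLogonRight", [])):
        findings.append("SeDenyInteractiveLogonRight includes Administrators")
    return findings
```

Real `GptTmpl.inf` files are usually stored as UTF-16, so decode the file accordingly before passing its text to `lockout_findings`.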

Have you tried the local administrator account? That one should still be able to log in. However, that account, unless you created the GPO on the local machine, will be unable to change the GPOs.
barthalamu (Author) commented:
Thank you so much zefiro.  I was able to get to the AD Users and Computers console by using "dsa.msc".  I certainly did learn a lesson!  Thanks.  Lecture was very appropriate.