Locked out of Windows 2000 Domain Controller!!

Posted on 2003-11-10
Medium Priority
Last Modified: 2010-04-13
I have a HUGE problem.  I can't believe I did this, but I was changing some group policies, in order to allow certain groups of users to log in via terminal services.  I was successful in this, however those are the ONLY users that can now "Log in Locally" to the domain controller.  The Administrator account is unable to log into that computer!  I am only able to login to the domain controller using some non-privileged accounts.  These are accounts which do not have permission to change any security policies or add the administrator to the group of users currently able to log in.

Specifically, what I did was follow "Method 1" of Microsoft's Article: 260370 "How to Apply Group Policy Objects to Terminal Services Servers".  http://support.microsoft.com/?kbid=260370  This article had me create a new OU, and move my server from the "Domain Controllers" OU to one that I created.  Then, add group(s) that could log on locally.  It did not say, nor did I specifically add the "Administrators" group.

If anyone has ANY suggestions please let me know.  This is one of the most important servers in my network.  I still can't believe what I did!  Thanks for ANY help at all.
Question by:barthalamu

Author Comment

ID: 9718989
Might have found the solution in the Windows 2000 Resource Kit...

Accepted Solution

zefiro earned 2000 total points
ID: 9719207
First question. . .do you have another domain controller? (one that you didn't move to the Terminal Server OU)

If so, log on to that, go to Active Directory Users and Computers and either move the server back to the Domain Controllers OU or give admins log on locally rights.

Go to another Windows 2000 Server. Log in as an Administrator-->Go to Start-->Run-->Type 'dsa.msc'-->Enter    

You may be able to get into the AD Users and Computers console.  If so, move the server back to the domain controller OU or give admins log on locally rights.

If the above do not work, go to another Windows 2000 Server (this may also work on W2K Professional) and run Adminpak.msi from the server's I386 directory to install the Windows 2000 Administration Tools:

To install Windows 2000 Administration Tools on a local computer:
  1. Open the I386 folder on the appropriate Windows 2000 Server CD-ROM. The latest version of the Windows 2000 Administration Tools is on the latest Windows 2000 service pack CD-ROM.
  2. Double-click the Adminpak.msi file.
  3. Click Next, and then click Finish.
The Adminpak.msi file installs the Active Directory administrative tools, and other administrative tools, including the Terminal Services Client and Cluster Administrator.

Configure the Windows 2000 Professional Workstation
To use the Windows 2000 Administration Tools to remotely run administrative tasks on a DC, you must first join the computer to the domain and have a valid user name and password with permissions to create a computer account:
  1. Start the System tool in Control Panel.
  2. On the Network Identification tab, click Properties.
  3. Under Member of, click Domain, type the name of the domain you want to join, and then click OK. You are prompted to provide a user name and user password to join the computer to the domain.
  4. Click OK to close the System Properties dialog box. You are prompted to restart your computer to apply your changes.

Use the Windows 2000 Administration Tools
To access the server administrative tools after you install Windows 2000 Administration Tools and configure the Windows 2000 Professional workstation:
  1. Log on to the Windows 2000 Professional workstation by using domain administrator credentials.
  2. Click Start, point to Programs, point to Administrative Tools, and then click any of the following server administrative tools that are included in Windows 2000 Administration Tools:
    ---Active Directory Users and Computers

Finally, a small lecture--Terminal Services in Application Mode should not be running on a Domain Controller.  Although Microsoft can be a little wishy-washy on what they recommend, I don't know of any real-world techies out there who would say it is a good idea.  As a general rule, you should treat your Terminal Server as if it were the most troublesome workstation on your network.  It should be absolutely clean, ONLY running what the users need to run.  Second, if you have more than one server, you should have more than one domain controller. . .and, finally, when playing with GPO or rights of any kind, always give yourself rights first. . .just in case. . .END OF ANNOYING LECTURE

Hope something here helps, if not, the next thing to try would be to install a new W2000 Server along with Active Directory, make it a DC then go in. . .or else, go to your backup tapes.
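Worked example, added to this thread (it is not zefiro's code, nor anything from KB 260370): the "give yourself rights first" pre-flight check and the "move the server back to the Domain Controllers OU" recovery step, as a present-day admin would script them. Windows 2000 had no PowerShell, so this assumes a domain-joined management workstation with the RSAT GroupPolicy and ActiveDirectory modules, run as a domain admin who can still log on somewhere (the same precondition the answer above relies on). The GPO name and DC name at the bottom are placeholders, not names from the question.

```powershell
# Added example, not from the original thread or KB 260370.
# Assumptions: RSAT GroupPolicy + ActiveDirectory modules are installed; you are a
# domain admin on a domain-joined workstation; GPO/DC names below are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Well-known SID of BUILTIN\Administrators; identical on every domain and host.
$AdministratorsSid = 'S-1-5-32-544'

function Test-LogonLocallyKeepsAdmins {
    # Pre-flight check: if this GPO defines "Allow log on locally"
    # (SeInteractiveLogonRight), make sure Administrators is still on the list.
    # Returns $true when it is safe to link to an OU that contains a domain controller.
    param([Parameter(Mandatory)][string]$GpoName)

    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml

    # The report XML is namespaced, so match on local-name() instead of prefixes.
    $rights = $report.SelectNodes("//*[local-name()='UserRightsAssignment']") |
        Where-Object { $_.SelectSingleNode("*[local-name()='Name']").InnerText -eq 'SeInteractiveLogonRight' }

    if (-not $rights) {
        Write-Host "$GpoName does not define SeInteractiveLogonRight; nothing to check."
        return $true
    }

    $members = foreach ($r in $rights) {
        foreach ($m in $r.SelectNodes("*[local-name()='Member']")) {
            [pscustomobject]@{
                Name = $m.SelectSingleNode("*[local-name()='Name']").InnerText
                SID  = $m.SelectSingleNode("*[local-name()='SID']").InnerText
            }
        }
    }
    Write-Host "SeInteractiveLogonRight in '$GpoName' is granted to:"
    $members | ForEach-Object { Write-Host "  $($_.Name) ($($_.SID))" }

    # User rights assignments replace rather than merge: the list in the GPO becomes
    # the entire list on every computer it applies to, so a missing Administrators
    # entry locks admins out exactly as described in the question.
    $ok = ($members.SID -contains $AdministratorsSid)
    if (-not $ok) {
        Write-Warning "BUILTIN\Administrators ($AdministratorsSid) is NOT in the list. Add it before linking this GPO to any OU that holds a DC."
    }
    return $ok
}

function Restore-DomainControllerOu {
    # Recovery: move the DC's computer object back under the Domain Controllers
    # container so the Default Domain Controllers Policy (which grants Administrators
    # "Allow log on locally") applies again, then make the DC refresh policy.
    param([Parameter(Mandatory)][string]$DcName)

    $dc     = Get-ADComputer -Identity $DcName
    $target = (Get-ADDomain).DomainControllersContainer   # e.g. OU=Domain Controllers,DC=corp,DC=example

    if ($dc.DistinguishedName -like "*,$target") {
        Write-Host "$DcName is already in $target"
    } else {
        Write-Host "Moving $($dc.DistinguishedName) -> $target"
        Move-ADObject -Identity $dc.DistinguishedName -TargetPath $target
    }

    # Do not wait for the DC's 5-minute refresh interval; this is 'gpupdate /force'
    # triggered remotely on the DC.
    Invoke-GPUpdate -Computer $DcName -Force -RandomDelayInMinutes 0
}

# --- Usage (placeholder names, not from the question) ---
# 1. Before linking: does the Terminal Services GPO still let admins log on locally?
Test-LogonLocallyKeepsAdmins -GpoName 'TS Users Logon Policy'

# 2. After a lockout: put the DC back where the default DC policy covers it.
Restore-DomainControllerOu -DcName 'DC01'
```

Two caveats. Invoke-GPUpdate creates a scheduled task on the target over RPC, so the management workstation needs that access to the DC; if it is blocked, log on to the DC (once the move has replicated) and run gpupdate /force there. And the other fix zefiro mentions, adding Administrators to the user right inside the offending GPO rather than moving the server, has no cmdlet in the GroupPolicy module: user rights are edited in the GPMC editor under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment, which is also where the check above should be done by eye before the GPO is ever linked.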

Expert Comment

ID: 9722233
Have you tried the local administrator account? That one should still be able to log in. However, that account, unless you created the GPO on the local machine, will be unable to change the GPOs.

Author Comment

ID: 9723618
Thank you so much zefiro.  I was able to get to the AD Users and Computers console by using "dsa.msc".  I certainly did learn a lesson!  Thanks.  Lecture was very appropriate.
