Can't login to Win2000

Posted on 2004-03-21
Last Modified: 2010-04-12
Hi experts

Previously I was able to login to my Windows2000 using my Administrator id. But carelessly, I went to Local Security Settings in Administrative Tools and made some changes which I am not quite sure of.

I believe I made some changes in Local Policies -> User Rights Assignment

and the changes I made is

Deny logon locally --> I put my Administrator id there

and now I am not able to login to my Win2K with the error message such as "Local security/policy do not allow you to access this computer. I forget the exact error message but kinda like it.

I have the ERD Commander so I am able to go to see my files. So can you guys advise me or give me any idea how to changed back the setting so I can access my Win2K normally again ?

Using the ERD commander, I can access the Regedit eventhough on HKEY_CLASSES_ROOT and HKEY_LOCAL_MACHINE, but I have no idea which one that I need to change if there is.

Thanks all
Question by:joris_navius
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
  • +3
LVL 16

Expert Comment

ID: 10647173
There is nothing in the registry you can do to fix this.

You need to get another machine and connect to yours from it.

Use your administrator logon to make a connection and then use the "manage my computer" snapin to connect to to your machine and create a new administrator account. Log on with that that and reverse what you did.




Expert Comment

ID: 10647318
Now you know that the "Deny logon locally" will prohibit a user from logging on directly at the computer's keyboard.
The easiest way to fix it is to connect to your PC from another PC and undo the change you've made (from  computer mangement > action > connect to another computer).

LVL 19

Expert Comment

by:Zaheer Iqbal
ID: 10647581
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.


Expert Comment

ID: 10647864
you have to reset all policies on win2000, to do this enter the harddisk and go to winnt--->system32------>config
and delete "SAM" file

remember it will reset all security policies and delete all users accept administrator and guest. then give administrator in username field and login with blank password field.
LVL 16

Expert Comment

ID: 10648006
do this only as a total last resort, it will fry all your permissions, you will have to take control of everything and you will lose anything you have encypted with certificates - probably permanently!

You may have to rebuild your machine anyway



Author Comment

ID: 10709726
Hi Mahabat

Tried to go to the config folder but there is not  SAM file there. What should I do next ? I was not able to connect to my PC from other computer. Mine using win2K and the other computer is using WinXP. Is it possible to connect it using that setting ? Or should I connect it using the same Win2K also ?

What if I install again my Win2K, will all the setting or my application in Win2K be replaced or purged ? How to make all the applications setting be available again after I re-install the Win2K

Please advise.

LVL 16

Accepted Solution

JamesDS earned 250 total points
ID: 10710968

If you re-install, you will lose all of your applications and settings. Some of your settings can be preserved, but you will have to re-install everything from scratch.

Windows 2000 uses a SAM file and it is in the %WINDIR%\SYSTEM32\CONFIG directory. It may be hidden, but it is there and will be accessible by the ERD commander.

It makes no difference if your machine is W2k and the other is WXP. You must connect them together on the same IP SUBNET:

MACHINE1 W2k IP:, Subnet

Make sure you can oing them before you proceed

Then from MACHINE2 WXP enter the following at the command line:

Net use \\\ipc$ * /user:\Administrator

It will ask you for your password, which you can enter now.

Then from the command line run MMC.EXE, select add/remove snapin and add the "Group Policy" snapin. Use the Group Policy Wizard to enter the the IP address of MACHINE1 W2k (

Use the Group Policy snapin to undo what you did in the first place



Author Comment

ID: 10710998
Hi JamesDS

Thanks for your detail information. I will try this and will let you know the result.

Expert Comment

ID: 10711341
Hi Joris Navius

Boot ur PC from any bootable cd and then goto the path "winnt\SYSTEM32\CONFIG "
then u can access to the win2k and then u can connect the pc to another pc.
First boot the pc from any bootable cd and then go to that directory and delete SAM file
clear ?

Author Comment

ID: 10711617
Hi Mahabat

Sorry i am not so clear about it.
Go to the path "winnt\SYSTEM32\CONFIG" then i can access to win2k and then i can connect the pc to another pc.
can you explain that portion ? Am not so clear.

For SAM file, I will try to delete it using ERD commander.

Author Comment

ID: 11538706
Hi all
Sorry for the late reply

I did not manage to do as what Jamesd told me. At the end, I reinstall everything.
But I think JamesD solution should work in some cases. In that case please give the points to JamesD

LVL 11

Expert Comment

ID: 11538774

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Invest in your employees with these five simple steps to improve employee engagement and retention.
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Finding and deleting duplicate (picture) files can be a time consuming task. My wife and I, our three kids and their families all share one dilemma: Managing our pictures. Between desktops, laptops, phones, tablets, and cameras; over the last decade…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question