Local system policy...can't login as admin..

help!

We have a win2000 domain server and I'm pretty sure that I messed up the GPO and now am unable to get into the server. I have tried to use the ntrights.exe from a computer on the network, but it's not working. I can't leave until I get this working and reinstalling and restoring is not an option. Does anyone have any ideas?
definitivenetworking Asked:
saito1 Commented:
ok definitivenetworking,
first try:

1.  Restart the Windows 2000-based computer, and then run the Recovery Console.
2.  From the Recovery Console, type copy c:\winnt\repair\security c:\winnt\system32\config\security at the command prompt, and then press ENTER.
3.  At the command prompt, type exit, and then press ENTER to exit the Recovery Console and to restart the computer.
4.  Try to Log on locally to the computer.

if it does not work then run the commands (+r grants the right to a user or group)

ntrights.exe -m \\ntmail -u Administrators +r  SeInteractiveLogonRight
ntrights.exe -m \\ntmail -u Administrator +r  SeInteractiveLogonRight
ntrights.exe -m \\ntmail -u Administrators +r SeNetworkLogonRight
ntrights.exe -m \\ntmail -u "Domain Admins" +r SeInteractiveLogonRight
...
help about ntrights.exe options:
http://support.microsoft.com/default.aspx?scid=kb;en-us;279664&Product=win2000

hope this helps
Rgrds...
0
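A defender-side check for the condition behind this thread, added here as an example and not part of any post: it parses the [Privilege Rights] section of a `secedit /export /cfg` file and flags a policy that would lock administrators out of interactive logon (no administrative principal in SeInteractiveLogonRight, or one listed in SeDenyInteractiveLogonRight), which is worth running before a Domain Controller Security Policy change is applied. The sample export, its domain SID and the function names are constructed for the example.

```python
# S-1-5-32-544 is the built-in Administrators group; a domain SID ending in RID 512 is Domain Admins.
ADMIN_NAMES = {"administrators", "administrator", "domain admins"}

def is_admin_principal(p):
    """Administrators, Administrator or Domain Admins, given as a SID or as a name."""
    return p == "S-1-5-32-544" or p.endswith("-512") or p.lower() in ADMIN_NAMES

def parse_privilege_rights(inf_text):
    """Map right name -> principals from the [Privilege Rights] section of a secedit /export /cfg file."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # secedit writes SIDs with a leading '*'; names appear without it
            rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def lockout_findings(rights):
    """Conditions behind 'The local policy of this system does not permit you to logon interactively'
    for the admin: no admin principal in the allow right, or any admin principal in the deny right."""
    findings = []
    if not any(is_admin_principal(p) for p in rights.get("SeInteractiveLogonRight", [])):
        findings.append("no administrative principal holds SeInteractiveLogonRight")
    for p in rights.get("SeDenyInteractiveLogonRight", []):
        if is_admin_principal(p):  # an explicit deny overrides any allow
            findings.append(p + " is listed in SeDenyInteractiveLogonRight")
    return findings

# Constructed export (not from the thread's server): only Users may log on
# interactively, and Domain Admins (placeholder domain SID, RID 512) is denied.
BAD_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-512
SeNetworkLogonRight = *S-1-1-0
"""

if __name__ == "__main__":
    # On the Windows box itself: secedit /export /cfg rights.inf /areas USER_RIGHTS (output is UTF-16).
    for finding in lockout_findings(parse_privilege_rights(BAD_EXPORT)):
        print("LOCKOUT RISK:", finding)
```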
 
Gary Dewrell, Senior Network Administrator, Commented:
Hi definitivenetworking,
See if this helps you any at all.
http://support.microsoft.com/default.aspx?scid=kb;it;263166

God Bless
0
 
definitivenetworking (Author) Commented:
I'm not even able to log into the server, can't access anything on the server whatsoever. But thanks for trying.
0
saito1 Commented:
hi,

when you try login what error do you get ?
0
 
Rob Stone Commented:
What GP did you configure that you think has locked you out?

Can you access anything from a client (files, etc)?
0
 
rhandels Commented:
Hi,

Try to start the machine by using the Active Directory Restore mode and log in using the Admin recovery account (if you have this password, of course), then you might be able to restore the AD and change the password back. To start up using AD restore mode, press F8 during startup and choose AD Restore Mode.
0
 
youre1m Commented:
Create a new admin account on the server using ADUC from a workstation; don't put the account in the Domain Admins group, just put it in Enterprise Admins, and try logging on with that account. You may find the Domain Admins group has been locked out from logging on interactively. It's happened to me and that has worked; I just haven't got round to figuring out why the Domain Admins group is locked out yet (it's only a test domain).
0
 
definitivenetworking (Author) Commented:
I get a "The Local Policy of this System does not permit you to logon interactively."

I'm able to log in to a client as an Admin on the domain, but when I try to access anything, it asks for a login and password. Hence I'm not able to get to any directory.

How can I get ADUC for a workstation? Is that something I can download?

I'm not sure if I want to try to restore the AD, as I'm not sure what the local admin password is; this system has been in place for a while and the people that built it are no longer here. I have the domain admin password if that's the same?
0
 
definitivenetworking (Author) Commented:
This is what I have done so far from the client, logged in as the Administrator, using ntrights.exe:

NTRights -u Everyone -m \\ntmail +r SeInteractiveLogonRight
NTRights -u Everyone -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u Administrators -m \\ntmail +r SeInteractiveLogonRight
NTRights -u Administrators -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u Administrator -m \\ntmail +r SeInteractiveLogonRight
NTRights -u Administrator -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u "Domain User" -m \\ntmail +r SeInteractiveLogonRight
NTRights -u "Domain User" -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u "Domain Admins" -m \\ntmail +r SeInteractiveLogonRight
NTRights -u "Domain Admins" -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u "Domain Admin" -m \\ntmail +r SeInteractiveLogonRight
NTRights -u "Domain Admin" -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u IUSR_NTMAIL -m \\ntmail +r SeInteractiveLogonRight
NTRights -u IUSR_NTMAIL -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u IWAM_NTMAIL -m \\ntmail +r SeInteractiveLogonRight
NTRights -u IWAM_NTMAIL -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u Users -m \\ntmail +r SeInteractiveLogonRight
NTRights -u Users -m \\ntmail -r SeDenyInteractiveLogonRight
0
 
definitivenetworking (Author) Commented:
When I try to use ADUC from another Win2000 Server on the network, I get "Logon attempt failed." I'm on this server as Administrator for the domain.
0
 
definitivenetworking (Author) Commented:
Okay, this is what we had to do...

Remove hard drive from server, take it to another machine, make it a slave and boot up. Then we had to edit a file (can't remember which one) but it was deep inside the sysvol folder, then we replaced the security file that is in the winnt/config folder with one out of a saved directory...

I ended up calling Microsoft and with the help of two engineers and 6 hours later, we got it to work.

Thanks for everybody's help.
0
 
Stonewall45 Commented:
I was having this exact problem after incorrectly setting some Domain Controller Security Policies.  Using the Recovery Console as posted by Saito1 (The accepted answer) fixed this problem for me.

This might be some information to add to that solution...

For the command:   copy c:\winnt\repair\security c:\winnt\system32\config\security
Use either "winnt"  or "windows" whatever your system root directory is.

After rebooting, I had to log on with the Administrator username and Password of the local machine and then rejoin that computer to the domain.  After that, the usual user was able to log back on normally.

0
Question has a verified solution.