Local system policy...can't login as admin..
Solved

Posted on 2004-08-18
Last Modified: 2010-05-18
help!

We have a win2000 domain server and I'm pretty sure that I messed up the GPO and now am unable to get into the server. I have tried to use the ntrights.exe from a computer on the network, but it's not working. I can't leave until I get this working and reinstalling and restoring is not an option. Does anyone have any ideas?
Question by: definitivenetworking

13 Comments

Assisted Solution by: Gary Dewrell (LVL 12, earned 100 total points)
Hi definitivenetworking,
See if this helps you any at all.
http://support.microsoft.com/default.aspx?scid=kb;it;263166

God Bless

Author Comment by: definitivenetworking
I'm not even able to log into the server, can't access anything on the server whatsoever. But thanks for trying.
Expert Comment by: saito1 (LVL 3)
hi,

when you try to log in, what error do you get?

Expert Comment by: Rob Stone (LVL 15)
What GP did you configure that you think has locked you out?

Can you access anything from a client (files, etc)?

Assisted Solution by: rhandels (LVL 23, earned 200 total points)
Hi,

Try to start the machine by using Active Directory Restore Mode and log in using the admin recovery account (if you have this password, of course); then you might be able to restore the AD and change the password back. To start up in AD Restore Mode, press F8 during startup and choose AD Restore Mode.
Assisted Solution by: youre1m (LVL 6, earned 100 total points)
Create a new admin account on the server using ADUC from a workstation; don't put the account in the Domain Admins group, just put it in Enterprise Admins, and try logging on with that account. You may find the Domain Admins group has been locked out from logging on interactively. It's happened to me and that has worked; I just haven't got round to figuring out why the Domain Admins group is locked out yet (it's only a test domain).

Author Comment by: definitivenetworking
I get a "The Local Policy of this System does not permit you to logon interactively."

I'm able to log in to a client as an Admin on the domain, but when I try to access anything, it asks for a login and password. Hence I'm not able to get to any directory.

How can I get ADUC for a workstation? Is that something I can download?

I'm not sure if I want to try to restore the AD, as I'm not sure what the local admin password is; this system has been in place for a while and the people that built it are no longer here. I have the domain admin password, if that's the same?

Author Comment by: definitivenetworking
This is what I have done so far from the client, logged in as the Administrator...using ntrights.exe

NTRights -u Everyone -m \\ntmail +r SeInteractiveLogonRight
NTRights -u Everyone -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u Administrators -m \\ntmail +r SeInteractiveLogonRight
NTRights -u Administrators -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u Administrator -m \\ntmail +r SeInteractiveLogonRight
NTRights -u Administrator -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u "Domain User" -m \\ntmail +r SeInteractiveLogonRight
NTRights -u "Domain User" -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u "Domain Admins" -m \\ntmail +r SeInteractiveLogonRight
NTRights -u "Domain Admins" -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u "Domain Admin" -m \\ntmail +r SeInteractiveLogonRight
NTRights -u "Domain Admin" -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u IUSR_NTMAIL -m \\ntmail +r SeInteractiveLogonRight
NTRights -u IUSR_NTMAIL -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u IWAM_NTMAIL -m \\ntmail +r SeInteractiveLogonRight
NTRights -u IWAM_NTMAIL -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u Users -m \\ntmail +r SeInteractiveLogonRight
NTRights -u Users -m \\ntmail -r SeDenyInteractiveLogonRight

Author Comment by: definitivenetworking
When I try to use ADUC from another Win2000 Server on the network, I get Logon attempt failed. I'm on this server as Administrator for the domain.

Accepted Solution by: saito1 (LVL 3, earned 100 total points)
ok definitivenetworking,
first try:

1.  Restart the Windows 2000-based computer, and then run the Recovery Console.
2.  From the Recovery Console, type copy c:\winnt\repair\security c:\winnt\system32\config\security at the command prompt, and then press ENTER.
3.  At the command prompt, type exit, and then press ENTER to exit the Recovery Console and to restart the computer.
4.  Try to Log on locally to the computer.

if that does not work, then run these commands (+r: grants the right to a user or group)

ntrights.exe -m \\ntmail -u Administrators +r SeInteractiveLogonRight
ntrights.exe -m \\ntmail -u Administrator +r SeInteractiveLogonRight
ntrights.exe -m \\ntmail -u Administrators +r SeNetworkLogonRight
ntrights.exe -m \\ntmail -u "Domain Admins" +r SeInteractiveLogonRight
...
help about ntrights.exe options:
http://support.microsoft.com/default.aspx?scid=kb;en-us;279664&Product=win2000

hope this helps
Rgrds...
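The lockout in this thread comes from the two user-rights assignments that the ntrights.exe commands above edit: once the Administrators group is removed from SeInteractiveLogonRight, or added to SeDenyInteractiveLogonRight (a deny always wins over an allow), nobody in that group can log on at the domain controller's console, which is exactly the "Local Policy of this System does not permit you to logon interactively" message. The script below is an added example, not part of the thread and not a Microsoft tool, that audits those two assignments before a security policy is applied or after a lockout. It parses the INF that `secedit /export /cfg <file>` writes on the machine being checked; the INF text embedded in the script is a constructed sample standing in for that export, the domain SID inside it is made up, and the function names are this example's own.

```powershell
# Added example (not from the thread): audit a secedit export for user-rights
# assignments that would lock administrators out of interactive logon.
# Assumed input: the INF produced by `secedit /export /cfg C:\temp\secpol.inf`.
# The here-string below is a CONSTRUCTED sample of that format, not a real export.
$SampleExport = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1000000000-2000000000-3000000000-512
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Well-known identifiers: S-1-5-32-544 is BUILTIN\Administrators, S-1-5-32-545 is
# BUILTIN\Users, S-1-1-0 is Everyone; Domain Admins is the domain SID plus RID 512.
$AdminsSid      = 'S-1-5-32-544'
$DomainAdminRid = '-512'

# Parse only the [Privilege Rights] section into right-name -> list of SIDs.
# secedit writes each account SID with a leading '*', which is stripped here.
function Get-PrivilegeRights {
    param([string]$IniText)
    $rights    = @{}
    $inSection = $false
    foreach ($line in $IniText -split "`r?`n") {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $t -eq '' -or $t.StartsWith(';')) { continue }
        $name, $value = $t -split '\s*=\s*', 2
        $rights[$name] = @($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
    return $rights
}

# Report every condition under which the admin groups lose console logon.
# A right that is absent from a live export has no holders at all.
function Test-AdminLogonLockout {
    param([hashtable]$Rights)
    $allow    = $Rights['SeInteractiveLogonRight']
    $deny     = $Rights['SeDenyInteractiveLogonRight']
    $findings = @()
    if (-not ($allow -contains $AdminsSid)) {
        $findings += "SeInteractiveLogonRight does not grant BUILTIN\Administrators ($AdminsSid)"
    }
    if ($deny -contains $AdminsSid) {
        $findings += "SeDenyInteractiveLogonRight includes BUILTIN\Administrators ($AdminsSid); deny overrides allow"
    }
    foreach ($sid in $deny) {
        if ($sid -like "S-1-5-21-*$DomainAdminRid") {
            $findings += "SeDenyInteractiveLogonRight includes Domain Admins ($sid)"
        }
    }
    return $findings
}

$rights   = Get-PrivilegeRights -IniText $SampleExport
$findings = @(Test-AdminLogonLockout -Rights $rights)
if ($findings.Count -eq 0) {
    Write-Output 'OK: administrators keep interactive logon'
} else {
    $findings | ForEach-Object { Write-Output "LOCKOUT RISK: $_" }
}
```

To run it against a real machine, replace `$SampleExport` with `Get-Content -Raw` of the exported INF. The constructed sample trips all three checks: Administrators is missing from the allow list, and both Administrators and the made-up domain's Domain Admins sit in the deny list. Run the same check against the export from a domain controller before applying a Domain Controller Security Policy that touches "Log on locally" or "Deny log on locally", so the mistake is caught while there is still an admin session to fix it from.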

Author Comment by: definitivenetworking
Okay, this is what we had to do....

Remove hard drive from server, take it to another machine, make it a slave and boot up. Then we had to edit a file (can't remember which one) but it was deep inside the sysvol folder, then we replaced the security file that is in the winnt/config folder with one out of a saved directory...

I ended up calling Microsoft and with the help of two engineers and 6 hours later, we got it to work.

Thanks for everybody's help.

Expert Comment by: Stonewall45
I was having this exact problem after incorrectly setting some Domain Controller Security Policies.  Using the Recovery Console as posted by Saito1 (The accepted answer) fixed this problem for me.

This might be some information to add to that solution...

For the command:   copy c:\winnt\repair\security c:\winnt\system32\config\security
Use either "winnt"  or "windows" whatever your system root directory is.

After rebooting, I had to log on with the Administrator username and Password of the local machine and then rejoin that computer to the domain.  After that, the usual user was able to log back on normally.