Solved

Local system policy...can't login as admin..

Posted on 2004-08-18
Last Modified: 2010-05-18
help!

We have a win2000 domain server and I'm pretty sure that I messed up the GPO and now am unable to get into the server. I have tried to use the ntrights.exe from a computer on the network, but it's not working. I can't leave until I get this working and reinstalling and restoring is not an option. Does anyone have any ideas?
Question by:definitivenetworking
13 Comments
 
LVL 12

Assisted Solution

by:Gary Dewrell
Gary Dewrell earned 400 total points
ID: 11837874
Hi definitivenetworking,
See if this helps you any at all.
http://support.microsoft.com/default.aspx?scid=kb;it;263166

God Bless
0
 

Author Comment

by:definitivenetworking
ID: 11837891
I'm not even able to log into the server, can't access anything on the server whatsoever. But thanks for trying.
0
 
LVL 23

Assisted Solution

by:rhandels
rhandels earned 800 total points
ID: 11838394
0

 
LVL 3

Expert Comment

by:saito1
ID: 11838429
hi,

When you try to log in, what error do you get?
0
 
LVL 15

Expert Comment

by:Rob Stone
ID: 11839599
What GP did you configure that you think has locked you out?

Can you access anything from a client (files, etc)?
0
 
LVL 23

Assisted Solution

by:rhandels
rhandels earned 800 total points
ID: 11839684
Hi,

Try to start the machine by using the Active Directory Restore mode and log in using the Admin recovery account (if you have this password of course), then you might be able to restore the AD and change the password back. To start up using AD restore mode, press F8 during startup and choose AD Restore Mode.
0
 
LVL 6

Assisted Solution

by:youre1m
youre1m earned 400 total points
ID: 11840182
Create a new admin account on the server using ADUC from a workstation, but don't put the account in the Domain Admins group, just put it in Enterprise Admins, then try logging on with that account. You may find the Domain Admins group has been locked out from logging on interactively. It's happened to me and that has worked, I just haven't got round to figuring out why the Domain Admins group is locked out yet (it's only a test domain).
0
 

Author Comment

by:definitivenetworking
ID: 11841847
I get a "The Local Policy of this System does not permit you to logon interactively."

I'm able to log in to a client as an Admin on the domain, but when I try to access anything, it asks for a login and password. Hence I'm not able to get to any directory.

How can I get ADUC for a workstation, is that something I can download?

I'm not sure if I want to try to restore the AD, as I'm not for sure what the local admin password is, this system has been in place for a while and the people that built it are no longer here. I have the domain admin password if that's the same?
0
 

Author Comment

by:definitivenetworking
ID: 11841873
This is what I have done so far from the client, logged in as the Administrator...using ntrights.exe

NTRights -u Everyone -m \\ntmail +r SeInteractiveLogonRight
NTRights -u Everyone -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u Administrators -m \\ntmail +r SeInteractiveLogonRight
NTRights -u Administrators -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u Administrator -m \\ntmail +r SeInteractiveLogonRight
NTRights -u Administrator -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u Domain User -m \\ntmail +r SeInteractiveLogonRight
NTRights -u Domain User -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u Domain Admins -m \\ntmail +r SeInteractiveLogonRight
NTRights -u Domain Admins -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u Domain Admin -m \\ntmail +r SeInteractiveLogonRight
NTRights -u Domain Admin -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u IUSR_NTMAIL -m \\ntmail +r SeInteractiveLogonRight
NTRights -u IUSR_NTMAIL -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u IWAM_NTMAIL -m \\ntmail +r SeInteractiveLogonRight
NTRights -u IWAM_NTMAIL -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u Users -m \\ntmail +r SeInteractiveLogonRight
NTRights -u Users -m \\ntmail -r SeDenyInteractiveLogonRight
0
 

Author Comment

by:definitivenetworking
ID: 11843322
When I try to use ADUC from another Win2000 Server on the network, I get Logon attempt failed. I'm on this server as Administrator for the domain.
0
 
LVL 3

Accepted Solution

by:saito1
saito1 earned 400 total points
ID: 11849728
ok definitivenetworking,
first try:

1.  Restart the Windows 2000-based computer, and then run the Recovery Console.
2.  From the Recovery Console, type copy c:\winnt\repair\security c:\winnt\system32\config\security at the command prompt, and then press ENTER.
3.  At the command prompt, type exit, and then press ENTER to exit the Recovery Console and to restart the computer.
4.  Try to Log on locally to the computer.

If it does not work, then run the commands (+r: grants the rights to user or group)

ntrights.exe -m \\ntmail -u Administrators +r SeInteractiveLogonRight
ntrights.exe -m \\ntmail -u Administrator +r SeInteractiveLogonRight
ntrights.exe -m \\ntmail -u Administrators +r SeNetworkLogonRight
ntrights.exe -m \\ntmail -u "Domain Admins" +r SeInteractiveLogonRight
...
help about ntrights.exe options:
http://support.microsoft.com/default.aspx?scid=kb;en-us;279664&Product=win2000

Hope this helps
Rgrds...
0
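An added example, not part of the original thread: a check to run on a user-rights export before a policy change is applied, flagging the case where an administrator's token would be refused interactive logon because a deny entry matches it (deny overrides allow) or no allow entry matches. It assumes a full export made with `secedit /export /cfg rights.inf /areas USER_RIGHTS`; the sample policy text and the domain SID are constructed.

```python
# Added example: detect interactive-logon lockout in a [Privilege Rights] export.
# Assumption: inf_text is a complete secedit export (the file is usually
# UTF-16, so open it with encoding="utf-16" before passing the text in).
ALLOW = "SeInteractiveLogonRight"
DENY = "SeDenyInteractiveLogonRight"

def parse_privilege_rights(inf_text):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are exported with a leading '*'; unresolved names have none.
            rights[name.strip()] = {m.strip().lstrip("*").upper()
                                    for m in value.split(",") if m.strip()}
    return rights

def interactive_logon_findings(inf_text, token_sids):
    """token_sids: every SID in the account's token (user, groups, Everyone)."""
    rights = parse_privilege_rights(inf_text)
    token = {s.upper() for s in token_sids}
    findings = []
    denied = rights.get(DENY, set()) & token
    if denied:  # a single matching deny entry blocks logon
        findings.append("denied via " + ", ".join(sorted(denied)))
    if not rights.get(ALLOW, set()) & token:
        findings.append("no token SID holds " + ALLOW)
    return findings

# Constructed token for a domain administrator (domain SID is a placeholder).
ADMIN_TOKEN = ["S-1-5-21-1111111111-2222222222-3333333333-500",
               "S-1-5-21-1111111111-2222222222-3333333333-512",  # Domain Admins
               "S-1-5-32-544",   # BUILTIN\Administrators
               "S-1-1-0"]        # Everyone

# Constructed policy: Everyone was added to the deny right by mistake.
BROKEN = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0
SeInteractiveLogonRight = *S-1-5-32-544
SeDenyInteractiveLogonRight = *S-1-1-0
"""
FIXED = BROKEN.replace(DENY + " = *S-1-1-0", DENY + " = *S-1-5-32-546")

if __name__ == "__main__":
    print(interactive_logon_findings(BROKEN, ADMIN_TOKEN))
    print(interactive_logon_findings(FIXED, ADMIN_TOKEN))
```

An empty result means the token passes both checks; any finding is a reason to stop before the policy reaches a domain controller.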
 

Author Comment

by:definitivenetworking
ID: 11851443
Okay, this is what we had to do....

Remove hard drive from server, take it to another machine, make it a slave and boot up. Then we had to edit a file (can't remember which one) but it was deep inside the sysvol folder, then we replaced the security file that is in the winnt/config folder with one out of a saved directory...

I ended up calling Microsoft and with the help of two engineers and 6 hours later, we got it to work.

Thanks for everybody's help.
0
 

Expert Comment

by:Stonewall45
ID: 13938108
I was having this exact problem after incorrectly setting some Domain Controller Security Policies.  Using the Recovery Console as posted by Saito1 (The accepted answer) fixed this problem for me.

This might be some information to add to that solution...

For the command:   copy c:\winnt\repair\security c:\winnt\system32\config\security
Use either "winnt" or "windows", whatever your system root directory is.

After rebooting, I had to log on with the Administrator username and Password of the local machine and then rejoin that computer to the domain.  After that, the usual user was able to log back on normally.



 
0
