Solved

Local system policy...can't login as admin..

Posted on 2004-08-18
Last Modified: 2010-05-18
help!

We have a win2000 domain server and I'm pretty sure that I messed up the GPO and now am unable to get into the server. I have tried to use the ntrights.exe from a computer on the network, but it's not working. I can't leave until I get this working and reinstalling and restoring is not an option. Does anyone have any ideas?
Question by:definitivenetworking
13 Comments
 
LVL 12

Assisted Solution

by:Gary Dewrell
Gary Dewrell earned 100 total points
ID: 11837874
Hi definitivenetworking,
See if this helps you any at all.
http://support.microsoft.com/default.aspx?scid=kb;it;263166

God Bless
0
 

Author Comment

by:definitivenetworking
ID: 11837891
I'm not even able to log into the server, can't access anything on the server whatsoever. But thanks for trying.
0
 
LVL 23

Assisted Solution

by:rhandels
rhandels earned 200 total points
ID: 11838394
0

 
LVL 3

Expert Comment

by:saito1
ID: 11838429
Hi,

When you try to log in, what error do you get?
0
 
LVL 15

Expert Comment

by:Rob Stone
ID: 11839599
What GP did you configure that you think has locked you out?

Can you access anything from a client (files, etc)?
0
 
LVL 23

Assisted Solution

by:rhandels
rhandels earned 200 total points
ID: 11839684
Hi,

Try to start the machine by using the Active Directory Restore mode and log in using the Admin recovery account (if you have this password, of course), then you might be able to restore the AD and change the password back. To start up using AD restore mode, press F8 during startup and choose AD Restore Mode.
0
 
LVL 6

Assisted Solution

by:youre1m
youre1m earned 100 total points
ID: 11840182
Create a new admin account on the server using ADUC from a workstation, but don't put the account in the domainadmins group, just put it in enterprise admins, and try logging on with that account. You may find the domain admins group has been locked out from logging on interactively. It's happened to me and that has worked, I just haven't got round to figuring out why the domain admin group is locked out yet (it's only a test domain).
0
 

Author Comment

by:definitivenetworking
ID: 11841847
I get a "The Local Policy of this System does not permit you to logon interactively."

I'm able to log in to a client as an Admin on the domain, but when I try to access anything, it asks for a login and password. Hence I'm not able to get to any directory.

How can I get ADUC for a workstation, is that something I can download?

I'm not sure if I want to try to restore the AD, as I'm not sure what the local admin password is. This system has been in place for a while and the people that built it are no longer here. I have the domain admin password, if that's the same?
0
 

Author Comment

by:definitivenetworking
ID: 11841873
This is what I have done so far from the client, logged in as the Administrator...using ntrights.exe

NTRights -u Everyone -m \\ntmail +r SeInteractiveLogonRight
NTRights -u Everyone -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u Administrators -m \\ntmail +r SeInteractiveLogonRight
NTRights -u Administrators -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u Administrator -m \\ntmail +r SeInteractiveLogonRight
NTRights -u Administrator -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u Domain User -m \\ntmail +r SeInteractiveLogonRight
NTRights -u Domain User -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u Domain Admins -m \\ntmail +r SeInteractiveLogonRight
NTRights -u Domain Admins -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u Domain Admin -m \\ntmail +r SeInteractiveLogonRight
NTRights -u Domain Admin -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u IUSR_NTMAIL -m \\ntmail +r SeInteractiveLogonRight
NTRights -u IUSR_NTMAIL -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u IWAM_NTMAIL -m \\ntmail +r SeInteractiveLogonRight
NTRights -u IWAM_NTMAIL -m \\ntmail -r SeDenyInteractiveLogonRight
NTRights -u Users -m \\ntmail +r SeInteractiveLogonRight
NTRights -u Users -m \\ntmail -r SeDenyInteractiveLogonRight
0
 

Author Comment

by:definitivenetworking
ID: 11843322
When I try to use ADUC from another Win2000 Server on the network, I get Logon attempt failed. I'm on this server as Administrator for the domain.
0
 
LVL 3

Accepted Solution

by:saito1
saito1 earned 100 total points
ID: 11849728
ok definitivenetworking,
first try:

1.  Restart the Windows 2000-based computer, and then run the Recovery Console.
2.  From the Recovery Console, type copy c:\winnt\repair\security c:\winnt\system32\config\security at the command prompt, and then press ENTER.
3.  At the command prompt, type exit, and then press ENTER to exit the Recovery Console and to restart the computer.
4.  Try to Log on locally to the computer.

If it does not work, then run the commands (+r: grants the rights to user or group)

ntrights.exe -m \\ntmail -u Administrators +r SeInteractiveLogonRight
ntrights.exe -m \\ntmail -u Administrator +r SeInteractiveLogonRight
ntrights.exe -m \\ntmail -u Administrators +r SeNetworkLogonRight
ntrights.exe -m \\ntmail -u "Domain Admins" +r SeInteractiveLogonRight
...
help about ntrights.exe options:
http://support.microsoft.com/default.aspx?scid=kb;en-us;279664&Product=win2000

Hope this helps.
Rgrds...
0
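The logon error quoted in this thread is governed by the two user rights the answers keep returning to, SeInteractiveLogonRight and SeDenyInteractiveLogonRight. As an added example (not part of the original thread or any poster's code), this Python check reads a security template in INF format and flags assignments that would keep administrators from logging on interactively, so a policy can be reviewed before it is applied. It assumes the policy is available as such a template with a [Privilege Rights] section; the sample templates and function names are constructed for illustration.

```python
import re

ADMINISTRATORS = "S-1-5-32-544"
# Broad well-known principals; denying any of these also denies administrators.
BROAD = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
         "S-1-5-32-545": "Users", ADMINISTRATORS: "Administrators"}
NAME_TO_SID = {name.lower(): sid for sid, name in BROAD.items()}

# Constructed sample templates (not taken from the thread).
BAD_TEMPLATE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-551
SeDenyInteractiveLogonRight = *S-1-1-0,*S-1-5-21-1111111111-2222222222-3333333333-512
"""
GOOD_TEMPLATE = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeDenyInteractiveLogonRight = Guest
"""

def normalise(principal):
    """Turn '*S-1-...' or a bare well-known name into a comparable SID string."""
    p = principal.strip().strip('"')
    return p[1:].upper() if p.startswith("*") else NAME_TO_SID.get(p.lower(), p)

def parse_privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section only."""
    rights, in_section = {}, False
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line and not line.startswith(";"):
            right, _, value = line.partition("=")
            rights[right.strip()] = [normalise(p) for p in value.split(",") if p.strip()]
    return rights

def is_domain_admins(p):
    """Domain Admins is RID 512 under the domain SID, or the bare group name."""
    return bool(re.fullmatch(r"S-1-5-21(-\d+){3}-512", p)) or p.lower() == "domain admins"

def lockout_findings(inf_text):
    """List assignments that would stop administrators logging on interactively."""
    rights, findings = parse_privilege_rights(inf_text), []
    allow = rights.get("SeInteractiveLogonRight")
    if allow is not None and ADMINISTRATORS not in allow:  # defined, admins absent
        findings.append("SeInteractiveLogonRight is defined without Administrators")
    for p in rights.get("SeDenyInteractiveLogonRight", []):  # deny overrides allow
        if p in BROAD or is_domain_admins(p):
            findings.append("SeDenyInteractiveLogonRight includes " + BROAD.get(p, "Domain Admins"))
    return findings
```

A right that does not appear in the section is treated as not defined and is not flagged; only an explicit assignment is checked.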
 

Author Comment

by:definitivenetworking
ID: 11851443
Okay, this is what we had to do....

Remove hard drive from server, take it to another machine, make it a slave and boot up. Then we had to edit a file (can't remember which one) but it was deep inside the sysvol folder, then we replaced the security file that is in the winnt/config folder with one out of a saved directory...

I ended up calling Microsoft and with the help of two engineers and 6 hours later, we got it to work.

Thanks for everybody's help.
0
 

Expert Comment

by:Stonewall45
ID: 13938108
I was having this exact problem after incorrectly setting some Domain Controller Security Policies.  Using the Recovery Console as posted by Saito1 (The accepted answer) fixed this problem for me.

This might be some information to add to that solution...

For the command:   copy c:\winnt\repair\security c:\winnt\system32\config\security
Use either "winnt"  or "windows" whatever your system root directory is.

After rebooting, I had to log on with the Administrator username and Password of the local machine and then rejoin that computer to the domain.  After that, the usual user was able to log back on normally.



 
0
