Solved

Policy Setting Removed

Posted on 2006-11-21
16
374 Views
Last Modified: 2010-05-18
Someone deleted policies from Default Domain Policy and now Server is not accessible remotely.

Access this computer from network  - Noone added
Log on Locally  - Noone added

Please let us know a command that can be run remotely to access the server remotely.

We have tried everything to access this server from network but to no avail

Help is highly appreciated

Thanks!
0
Comment
Question by:Nirmal Sharma
  • 6
  • 4
  • 4
  • +1
16 Comments
 
LVL 9

Assisted Solution

by:gopal_krishna
gopal_krishna earned 50 total points
ID: 17985681
If this is the case only administrator can login to the machine. do you have an admin account. then you would be able to access it.

cheers
Gopal K
0
 
LVL 33

Assisted Solution

by:Busbar
Busbar earned 150 total points
ID: 17985738
i think that booting from the directoiry service restore mode
then recover the policy as in this page
http://support.microsoft.com/kb/267553
0
 
LVL 33

Expert Comment

by:Busbar
ID: 17985746
adding:
after resotring them you might find the the default domain policy and default DC policy is modified and you might want to restore them
follow this article
http://support.microsoft.com/kb/555647
then follow this
http://support.microsoft.com/kb/833783
good luck
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 51

Expert Comment

by:Netman66
ID: 17987563
Log on localy using the Administrator (real) account.

Run DCGPOFIX /domain from a CMD prompt.

0
 
LVL 35

Author Comment

by:Nirmal Sharma
ID: 17991832
nah...

Is there any way to access server remotely.

Server is in another location.

ADMIN$ share is alive and we can't map because the base of IPC$ and ADMIN$ share is *above policy setting* - *Access this computer from network* retreived by LSASS.exe process on local computer. I have heard of a SQL script that takes control of server remotely. Is it true?

Thanks for your advise!
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17992281
Get yourself a copy of Dameware Utilities.  You can push out the server-side service then connect using the Dameware Remote Control client.  You'll be on the console then.

0
 
LVL 33

Expert Comment

by:Busbar
ID: 17992884
you can use also psexec
0
 
LVL 35

Author Comment

by:Nirmal Sharma
ID: 17993144
Have tried it before posting over here...

Dameware utilities use ADMIN$ share to store service DLL on remote computer - thus require admin rights to perform this operation.

PSEXEC also does the same.
0
 
LVL 33

Expert Comment

by:Busbar
ID: 17993190
then you will not be able to do much, get a car and go to the remote location
0
 
LVL 35

Author Comment

by:Nirmal Sharma
ID: 17993390
NM,

What do you say?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17993467
Yes, you require Admin rights to install Dameware Remote service - I'm not certain where it connects to - it may be the IPC$ share which shouldn't be blocked regardless of what policy has been set as long as you use the local Admin account.

Give it a shot if you haven't already.

If it doesn't work, can you attach to an iLO?  You can hook the console if you have a remote access card in this thing.

0
 
LVL 35

Author Comment

by:Nirmal Sharma
ID: 18000901
Sorry to be unclear...

Already tried that...and also don't have an ILO attached.

I already have admin rights. The only problem is these two policy settings:

*Access this computer from network*
*Log on Locally*

These policy settings are controlled by LSASS.exe (Local Security Authority) and SRM. These policy settings on DC are in effect and flags for policies are already set in AD Security. LSASS.exe sits over top of any other network process.

So when anyone tries to access this computer from network the security policy settings are processed by LSASS.exe - just to check whether the requested operation can be performed or not.

I tried using the following following commands:

psexec.exe -u COMPUTER_NAME\user_name -p Password \\computer_name ntrights.exe ------------- to make necessary changes

psexec.exe -u DOMAIN_NAME\user_name -p Password \\computer_name ntrights.exe ------------- to make necessary changes
0
 
LVL 35

Author Comment

by:Nirmal Sharma
ID: 18000919
STATUS_LOGON_TYPE_NOT_GRANTED message returned by Network Monitor.
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 300 total points
ID: 18004285
Since the policy is a file itself, then you should be able to boot to the Recovery Console and change permissions on the folder where this resides - it would be in Sysvol\Sysvol\Policies.

If you can remove Read permissions for Authenticated Users - or maybe even Deny it, then you should be able to boot (with errors) into the OS long enough to clean it up.

Let me know.
0
 
LVL 35

Author Comment

by:Nirmal Sharma
ID: 18409711
I had to visit on-site to resolve this problem.
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs,…
Scenerio: You have a server running Server 2003 and have applied a retail pack of Terminal Server Licenses.  You want to change servers or your server has crashed and you need to reapply the Terminal Server Licenses. When you enter the 16-digit lic…
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question