Nirmal Sharma
asked on
Policy Setting Removed
Someone deleted policies from Default Domain Policy and now Server is not accessible remotely.
Access this computer from network - Noone added
Log on Locally - Noone added
Please let us know a command that can be run remotely to access the server remotely.
We have tried everything to access this server from network but to no avail
Help is highly appreciated
Thanks!
Access this computer from network - Noone added
Log on Locally - Noone added
Please let us know a command that can be run remotely to access the server remotely.
We have tried everything to access this server from network but to no avail
Help is highly appreciated
Thanks!
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Log on localy using the Administrator (real) account.
Run DCGPOFIX /domain from a CMD prompt.
Run DCGPOFIX /domain from a CMD prompt.
ASKER
nah...
Is there any way to access server remotely.
Server is in another location.
ADMIN$ share is alive and we can't map because the base of IPC$ and ADMIN$ share is *above policy setting* - *Access this computer from network* retreived by LSASS.exe process on local computer. I have heard of a SQL script that takes control of server remotely. Is it true?
Thanks for your advise!
Is there any way to access server remotely.
Server is in another location.
ADMIN$ share is alive and we can't map because the base of IPC$ and ADMIN$ share is *above policy setting* - *Access this computer from network* retreived by LSASS.exe process on local computer. I have heard of a SQL script that takes control of server remotely. Is it true?
Thanks for your advise!
Get yourself a copy of Dameware Utilities. You can push out the server-side service then connect using the Dameware Remote Control client. You'll be on the console then.
you can use also psexec
ASKER
Have tried it before posting over here...
Dameware utilities use ADMIN$ share to store service DLL on remote computer - thus require admin rights to perform this operation.
PSEXEC also does the same.
Dameware utilities use ADMIN$ share to store service DLL on remote computer - thus require admin rights to perform this operation.
PSEXEC also does the same.
then you will not be able to do much, get a car and go to the remote location
ASKER
NM,
What do you say?
What do you say?
Yes, you require Admin rights to install Dameware Remote service - I'm not certain where it connects to - it may be the IPC$ share which shouldn't be blocked regardless of what policy has been set as long as you use the local Admin account.
Give it a shot if you haven't already.
If it doesn't work, can you attach to an iLO? You can hook the console if you have a remote access card in this thing.
Give it a shot if you haven't already.
If it doesn't work, can you attach to an iLO? You can hook the console if you have a remote access card in this thing.
ASKER
Sorry to be unclear...
Already tried that...and also don't have an ILO attached.
I already have admin rights. The only problem is these two policy settings:
*Access this computer from network*
*Log on Locally*
These policy settings are controlled by LSASS.exe (Local Security Authority) and SRM. These policy settings on DC are in effect and flags for policies are already set in AD Security. LSASS.exe sits over top of any other network process.
So when anyone tries to access this computer from network the security policy settings are processed by LSASS.exe - just to check whether the requested operation can be performed or not.
I tried using the following following commands:
psexec.exe -u COMPUTER_NAME\user_name -p Password \\computer_name ntrights.exe ------------- to make necessary changes
psexec.exe -u DOMAIN_NAME\user_name -p Password \\computer_name ntrights.exe ------------- to make necessary changes
Already tried that...and also don't have an ILO attached.
I already have admin rights. The only problem is these two policy settings:
*Access this computer from network*
*Log on Locally*
These policy settings are controlled by LSASS.exe (Local Security Authority) and SRM. These policy settings on DC are in effect and flags for policies are already set in AD Security. LSASS.exe sits over top of any other network process.
So when anyone tries to access this computer from network the security policy settings are processed by LSASS.exe - just to check whether the requested operation can be performed or not.
I tried using the following following commands:
psexec.exe -u COMPUTER_NAME\user_name -p Password \\computer_name ntrights.exe ------------- to make necessary changes
psexec.exe -u DOMAIN_NAME\user_name -p Password \\computer_name ntrights.exe ------------- to make necessary changes
ASKER
STATUS_LOGON_TYPE_NOT_GRAN TED message returned by Network Monitor.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I had to visit on-site to resolve this problem.
after resotring them you might find the the default domain policy and default DC policy is modified and you might want to restore them
follow this article
http://support.microsoft.com/kb/555647
then follow this
http://support.microsoft.com/kb/833783
good luck