Solved

Domain admin account locked out on active directory server.

Posted on 2010-01-05
Last Modified: 2012-05-08
Local login error on server itself:
"Local policy of this system does not permit you to logon interactively"

Remote login error from authorized workstation:
"To logon to this remote computer, you must have Terminal Server user access permission on this computer"... yadda yadda yadda.


Now, before I get a lot of frivolous answers, this is happening to our DOMAIN ADMIN account... Not a Guest or some random User. In effect, I can no longer manage the AD.

Things you should know:

- It worked an hour ago and has worked many times prior
- Windows 2003 Server - primary controller
- First noticed it happen when I tried to add a computer to our domain (access denied)
- I have access to directory restore mode, but it seems useless since I can't actually manipulate domain-based policy settings or users within the directory
- No configuration changes have been made ON the server
- Recently, there have been a few computers added to AD remotely and we've been in the process of setting up images with ghost/sysprep for our workstations


Things I've noticed:
- Our domain admin account will still log in at any workstation already on the domain, but appears to be a limited user
- Since the problem started, the first time I logged in as the domain admin, it seemed like the account was 'reset'. It took a while to start up, 'personalized settings' etc.. Just like a fresh account normally would.


Things I've done:

- Logging in a million times

- I've tried manipulating gpedit.msc (Directory services restoration mode), but I haven't had any luck. I'm assuming even though it says "local policy" is the problem, it is actually the domain policy settings.

- Searched online a lot. I'm grasping at straws.
Question by:SimplyRick
12 Comments
 
Expert Comment

by:mmaris
ID: 26184842
 

Author Comment

by:SimplyRick
ID: 26184953
I can't log in remotely through terminal services, so I can't follow those instructions. Even if I try to be creative, it is simply not possible to access an account that has directory admin privileges.

Accepted Solution

by:
Justin Owens earned 750 total points
ID: 26185399
Can you access any other accounts with Domain Admin rights other than Domain Admin?

Author Comment

by:SimplyRick
ID: 26185517
Not at the moment -- and my guess is no -- although I'm waiting for the actual site administrator to get back to me and let me know. For now, all I have to work with is an AD admin account that can't actually log in.

Expert Comment

by:Justin Owens
ID: 26185546
How have you verified that it is locked out?

Author Comment

by:SimplyRick
ID: 26185670
I've tried adding a computer to the domain using the domain admin account: access denied.

Logging in with the domain admin at the server itself gives a policy error (see original post) and does not log in. Logging in as domain admin through terminal services tells me I don't have access because I'm not in the remote access group etc... It used to work just fine and no changes to the server have been made aside from adding a few comps to the domain.

This account is THE account that is used to login and make changes to the directory, server roles, settings etc...


Expert Comment

by:Justin Owens
ID: 26185735
Lovely... Do any other accounts have delegated access to add users to groups?

Assisted Solution

by:ARK-DS
ARK-DS earned 750 total points
ID: 26185742
Hello,

First thing we need to achieve is to log in to the box. Assuming that this is a DC and we cannot log in to it locally.
Try this:

Unplug the network cable from the DC and try logging in to the server. See if it allows you to log in with cached credentials. (I hope you have not disabled that).

Once you are able to log in to the server, see if you are able to do some administrative changes. In a command prompt, type "WhoAmI /all" and take the output.
Run GPRESULT and take the output.

Try and see if any group membership is missing from this user. If so, add that group back to the user's member of list.

I would also suggest creating one more administrator account to be on the safer side as soon as you log in to the server.

Regards,

Arun.
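
The checks Arun lists (account state, group membership, effective policy) gathered into one script, as an added example that is not part of the thread. Unlike whoami /all, which only reports the token of the session you are sitting in, this inspects the stuck account from whatever session you did manage to get, and reads the logon rights actually in force on the DC with secedit, so it can tell the two error messages in the question apart: "does not permit you to logon interactively" is the SeInteractiveLogonRight side (Allow/Deny log on locally), the Terminal Server message is SeRemoteInteractiveLogonRight (Allow/Deny log on through Terminal Services). It assumes the ActiveDirectory PowerShell module (RSAT, Server 2008 R2 or later; the 2003 DC in the question would not have had it) and secedit.exe; the account name is a parameter.

```powershell
# Added diagnostic script, not from the thread. Run in an elevated PowerShell on the
# DC from a session that works (cached credentials with the cable unplugged, or another
# admin account). Assumes the ActiveDirectory module and secedit.exe are available.
param([Parameter(Mandatory = $true)][string]$SamAccountName)

Import-Module ActiveDirectory

function Resolve-Sid([string]$Sid) {
    # Best-effort SID -> NAME\account for readable output; falls back to the raw SID
    try { (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }
}

# 1. Account state. Each of these produces a logon failure that is easy to mistake
#    for a policy problem.
$u = Get-ADUser -Identity $SamAccountName -Properties Enabled, LockedOut, AccountExpirationDate, PasswordExpired
"Enabled={0} LockedOut={1} PasswordExpired={2} Expires={3}" -f $u.Enabled, $u.LockedOut, $u.PasswordExpired, $u.AccountExpirationDate

# 2. Effective group membership as a logon token would carry it. tokenGroups includes
#    nested groups, which the "Member Of" tab in ADUC does not show.
$obj = [ADSI]"LDAP://$($u.DistinguishedName)"
$obj.psbase.RefreshCache(@('tokenGroups'))
$tokenSids = @(foreach ($raw in $obj.psbase.Properties['tokenGroups']) {
    (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
})
$tokenSids += $u.SID.Value   # the user's own SID is in the token too

$adminSids = @{
    'BUILTIN\Administrators (S-1-5-32-544)' = 'S-1-5-32-544'
    'Domain Admins (RID 512)'               = "$((Get-ADDomain).DomainSID.Value)-512"
}
foreach ($k in $adminSids.Keys) {
    if ($tokenSids -notcontains $adminSids[$k]) { Write-Warning "$SamAccountName is not a member (even nested) of $k" }
}

# 3. Logon rights actually in force on this DC. secedit exports the effective local
#    policy, i.e. whatever GPO won (normally Default Domain Controllers Policy), as
#    lines like:  SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

$checks = @(
    @{ Name = 'Allow log on locally';                   Right = 'SeInteractiveLogonRight';           Deny = $false },
    @{ Name = 'Deny log on locally';                    Right = 'SeDenyInteractiveLogonRight';       Deny = $true  },
    @{ Name = 'Allow log on through Terminal Services'; Right = 'SeRemoteInteractiveLogonRight';     Deny = $false },
    @{ Name = 'Deny log on through Terminal Services';  Right = 'SeDenyRemoteInteractiveLogonRight'; Deny = $true  }
)
foreach ($c in $checks) {
    $holders = $rights[$c.Right]
    $hit = @($holders | Where-Object { $tokenSids -contains $_ })
    $state = if ($hit.Count -gt 0) { 'YES via ' + (($hit | ForEach-Object { Resolve-Sid $_ }) -join ', ') } else { 'no' }
    # A missing Allow right or a matching Deny right explains the error in the question
    if (($c.Deny -and $hit.Count -gt 0) -or (-not $c.Deny -and $hit.Count -eq 0)) {
        Write-Warning ("{0}: {1}  <-- would produce the logon error" -f $c.Name, $state)
    } else {
        "{0}: {1}" -f $c.Name, $state
    }
}
```

Run it as `.\Check-Logon.ps1 -SamAccountName administrator` (script name is a placeholder). On a DC the Default Domain Controllers Policy grants Allow log on locally to Administrators, Account Operators, Backup Operators, Print Operators and Server Operators, and Allow log on through Terminal Services to Administrators, so an account that has fallen out of Domain Admins (and with it out of BUILTIN\Administrators) gets exactly the two errors in the question on the DC while still logging on to member workstations as an ordinary user.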

Author Comment

by:SimplyRick
ID: 26547326
I'm very sorry for the late response. Thank you for everyone who tried to help.

While I'm still unsure what happened, it appears there is only one answer to this question: You must have access to a domain administrator account. Local server admin accounts cannot make changes to the domain or domain users.

I lost a lot of time, but fortunately, there was another domain admin account, and I proceeded to create one for myself immediately afterward. Lesson learned. :-)


Author Closing Comment

by:SimplyRick
ID: 31673184
An answer wasn't necessarily provided, but they hit the nail on the head concerning the problem: It *appears* you must have access to another domain admin account. Thanks!

Expert Comment

by:nagit
ID: 33360895
Just wanted to pass along some info after I encountered the same problem.  Hopefully this will be beneficial to someone else looking at this.  I was able to log in to the DC in Safe Mode with Networking with the local admin account.  Ran the command  "net user <username> * /active:yes /DOMAIN", rebooted and was able to login.  The * in the command specifies that you want to change the password for the account, which I had to do, in my case.
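
nagit's `net user <username> * /active:yes /DOMAIN` repair and Arun's advice to create a second administrator account, as an added PowerShell example that is not from the thread. It assumes the ActiveDirectory module and a session that already has Domain Admin rights (a second admin account, or Safe Mode with the built-in Administrator as nagit used); the account and group names are placeholders.

```powershell
# Added recovery script, not from the thread. Run on a DC from a session that still
# has domain-level rights. Assumes the ActiveDirectory module; names are placeholders.
param(
    [Parameter(Mandatory = $true)][string]$Stuck,   # the account that can no longer log on
    [string]$BreakGlass = 'adm-breakglass',          # second, normally unused admin account
    [string]$AdminGroup = 'Domain Admins'
)
Import-Module ActiveDirectory

function Ensure-Member([string]$Group, [string]$Account) {
    # Add only when missing, so the script is safe to re-run
    $members = Get-ADGroupMember -Identity $Group -Recursive | Select-Object -ExpandProperty SamAccountName
    if ($members -notcontains $Account) {
        Add-ADGroupMember -Identity $Group -Members $Account
        "added $Account to $Group"
    }
}

# 1. Same effect as "net user <name> * /active:yes /DOMAIN": new password and enabled,
#    plus clearing any lockout flag, then putting the account back in the admin group.
#    On a DC, BUILTIN\Administrators membership (which Domain Admins carries) is what
#    grants "Allow log on locally" and "Allow log on through Terminal Services".
$pw = Read-Host "New password for $Stuck" -AsSecureString
Set-ADAccountPassword -Identity $Stuck -Reset -NewPassword $pw
Enable-ADAccount -Identity $Stuck
Unlock-ADAccount -Identity $Stuck
Ensure-Member -Group $AdminGroup -Account $Stuck

# 2. Break-glass account so that one stuck account can never lock you out of the
#    directory again. Keep it out of daily use, vault the password, and review every
#    logon with it (Security event 4624; 528/540 on Server 2003).
if (-not (Get-ADUser -Filter "SamAccountName -eq '$BreakGlass'")) {
    $bgpw = Read-Host "Password for $BreakGlass" -AsSecureString
    New-ADUser -Name $BreakGlass -SamAccountName $BreakGlass -AccountPassword $bgpw `
        -Enabled $true -PasswordNeverExpires $true `
        -Description 'Break-glass domain admin: emergency use only, every logon is reviewed'
}
Ensure-Member -Group $AdminGroup -Account $BreakGlass

# 3. Confirm the result before logging off the session that still works.
foreach ($acct in $Stuck, $BreakGlass) {
    $a = Get-ADUser -Identity $acct -Properties Enabled, LockedOut
    "{0}: Enabled={1} LockedOut={2}" -f $acct, $a.Enabled, $a.LockedOut
}
```

Do the confirmation step in the same session: once you log off the working account, the only proof that the repair took is a successful interactive logon, and if that fails you are back where the question started.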