Domain admin account locked out on active directory server.
Posted on 2010-01-05
Local login error on server itself:
"Local policy of this system does not permit you to logon interactively"
Remote login error from authorized workstation:
"To logon to this remote computer, you must have Terminal Server user access permission on this computer"... yadda yadda yadda.
Now, before I get a lot of frivolous answers, this is happening to our DOMAIN ADMIN account... Not a Guest or some random User. In effect, I can no longer manage the AD.
Things you should know:
- It worked an hour ago and has worked many times prior
- Windows 2003 Server - primary controller
- First noticed it happen when I tried to add a computer to our domain (access denied)
- I have access to directory restore mode, but it seems useless since I can't actually manipulate domain-based policy settings or users within the directory
- No configuration changes have been made ON the server
- Recently, there have been a few computers added to AD remotely and we've been in the process of setting up images with ghost/sysprep for our workstations
Things I've noticed:
- Our domain admin account will still log in at any workstation already on the domain, but appears to be a limited user
- Since the problem started, the first time I logged in as the domain admin, it seemed like the account was 'reset'. It took a while to start up, 'personalized settings' etc. Just like a fresh account normally would.
Things I've done:
- Logging in a million times
- I've tried manipulating gpedit.msc (Directory Services Restore Mode), but I haven't had any luck. I'm assuming that even though it says "local policy" is the problem, it is actually the domain policy settings.
- Searched online a lot. I'm grabbing straws.
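The two error messages in the post map to specific user rights: "does not permit you to logon interactively" is the SeInteractiveLogonRight / SeDenyInteractiveLogonRight pair, and the Terminal Server message is the SeRemoteInteractiveLogonRight / SeDenyRemoteInteractiveLogonRight pair. On a domain controller those rights are set by the Default Domain Controllers Policy, not the console's local policy, so the first thing to check is whether the account lost its group memberships or whether the applied policy lost (or denied) the right. The script below is an added diagnostic example, not something from the original post; it assumes PowerShell 2.0 is available, that it runs in normal mode (the directory is not readable in DSRM) from an elevated prompt on the domain controller, and that the account name `Administrator` is a placeholder for the affected domain admin.

```powershell
# Added diagnostic example (not from the original post). Assumes: PowerShell 2.0,
# normal boot (not DSRM), elevated prompt on the DC, and an account that can still
# read the directory. $sam is a placeholder for the affected domain admin.
$sam = 'Administrator'

# --- 1. Directory view of the account: disabled flag, lockout, group membership ---
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$sam))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@(
    'distinguishedName', 'memberOf', 'primaryGroupID', 'userAccountControl', 'lockoutTime'))
$hit = $searcher.FindOne()
if (-not $hit) { throw "No account named $sam found in the current domain" }
$p       = $hit.Properties
$uac     = [int]$p['useraccountcontrol'][0]
$lockout = [long]$p['lockouttime'][0]          # absent or 0 when the account is not locked

Write-Host "Account    : $($p['distinguishedname'][0])"
Write-Host "Disabled   : $(($uac -band 0x2) -ne 0)"   # 0x2 = ACCOUNTDISABLE
Write-Host "Locked out : $($lockout -gt 0)"
Write-Host "Primary GID: $($p['primarygroupid'][0])  (513 = Domain Users, 512 = Domain Admins)"
Write-Host "memberOf   :"
foreach ($g in $p['memberof']) { Write-Host "  $g" }
# The built-in Administrator normally has primary group 513 and is a *member* of Domain
# Admins (RID 512) via memberOf. If no Domain Admins entry is listed, the account lost the
# rights together with the membership, and the logon-right output below is a symptom only.

# --- 2. Local view: which SIDs hold, or are denied, the interactive logon rights ---
# secedit exports the *effective* rights on this machine; on a DC they come from the
# Default Domain Controllers Policy, so this shows what the last applied GPO contained.
$inf = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = @('SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight',
            'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight')

foreach ($line in Get-Content $inf) {
    if ($line -match '^(?<name>Se\w+)\s*=\s*(?<sids>.*)$' -and $rights -contains $matches['name']) {
        Write-Host "$($matches['name']):"
        foreach ($entry in $matches['sids'].Split(',')) {
            $s = $entry.Trim().TrimStart('*')     # secedit writes SIDs as *S-1-5-...
            if (-not $s) { continue }
            if ($s -match '^S-1-') {
                try {
                    $who = (New-Object System.Security.Principal.SecurityIdentifier($s)
                           ).Translate([System.Security.Principal.NTAccount]).Value
                } catch { $who = '(unresolved SID)' }
            } else {
                $who = $s                          # already an account name in the export
            }
            Write-Host ("  {0,-45} {1}" -f $s, $who)
        }
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

Read the output in this order: if Domain Admins is missing from `memberOf`, the account was removed from the group (or the group was emptied) and any workstation will treat it as a plain user, which matches the "limited user" behaviour described above; if the membership is intact but the Domain Admins or Administrators SID is absent from `SeInteractiveLogonRight`, or present in one of the `SeDeny...` lines, the Default Domain Controllers Policy was changed and `gpresult /v` on the DC will name the GPO that applied it. Without PowerShell the same two checks are `net user Administrator /domain` for the memberships and `secedit /export /cfg rights.inf /areas USER_RIGHTS` for the rights.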