SimplyRick asked:
Domain admin account locked out on active directory server.

Local login error on server itself:
"Local policy of this system does not permit you to logon interactively"

Remote login error from authorized workstation:
"To logon to this remote computer, you must have Terminal Server user access permission on this computer"... yadda yadda yadda.


Now, before I get a lot of frivolous answers, this is happening to our DOMAIN ADMIN account... Not a Guest or some random User. In effect, I can no longer manage the AD.

Things you should know:

- It worked an hour ago and has worked many times prior
- Windows 2003 Server - primary controller
- First noticed it happen when I tried to add a computer to our domain (access denied)
- I have access to directory restore mode, but it seems useless since I can't actually manipulate domain-based policy settings or users within the directory
- No configuration changes have been made ON the server
- Recently, there have been a few computers added to AD remotely and we've been in the process of setting up images with ghost/sysprep for our workstations


Things I've noticed:
- Our domain admin account will still log in at any workstation already on the domain, but appears to be a limited user
- Since the problem started, the first time I logged in as the domain admin, it seemed like the account was 'reset'. It took a while to start up, 'personalized settings' etc.. Just like a fresh account normally would.


Things I've done:

- Logging in a million times

- I've tried manipulating gpedit.msc (Directory Services Restore Mode), but I haven't had any luck. I'm assuming even though it says "local policy" is the problem, it is actually the domain policy settings.

- Searched online a lot. I'm grabbing straws.
Plano Tech:

SimplyRick (ASKER):
I can't log in remotely through terminal services, so I can't follow those instructions. Even if I try to be creative, it is simply not possible to access an account that has directory admin privileges.
ASKER CERTIFIED SOLUTION (Justin Owens)
Not at the moment -- and my guess is no -- although I'm waiting for the actual site administrator to get back to me and let me know. For now, all I have to work with is an AD admin account that can't actually log in.
How have you verified that it is locked out?
I've tried adding a computer to the domain using the domain admin account: access denied.

Logging in with the domain admin at the server itself gives a policy error (see original post) and does not log in. Logging in as domain admin through terminal services tells me I don't have access because I'm not in the remote access group etc... It used to work just fine and no changes to the server have been made aside from adding a few comps to the domain.

This account is THE account that is used to login and make changes to the directory, server roles, settings etc...

Lovely... Do any other accounts have delegated access to add users to groups?
SOLUTION
I'm very sorry for the late response. Thank you for everyone who tried to help.

While I'm still unsure what happened, it appears there is only one answer to this question: You must have access to a domain administrator account. Local server admin accounts cannot make changes to the domain or domain users.

I lost a lot of time, but fortunately, there was another domain admin account, and I proceeded to create one for myself immediately afterward. Lesson learned. :-)

An answer wasn't necessarily provided, but they hit the nail on the head concerning the problem: It *appears* you must have access to another domain admin account. Thanks!
Just wanted to pass along some info after I encountered the same problem. Hopefully this will be beneficial to someone else looking at this. I was able to log in to the DC in Safe Mode with Networking with the local admin account. Ran the command "net user <username> * /active:yes /DOMAIN", rebooted and was able to log in. The * in the command specifies that you want to change the password for the account, which I had to do, in my case.
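The two error messages quoted in the question map to specific user-rights assignments (SeInteractiveLogonRight / SeDenyInteractiveLogonRight for "does not permit you to logon interactively", SeRemoteInteractiveLogonRight / SeDenyRemoteInteractiveLogonRight for the Terminal Server message), and the account itself may also be disabled or locked out in the directory. The diagnostic below is an added example, not code posted in this thread; it assumes an elevated Windows PowerShell session on the DC (or a domain-joined admin host that can reach it), that secedit writes SIDs rather than names as it normally does, and a hypothetical account name passed as `-SamAccountName`.

```powershell
# Added diagnostic for the symptoms in this thread; not code from the thread.
# Assumes an elevated Windows PowerShell session on the DC (or a domain-joined
# admin host that can reach it). Run once with an account that can still log on.
param([Parameter(Mandatory = $true)][string]$SamAccountName)   # e.g. 'Administrator' (placeholder)

# 1. Directory view of the account: disabled bit and lockout.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
$hit = $searcher.FindOne()
if (-not $hit) { throw "No account '$SamAccountName' in this domain." }
$uac  = [int]$hit.Properties['useraccountcontrol'][0]
$lock = 0L
if ($hit.Properties['lockouttime'].Count) { $lock = [int64]$hit.Properties['lockouttime'][0] }
"Disabled (ADS_UF_ACCOUNTDISABLE): $(($uac -band 0x2) -ne 0)"
"Locked out:                      $($lock -gt 0)"

# 2. Every SID the account carries in its token: its own SID plus tokenGroups
#    (nested group membership resolved by the DC), so rights granted via groups count.
$entry = $hit.GetDirectoryEntry()
$entry.RefreshCache(@('tokenGroups'))
$sids = @((New-Object System.Security.Principal.SecurityIdentifier($hit.Properties['objectsid'][0], 0)).Value)
foreach ($raw in $entry.Properties['tokenGroups']) {
    $sids += (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
}

# 3. User-rights assignment as actually applied on this machine (domain GPO included),
#    exported by secedit. Lines look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $inf -Encoding Unicode) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item $inf

# 4. The rights behind the two errors quoted in the question. A "YES" on a Deny right,
#    or a "no" on the matching Allow right, explains the message; a Deny always wins.
foreach ($r in 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight',
               'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    $via   = @($rights[$r] | Where-Object { $sids -contains $_ })
    $state = if ($via.Count) { "YES (via $($via -join ', '))" } else { 'no' }
    "{0,-36} {1}" -f $r, $state
}
```

If the account is neither disabled nor locked out and holds the Allow rights but no Deny rights, look instead at the RDP-Tcp connection permissions and at which GPO last wrote the rights (gpresult on the DC), since a domain policy overrides whatever gpedit.msc shows locally.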