• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 478
  • Last Modified:

2008 r2 denies local login

I had all users showing on the server login screen so I did the following.

1. Select Local Security Policy from Administrative Tools.
2. Expand Local Policies.
3. Select User Rights Assignment.
4. Double-click Deny log on locally to display dialog.
5. Add users or groups.
6. Click OK to save.
7. Reboot.

Then I tested and the 3 users did not show then rebooted and all was well.

Then to hide all users I accedentally put everyone as clear all users except Administrator.

It the would not allow local users to access the server.
The server is not a domain and no remote acces had been setup

Can you help ??

Dan Landry
3 Solutions
yo_beeDirector of Information TechnologyCommented:
EDIT:  Did not read it completely.  Please ignore my suggestion.

You can try to RDP to the machine and access it that way.
Do you have RDP enabled.
yo_beeDirector of Information TechnologyCommented:
You can try Safe Mode boot and see if that works.
Also if this a production machine?
DanielBLandryAuthor Commented:
Tried safe mode and got the option go to safe mode then continued and started normally.
So I cannot login.  This is a production machine so I am in bad way.

Dan Landry
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Have you tried reboot into the last known good configuration?

Do you have a recent backup?
Is the built-in firewall or another firewall enabled on the computer?

If not, perhaps you can open up the registry remotely from another computer and enable terminal services?

There is a key HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections. This is set to 1 if RD is disabled. 0 for enabled.

Otherwise, there is a program that Microsoft published called NTRights.exe (http://support.microsoft.com/kb/315276) but to be honest, I don't have an environment to give this a shot in, but the command might look like this:

ntrights -u Everyone -m \\computername -r SeDenyInteractiveLogonRight

I've never played with this before, so you might need to fine tune that, but from the commandline help file, this should remove the Everyone group from the Deny Interactive Logon Right. Also, I don't know if this program will work with a firewall enabled as well.
yo_beeDirector of Information TechnologyCommented:
Can this server be restarted?
Do you have the ability to connect to the server HKLM hive?
if so there is a means to getting to GPEDIT.MSC

Connect to the HKLM\SYSTEM\STARTUP  and change startupType = 2 and CmdLine to cmd.exe  
Reboot and this will get you to a command prompt and it will be like it running for the first time.
In the CMD enter GPEDIT.MSC and modify the settings for Logon Locally

I just tested this on a server in my Lab and it worked.
Not sure how it is going since you haven't responded back yet.

But just for future reference, in order to remove the user icons from the login screen, you need to disable Do not require CTRL-ALT-DEL to Logon Policy.

This is located at Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive Logon: Do not require CTRL+ALT+DEL and set this to Disable.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now