Cannot login into my own windows server, not via RDC, not locally

I wanted to restrict users to install software, we have a Windows 2011 SBS, and I added the administrators gruop to the Restricted Groups, as I found out on a webpage, but after I did that, I cannot log on locally, not via rdc, and not even the users can log in on their Windows 7 computers...

What can I do?????
LVL 2
marpanetAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Natty GregIn Theory (IT)Commented:
lol, login locally into the computer itself and then change the administrator privilege locally, then login to dc and remove admin from restricted group. you have about 120 sec from login in to change admin from restrict, cause the policy will also restrict the computer. then you're sol
0
marpanetAuthor Commented:
The problem is that I cannot log in locally, only if I go to active directory recovery mode...  If I enter normally, it won't let me in...  Windows won't let me log in locally..
0
marpanetAuthor Commented:
Can you detail it more the part where " login locally into the computer itself and then change the administrator privilege locally".. please!!!
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Adam RayCommented:
I don't know if this will work--actually I suspect it won't--but it's easy and is worth a shot.

Log into a workstation using a regular domain user account.

Download psexec from live.sysinternals.com

Open a command prompt and run

psexec \\serverName -e -h -u [domain]\[administratorUser] net group "Restricted Groups" Administrators /del

or try

runas /user:[domain]\[administratorUser] /netonly psexec \\serverName -s net group "Restricted Groups" administrators /del

This will attempt to create a session (a bit different than a full logon) on the server and remove "Administrators" from the "Restricted Groups" group in Active Directory.

If it seems like you might be getting somewhere you can try reading the documentation on runas (Windows utility) and psexec (Sysinternals utility, now owned by Microsoft) to experiment with different flags. But be aware, when/if this works you will have as much/more rights as if you were running commands on the server console itself, so you can shoot yourself in the foot (again) just as easily as if you were working right on the server.
0
WORKS2011Austin Tech CompanyCommented:
Can you detail it more the part where " login locally into the computer itself and then change the administrator privilege locally".. please!!!
when you log into the server rather than log in with domain\username then password try computername\username then password. This will log you on locally.
0
marpanetAuthor Commented:
I will try that..
Can I copy from an old backup a specific folder, or registry so the group policy can be changed back as the way it was????
0
marpanetAuthor Commented:
Works2011, I did log in locally as you said, but I am lost on the part "change the administrator privilege locally" and in the part "then login to dc and remove admin from restricted group".

can you help me?
0
WORKS2011Austin Tech CompanyCommented:
Do you have any admin account(s) running services you can remember? For example you would create the user "CSE" for Cloudmark as an administrator for the spam filter to run. If you know any of the names created to run a service as administrator you could log on with it and go to active directory to change the restricted group.
0
marpanetAuthor Commented:
I remember I had one, for the BlackBerry services, tried the user and password, and the same error...  could not log in..
0
marpanetAuthor Commented:
I found a folder in %systemroot%\windows\sysvol\domain, in there, I can see that I have many folders, all of them have created date from the day I installed Windows (3 years ago), and I have one folder with a created date of today, at the same time I created that policy that kick me out..... what happens if I manage to delete that carpet?, will the policy that I created will be deleted??
0
WORKS2011Austin Tech CompanyCommented:
If you delete anything in sysvol you better have a good backup.

I think I was tired last night regarding the admin account, sorry, if you created a policy with restrictions and added the administration group I believe you may have locked yourself out.

To me even if you change the password on the admin account, any of them they are still restricted from a group standpoint.
0
WORKS2011Austin Tech CompanyCommented:
How many users on the server? What type of drive configuration? Do you have a backup in place?
0
marpanetAuthor Commented:
20..... only one domain controller... it´s a windows 2011 sbs...
the backup drive it appeared as if it was working, but when trying to restore, the backup drive was toasted ( i know......), I have a four month backup which I will restore....

I will have to create all the new account, export from edb to pst and import each user their mailbox...  haven´t found another way..
0
WORKS2011Austin Tech CompanyCommented:
Do you mind posting the article that recommended what you did? Maybe some good to come out of this is preventing that article to create any problems for others in the future. I know it doesn't help with your current situation.

I'm doing some more research if I find anything I'll let you know.
0
marpanetAuthor Commented:
Let me find the article I misread and took me to 36 hour non sleep work.. LOL

I manage to recover almost everything, I formated the server, clean installation, export ost to pst on workstations, and import them again...  configured all over again and ready!
0
marpanetAuthor Commented:
Sorry all for all the wait time, I had so many problems in the last three weeks!!...
I didn´t find the exact article that I read last time, but it was something like this.... also, my article was on spanish...

http://www.windowsecurity.com/articles-tutorials/windows_os_security/Using-Restricted-Groups.html

Please don´t judge me, I know what  I did was very very very wrong!!... I paid it with a 36 non hour work hehehehe
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Seth SimmonsSr. Systems AdministratorCommented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.