marpanet

Cannot login into my own windows server, not via RDC, not locally

I wanted to restrict users from installing software. We have a Windows 2011 SBS, and I added the Administrators group to the Restricted Groups, as I found on a webpage, but after I did that, I cannot log on locally, not via RDC, and not even the users can log in on their Windows 7 computers...

What can I do?????
Natty Greg
lol, log in locally to the computer itself and then change the administrator privilege locally, then log in to the DC and remove admin from the restricted group. You have about 120 sec from logging in to change admin from restricted, because the policy will also restrict the computer. Then you're SOL.
marpanet

ASKER

The problem is that I cannot log in locally, only if I go to active directory recovery mode...  If I enter normally, it won't let me in...  Windows won't let me log in locally..
Can you explain in more detail the part where " login locally into the computer itself and then change the administrator privilege locally".. please!!!
I don't know if this will work--actually I suspect it won't--but it's easy and is worth a shot.

Log into a workstation using a regular domain user account.

Download psexec from live.sysinternals.com

Open a command prompt and run

psexec \\serverName -e -h -u [domain]\[administratorUser] net group "Restricted Groups" Administrators /del

or try

runas /user:[domain]\[administratorUser] /netonly psexec \\serverName -s net group "Restricted Groups" administrators /del

This will attempt to create a session (a bit different than a full logon) on the server and remove "Administrators" from the "Restricted Groups" group in Active Directory.

If it seems like you might be getting somewhere you can try reading the documentation on runas (Windows utility) and psexec (Sysinternals utility, now owned by Microsoft) to experiment with different flags. But be aware, when/if this works you will have as much/more rights as if you were running commands on the server console itself, so you can shoot yourself in the foot (again) just as easily as if you were working right on the server.
Can you explain in more detail the part where " login locally into the computer itself and then change the administrator privilege locally".. please!!!
When you log into the server, rather than logging in with domain\username then password, try computername\username then password. This will log you on locally.
I will try that..
Can I copy a specific folder or registry from an old backup, so the group policy can be changed back to the way it was????
Works2011, I did log in locally as you said, but I am lost on the part "change the administrator privilege locally" and in the part "then login to dc and remove admin from restricted group".

can you help me?
Do you have any admin account(s) running services you can remember? For example you would create the user "CSE" for Cloudmark as an administrator for the spam filter to run. If you know any of the names created to run a service as administrator you could log on with it and go to active directory to change the restricted group.
I remember I had one, for the BlackBerry services, tried the user and password, and the same error...  could not log in..
I found a folder in %systemroot%\windows\sysvol\domain. In there, I can see that I have many folders; all of them have a created date from the day I installed Windows (3 years ago), and I have one folder with a created date of today, at the same time I created that policy that kicked me out..... What happens if I manage to delete that folder? Will the policy that I created be deleted??
If you delete anything in sysvol you better have a good backup.

I think I was tired last night regarding the admin account, sorry, if you created a policy with restrictions and added the administration group I believe you may have locked yourself out.

To me even if you change the password on the admin account, any of them they are still restricted from a group standpoint.
How many users on the server? What type of drive configuration? Do you have a backup in place?
20..... only one domain controller... it's a Windows 2011 SBS...
The backup drive appeared as if it was working, but when trying to restore, the backup drive was toasted (I know......). I have a four-month backup which I will restore....

I will have to create all the new accounts, export from edb to pst and import each user's mailbox...  haven't found another way..
Do you mind posting the article that recommended what you did? Maybe some good to come out of this is preventing that article to create any problems for others in the future. I know it doesn't help with your current situation.

I'm doing some more research if I find anything I'll let you know.
Let me find the article I misread and that led me to 36 hours of work without sleep.. LOL

I managed to recover almost everything. I formatted the server, did a clean installation, exported ost to pst on the workstations, and imported them again...  configured everything all over again and ready!
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
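
Added example, not part of the thread or written by any of its participants: a GPO's Restricted Groups settings are stored in the [Group Membership] section of its GptTmpl.inf under SYSVOL, and a "__Members" line replaces the named group's membership with exactly the accounts listed. The PowerShell below parses that section and reports any entry that would overwrite the built-in Administrators group (SID S-1-5-32-544), so a policy can be checked before it is linked. The function names and the sample file content are constructed for illustration.

```powershell
# Parse the [Group Membership] section of GptTmpl.inf text (Restricted Groups).
function Get-RestrictedGroupEntry {
    param([string[]]$Lines)
    $inSection = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection -or $t -eq '' -or $t.StartsWith(';')) { continue }
        # Entry shape: <group>__Members = a,b   or   <group>__Memberof = x,y
        if ($t -match '^(.+?)__(Members|Memberof)\s*=\s*(.*)$') {
            $group = $Matches[1].Trim(); $kind = $Matches[2]; $raw = $Matches[3]
            $accounts = @($raw.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            New-Object PSObject -Property @{ Group = $group; Kind = $kind; Accounts = $accounts }
        }
    }
}

# Entries that replace who is in the built-in Administrators group.
function Get-AdminOverwrite {
    param([string[]]$Lines)
    Get-RestrictedGroupEntry -Lines $Lines | Where-Object {
        $_.Kind -eq 'Members' -and
        ($_.Group -eq '*S-1-5-32-544' -or $_.Group -eq 'Administrators')
    }
}

# Constructed sample: Administrators listed as a restricted group with no members.
# For a real GPO, read the lines with Get-Content from a copy of its GptTmpl.inf.
$sample = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members =
'@ -split "`r?`n"

foreach ($hit in @(Get-AdminOverwrite -Lines $sample)) {
    $who = if ($hit.Accounts.Count) { $hit.Accounts -join ', ' } else { '(nobody)' }
    "Administrators membership would be replaced with: $who"
}
```

The code avoids features newer than PowerShell 2.0, which is what ships with the Server 2008 R2 base of SBS 2011.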