
Cannot login into my own windows server, not via RDC, not locally

Posted on 2014-08-02
Last Modified: 2015-06-26
I wanted to restrict users from installing software. We have a Windows 2011 SBS, and I added the administrators group to the Restricted Groups, as I found out on a webpage, but after I did that, I cannot log on locally, not via rdc, and not even the users can log in on their Windows 7 computers...

What can I do?????
0
Question by:marpanet
17 Comments
 
LVL 14

Expert Comment

by:Natty Greg
ID: 40236493
lol, login locally into the computer itself and then change the administrator privilege locally, then login to dc and remove admin from restricted group. You have about 120 sec from logging in to change admin from restrict, because the policy will also restrict the computer. Then you're sol
0
 
LVL 2

Author Comment

by:marpanet
ID: 40236803
The problem is that I cannot log in locally, only if I go to active directory recovery mode...  If I enter normally, it won't let me in...  Windows won't let me log in locally..
0
 
LVL 2

Author Comment

by:marpanet
ID: 40236892
Can you detail it more the part where " login locally into the computer itself and then change the administrator privilege locally".. please!!!
0

 
LVL 5

Expert Comment

by:Adam Ray
ID: 40236900
I don't know if this will work--actually I suspect it won't--but it's easy and is worth a shot.

Log into a workstation using a regular domain user account.

Download psexec from live.sysinternals.com

Open a command prompt and run

psexec \\serverName -e -h -u [domain]\[administratorUser] net group "Restricted Groups" Administrators /del

or try

runas /user:[domain]\[administratorUser] /netonly psexec \\serverName -s net group "Restricted Groups" administrators /del

This will attempt to create a session (a bit different than a full logon) on the server and remove "Administrators" from the "Restricted Groups" group in Active Directory.

If it seems like you might be getting somewhere you can try reading the documentation on runas (Windows utility) and psexec (Sysinternals utility, now owned by Microsoft) to experiment with different flags. But be aware, when/if this works you will have as much/more rights as if you were running commands on the server console itself, so you can shoot yourself in the foot (again) just as easily as if you were working right on the server.
0
 
LVL 17

Expert Comment

by:WORKS2011
ID: 40236948
Can you detail it more the part where " login locally into the computer itself and then change the administrator privilege locally".. please!!!
When you log into the server, rather than log in with domain\username then password, try computername\username then password. This will log you on locally.
0
 
LVL 2

Author Comment

by:marpanet
ID: 40236966
I will try that..
Can I copy from an old backup a specific folder, or registry so the group policy can be changed back as the way it was????
0
 
LVL 2

Author Comment

by:marpanet
ID: 40236968
Works2011, I did log in locally as you said, but I am lost on the part "change the administrator privilege locally" and in the part "then login to dc and remove admin from restricted group".

can you help me?
0
 
LVL 17

Expert Comment

by:WORKS2011
ID: 40236975
Do you have any admin account(s) running services you can remember? For example you would create the user "CSE" for Cloudmark as an administrator for the spam filter to run. If you know any of the names created to run a service as administrator you could log on with it and go to active directory to change the restricted group.
0
 
LVL 2

Author Comment

by:marpanet
ID: 40236977
I remember I had one, for the BlackBerry services, tried the user and password, and the same error...  could not log in..
0
 
LVL 2

Author Comment

by:marpanet
ID: 40237021
I found a folder in %systemroot%\windows\sysvol\domain. In there, I can see that I have many folders, all of them with a created date from the day I installed Windows (3 years ago), and I have one folder with a created date of today, at the same time I created that policy that kicked me out..... What happens if I manage to delete that folder? Will the policy that I created be deleted??
0
 
LVL 17

Expert Comment

by:WORKS2011
ID: 40237537
If you delete anything in sysvol you better have a good backup.

I think I was tired last night regarding the admin account, sorry, if you created a policy with restrictions and added the administration group I believe you may have locked yourself out.

To me even if you change the password on the admin account, any of them they are still restricted from a group standpoint.
0
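Added example, not part of any post in this thread: a pre-deployment check for the kind of Restricted Groups setting discussed above. It parses the `[Group Membership]` section of a GPO security template (GptTmpl.inf) and flags any entry that sets a Members list on the built-in Administrators group, because that list is authoritative and accounts not on it are removed when the policy applies. The sample template, its SIDs and the function names are constructed for illustration.

```python
import re

# Built-in Administrators: well-known SID and English group name.
BUILTIN_ADMINS = {"s-1-5-32-544", "administrators"}

# Constructed sample of a GptTmpl.inf (SIDs are made up).
SAMPLE_GPTTMPL = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members =
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = *S-1-5-21-1111111111-2222222222-3333333333-1104
"""

ENTRY = re.compile(
    r"^\*?(?P<group>.+?)__(?P<kind>Members|Memberof)\s*=\s*(?P<value>.*)$", re.I)

def parse_group_membership(inf_text):
    """Return {group: {'members': [...], 'memberof': [...]}} for Restricted Groups."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = ENTRY.match(line) if in_section else None
        if not m:
            continue
        values = [v.strip().lstrip("*") for v in m["value"].split(",") if v.strip()]
        groups.setdefault(m["group"], {})[m["kind"].lower()] = values
    return groups

def lockout_findings(inf_text):
    """Flag policies that overwrite the membership of built-in Administrators."""
    findings = []
    for group, settings in parse_group_membership(inf_text).items():
        if group.lower() not in BUILTIN_ADMINS or "members" not in settings:
            continue
        members = settings["members"]
        # An empty authoritative list leaves no administrators at all.
        findings.append(("LOCKOUT" if not members else "REVIEW", group, members))
    return findings

if __name__ == "__main__":
    for level, group, members in lockout_findings(SAMPLE_GPTTMPL):
        print(level, group, members or "(empty Members list)")
```

Real templates live under `SYSVOL\<domain>\Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf` and are normally UTF-16 encoded, so decode the file before passing its text to the parser.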
 
LVL 17

Expert Comment

by:WORKS2011
ID: 40237540
How many users on the server? What type of drive configuration? Do you have a backup in place?
0
 
LVL 2

Author Comment

by:marpanet
ID: 40237670
20..... only one domain controller... it's a Windows 2011 SBS...
The backup drive appeared as if it was working, but when trying to restore, the backup drive was toasted (I know......). I have a four month backup which I will restore....

I will have to create all the new accounts, export from edb to pst and import each user's mailbox...  haven't found another way..
0
 
LVL 17

Expert Comment

by:WORKS2011
ID: 40237855
Do you mind posting the article that recommended what you did? Maybe some good to come out of this is preventing that article from creating any problems for others in the future. I know it doesn't help with your current situation.

I'm doing some more research if I find anything I'll let you know.
0
 
LVL 2

Author Comment

by:marpanet
ID: 40249191
Let me find the article I misread and took me to 36 hour non sleep work.. LOL

I managed to recover almost everything. I formatted the server, clean installation, exported ost to pst on workstations, and imported them again...  configured all over again and ready!
0
 
LVL 2

Accepted Solution

by:
marpanet earned 0 total points
ID: 40268061
Sorry all for all the wait time, I had so many problems in the last three weeks!!...
I didn't find the exact article that I read last time, but it was something like this.... also, my article was in Spanish...

http://www.windowsecurity.com/articles-tutorials/windows_os_security/Using-Restricted-Groups.html

Please don't judge me, I know what I did was very very very wrong!!... I paid it with a 36 non hour work hehehehe
0
 
LVL 36

Expert Comment

by:Seth Simmons
ID: 40852559
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
