VERY Strange problem: Cannot logon interactively

From: Smax Dot (smaxdot@yahoo.com)
Date: 01/04/02


From: smaxdot@yahoo.com (Smax Dot)
Date: 3 Jan 2002 22:37:55 -0800

Okay folks, here's a tough one for you hardcore Win2K folks --

I have a Windows 2000 professional machine that I can't log into. The
machine is a member of a domain, but I cannot log on to the domain OR
the computer locally. Each time I get an error saying, "The local
policy of this system does not permit you to logon interactively".

I read that a workaround is to use a resource kit utility to remotely
add the LogonLocally right to a specific user or group.
Unfortunately, it appears that use of this utility is dependent on the
Server service being started. Well, being security-conscious, I
disabled the Server service! Another "workaround" I saw was to map
the c$ share from another PC, rename the
c:\winnt\security\database\secedit.sdb file, and then copy another one
from a different PC. Well, obviously I can't do this either since the
Server service is disabled!

I was able to boot with an NTFS-DOS bootable disk, though, and rename
the secedit.sdb file and copy another one over to my drive.
Unfortunately, this didn't appear to do anything. :/

Here's what else I did:

I copied cmd.exe to c:\winnt\system32\logon.scr, so it dumps me into a
command shell after ~20 minutes of idle time after the "CTRL-ALT-DEL"
screen. This worked like a charm, and as expected, I was logged on as
NTAUTHORITY\SYSTEM. I thought all would be well at this point, but
unfortunately it seems that even the SYSTEM account doesn't have many
rights -- logged on as NTAUTHORITY\SYSTEM, I am unable to create a
user, edit user properties, change anything in the local security
policy, remove myself from the domain, change service properties,
etc... Heck, I can't even run the Windows 2000 Setup program
(winnt32.exe), it tells me I must be an Administrator!!!

When I go into the Local Security Policy and drill down to the "Log on
Locally" right, I can see that the only user/group who has a checkbox
in the "Effective Security Policy" column is a SID -- all the users,
groups, etc. defined here as having the Log On Locally privilege do
NOT have a checkbox in the "Effective" column (only the SID does).
And of course the "Effective" column is grayed out for all the other
users/groups (minus the SID).

I am out of ideas here! Does anyone have any insights into anything
I can try?

Thanks for any help you can offer,

- Dave


