Re: Save me from my stupidity

From: stefanT (stefanT_at_discussions.microsoft.com)
Date: 12/28/04

    Date: Tue, 28 Dec 2004 14:57:04 -0800
    
    

    OK. Take #2

    I find I can access via the network after all. So I navigate to
    sysroot/sys32/GroupPolicy and set Deny on full for Administrators. I've not
    logged in locally yet so I give it a try. No joy. I reboot the machine and
    try again - still no joy. Same logon message - 'local policy does not permit
    interactive logon'. Any thoughts?

    What should the permissions be on this directory? Mine show
    Admins : allow unset ; deny unset
    System : allow unset ; deny unset
    Everyone : allow full ; deny unset

    The machine I'm working on was upgraded from W98 and the partition converted
    to NTFS afterwards. I've got another W2k-Pro machine which had a FAT32
    sysroot partition. I've just converted that to NTFS and that shows the same
    permissions as well. Somehow, though, it doesn't feel quite right to have
    full permissions for Everyone and no permissions for Admins or System.

    StefanT

    "stefanT" wrote:

    > Well and truly - grabbed by the short and curlies.
    snip....
    >
    > StefanT
    >
    > "Roger Abell" wrote:
    >
    > > Hmmm, got bitten a little by that one ? At least we can get
    > > you out of it, and it is likely one of the worst, for a machine
    > > that is not a domain controller, that one can accident upon
    > > while tightening a machine. Just remember that deny always
    > > overrules a grant, and the Users, Authenticated Users, Everyone,
    > > Network, and Interactive have wide impacts.
    > >
    > > OK, so you need, as an admin, to locate your folder permissions
    > > at system32\GroupPolicy and there set a Deny of full for the
    > > Administrators group. Then, log off and back on, remove the
    > > Deny you just set, and then immediately edit the local security
    > > policies to remove the problem setting.
    > > At a cmd prompt force refresh of policy (at prompt enter secedit
    > > and go to the How to . . . refresh ), then log off and back in to see
    > > if you are now set to go.
    > >
    > > --
    > > Roger Abell
    > > Microsoft MVP (Windows Security)
    > > MCSE (W2k3,W2k,Nt4) MCDBA
    > > "stefanT" <stefanT@discussions.microsoft.com> wrote in message
    > > news:C3BF937E-61C3-4DE7-9930-F7E6449BF071@microsoft.com...
    > > > After being given "Hardening Windows Systems" for Christmas I decided to play
    > > > about with the local policy settings on my networked W2k Pro machine.
    snip...
    > > > StefanT
    > >
    > >
    > >

