Re: I'm locked out of domain admin account on Windows 2000 Server!!!

From: Mikel Pirie (mikel.pirie@nospam.valen.ca)
Date: 06/10/02


From: "Mikel Pirie" <mikel.pirie@nospam.valen.ca>
Date: Mon, 10 Jun 2002 09:48:15 -0700


did you by any chance play around with your group policy -
I've seen this message before when specifically All users
have been denied logon to the domain "Logon Locally"
through User Rights, and it looks like your domain admin
account has gotten it applied also - at least on the
server - if that's the case then ouch.

theoretically you could recover the situation assuming it
was not the domain policy you changed, and just a server
in an OU besides the Domain Controllers OU. But I'm afraid
it looks like your little domain is about to die or at
least be re-installed.

Something that I learned the hard way - in group policy,
always explicitly "Deny" the "Apply Group Policy" setting
for the admin and at least one backup account so the
policies don't get applied - it's too easy to break your
hard work.

hth
Mike
>-----Original Message-----
>Can you see the event log on the server? Look at what
>services didn't start?
>Try this from a workstation, logged in as a domain admin
>account, and just point the focus at the server. Did you
>update anything on the server? Make any changes to the
>domain policy?
>
>"x y" <jamescagney90210@yahoo.com> wrote in message
>news:OlWqpvCECHA.2172@tkmsftngp04...
>> Good, I would also search support.microsoft.com for
>> that error message, as this may be a common problem
>> with a known fix. Actually, I just searched there and
>> found nothing much, but you could still try searching
>> google and/or google groups [e.g. usenet].
>>
>> Since you can access shares on the server, you could
>> try running commands on the server using the Scheduled
>> Tasks folder, which can be accessed by launching
>> \\servername. For example, you could do
>> NET START >> c:\services.txt
>> to see a list of running services.
>>
>> "jeff and nicole" <bourman@bigpond.net.au> wrote in
>> message news:kESM8.280640$o66.724058@news-server.bigpond.net.au...
>> > The actual error I get is that "The user cannot be
>> > logged on interactively"
>> > this is on the server for admin .. all server
>> > functions seem to be working ok as the shares I have
>> > working are accessible...
>> > I will try the things you have suggested and try the
>> > tools...
>> >
>> > thanks
>> >
>> >
>> > "x y" <jamescagney90210@yahoo.com> wrote in message
>> > news:#A00cRAECHA.1692@tkmsftngp05...
>> > I'd be curious to know the error message you get when
>> > trying to log into the server, can you ping the server,
>> > can you open up folders remotely on the server, can you
>> > access other services on the server like DNS. Not sure
>> > about XP, but Win 2000 client by default very unwisely
>> > hides the error message if the domain controller cannot
>> > be contacted and you are being logged in using a cached
>> > password, but there is a registry edit to change that
>> > on 2000 and possibly on XP, documented at
>> > support.microsoft.com, I'd be curious to know the
>> > result of that as well.. and/or be curious to know if
>> > you can log into a workstation using an account that
>> > has never logged into that workstation before, to
>> > confirm that the domain controller really isn't able
>> > to authenticate. You could download and try running the
>> > microsoft domain diagnostic tools, think they are dcdiag
>> > and netdiag among others.
>> > You could try booting up to directory services restore
>> > mode and restore the last backup of the system state [I
>> > assume you're backing up system state from time to
>> > time]. This is probably less helpful, but you could
>> > even try running superscan port scanner from
>> > foundstone.com, who knows, maybe it will tell you some
>> > port isn't listening as it should be.
>> >
>> > "jeff and nicole" <bourman@bigpond.net.au> wrote in
>> > message news:wNKM8.279018$o66.721759@news-server.bigpond.net.au...
>> > I have a network with a Win2000 Server and 3x XP
>> > clients. After rebooting the server we cannot login as
>> > domain admin or connect remotely as admin.
>> > The domain admin account works fine on the client
>> > machines, but cannot logon to server as anything to do
>> > admin tasks locally or remotely. I still have full
>> > access to all the shares off the server from the client
>> > machines.
>> >
>> > As far as I can tell RPC service has failed but how
>> > do I get in there to restart it since I can't log in
>> > remotely or locally.
>> >
>> > I'm absolutely stuffed.
>> >
>> > Thanks in advance for your help :-)
>> >
>>
>
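Mike's point about "Log on locally" being denied through User Rights and then landing on the domain admin account, as an added example that is not part of this thread: a Python pre-flight check over a GPO security template (the GptTmpl.inf format that secedit and the Group Policy security extension read) that reports when the template would deny interactive logon to Administrators or Domain Admins. The template text and the domain part of the Domain Admins SID are constructed placeholders.

```python
# Added example: pre-flight check of a GPO security template (GptTmpl.inf) for
# settings that would deny "Log on locally" to the admin accounts. Constructed:
# the sample template text and the domain part of the Domain Admins SID.
import configparser

# Principals appear in GptTmpl.inf as *SID; these are well-known SIDs.
EVERYONE = "*S-1-1-0"
AUTHENTICATED_USERS = "*S-1-5-11"
BUILTIN_ADMINISTRATORS = "*S-1-5-32-544"
DOMAIN_ADMINS = "*S-1-5-21-1111111111-2222222222-3333333333-512"  # placeholder domain
ADMIN_PRINCIPALS = {BUILTIN_ADMINISTRATORS, DOMAIN_ADMINS}
BROAD_GROUPS = {EVERYONE, AUTHENTICATED_USERS}  # groups every admin belongs to

def parse_privilege_rights(template_text):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep SeDenyInteractiveLogonRight's case
    cp.read_string(template_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {name: {p.strip() for p in value.split(",") if p.strip()}
            for name, value in cp.items("Privilege Rights")}

def admin_lockout_findings(template_text):
    """Ways this template stops admins logging on interactively.
    A deny right always wins over the matching allow right."""
    rights = parse_privilege_rights(template_text)
    findings = []
    for p in rights.get("SeDenyInteractiveLogonRight", set()) & (ADMIN_PRINCIPALS | BROAD_GROUPS):
        findings.append(f"SeDenyInteractiveLogonRight lists {p}: admins denied 'Log on locally'")
    allow = rights.get("SeInteractiveLogonRight")
    if allow is not None and not allow & (ADMIN_PRINCIPALS | BROAD_GROUPS):
        findings.append("SeInteractiveLogonRight omits Administrators and Domain Admins: "
                        "applying it removes their 'Log on locally' right")
    return findings

# Constructed template reproducing the thread's scenario: Everyone denied local logon.
SAMPLE_BROKEN = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeDenyInteractiveLogonRight = *S-1-1-0
[Version]
signature="$CHICAGO$"
Revision=1
"""
# Same template with the deny right narrowed to Guests (S-1-5-32-546).
SAMPLE_SAFE = SAMPLE_BROKEN.replace("SeDenyInteractiveLogonRight = *S-1-1-0",
                                    "SeDenyInteractiveLogonRight = *S-1-5-32-546")
```

Run `admin_lockout_findings()` over a template before linking the GPO; an empty list means the admin accounts keep their interactive logon right under that template.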


