Re: Administrator unable to log on Interactively
From: praks25 (praks25@aol.com)
Date: 10/23/02
- Next message: Daniel Angelucci: "Re: error message in system log file."
- Previous message: Matt Prall: "Re: Domain Controller send TCP 80 to 207.46.230.220 (Microsoft.com)"
- In reply to: Karl Levinson [x y] MVP: "Re: Administrator unable to log on Interactively"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "praks25" <praks25@aol.com> Date: Tue, 22 Oct 2002 16:28:51 -0700
Firstly i tried accessing the domain controller C drive
through "net use" with the administrator account and
password. it kept giving me the error that the user is not
allowed to logon to the system.
I then tried accessing the C drive on the DC but without
the username and password. it wouldn't let me do that on
any client machines. I tried the same from the secondary
DC and it allowed me access to the C drive without
username and password. But if I type "Dir /w" it says
access is denied. I then navigated down to the folder
(Systemroot\security\database) that contains
the "Secedit.sdb" file. It allowed me to navigate without
username and password but when I tried to rename the file
it again gave me a "access is denied" I understand what is
going on very well but the point is that "net use" does
not work.
nevertheless thankyou for the hints and webpage at JSIFAQ.
I tried the net use hint you mentioned. I have yet to try
out the NTRights but I don't have the resource kit CD that
holds the program. I know it's available with the whole RK
pack that costs above $300.
I am in a dilemma as to whether to buy the pack or just
call Microsoft user support and pay $245.
I think the policy has been changed in the "local security
policy" settings under "user rights assignment". that is
even more unfortunate as running adminpak may not work coz
it's a local policy setting. I am not sure but I guessed
as much. anyway I tried running adminpak on XP pro and
that didn't work as mentioned below.
So I'm stuck between a rock and a hardplace.
anyway thanks and if you can think of something else that
may be helpful do let me know. I will let you know If i
get it solved through Microsoft or NTrights.
>-----Original Message-----
>"praks25" <praks25@aol.com> wrote in message
>news:44bf01c27a08$abf9b130$39ef2ecf@TKMSFTNGXA08...
>> As mentioned in my post of october 17th, the
>> administrator is not able to log on interactively. I
>> tried to undo the damage according to the suggestions
>> given but to no avail.
>> I am one among a few administrators and just cannot log
>> on to the primary domain controller. I tried using
>> the "net use" command to logon to the C drive of the
>> domain controller to edit the "secedit.sdb" file,
through
>> one of the computers in the domain after I logged in as
>
>The first URL at the bottom of this email mentions
renaming that file and
>replacing it with a fixed copy instead of editing it,
have you tried that
>tip yet? [Note that that file is just the local group
policy. In an active
>directory setting, there might be another file somewhere
in the Active
>Directory folders on the domain controllers for the
domain group policy]
>
>> Besides the new admin pak for WinXP pro does not have
>> the "domain controller security policy" service nor does
>> it have the "domain security policy" service.
>> Any help in trying to resolve this issue would be
>> appreciated. I have a secondary controller, but since
the
>> admin has no logon rights I cannot even replicate the
>> active directory and make the secondary as primary and
>> reinstall the primary.
>
>If you can log into any machine using a domain account, I
would think you
>should be able to use the Group Policy MMC to edit the
default domain
>policy
>
>> Will NTRights.exe work to have this fixed. this is about
>> the only thing I have not yet tried.
>
>I haven't heard any success stories from NTRIGHTS users
yet on this, but
>perhaps some of them were not using it correctly. Note
that the Deny
>Interactive Logon setting takes precedence over the Allow
Interactive Logon
>setting. So, if the problem is that the Administrator ID
is in a group that
>has been assigned the Deny Interactive Logon setting,
using NTRIGHTS to add
>the Administrator to the Allow Interactive Logon list
will not fix the
>problem. Instead, you would need to also determine the
group that has been
>added to the Deny Interactive Logon list and use NTRIGHTS
to remove that
>group from the list.
>
>I assume you've already tried the tips below? And if so,
did all of them
>fail?
>
>If the computer is joined to an Active Directory domain,
you could use Group
>Policy to change the settings on the computer and reboot
the computer or
>wait 90 minutes or so for the changes to take effect.
>
>OR, you could try the tips below:
>
>www.jsifaq.com/SUBG/TIP3300/rh3361.htm
>www.jsifaq.com/SUBI/tip4100/rh4187.htm
>
>If none of that solves the problem, I would highly
recommend calling
>Microsoft Product Support. It only cost about $200 to
get their help
>resolving a very complex problem with an Exchange server
that kept locking
>up, and you get unlimited hours until the problem is
solved [free if they
>fail to solve your problem]. The support pages at
www.microsoft.com also
>have other third party support places you can call for
possibly less money
>than microsoft support.
>
>
>
>.
>
- Next message: Daniel Angelucci: "Re: error message in system log file."
- Previous message: Matt Prall: "Re: Domain Controller send TCP 80 to 207.46.230.220 (Microsoft.com)"
- In reply to: Karl Levinson [x y] MVP: "Re: Administrator unable to log on Interactively"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
