Re: Possible answer to domain problems
From: Karl Levinson [x y] mvp (jamescagney90210@excite.com)
Date: 12/26/02
- Next message: Karl Levinson [x y] mvp: "FAQ - READ BEFORE POSTING"
- Previous message: Karl Levinson [x y] mvp: "Re: account disabled"
- In reply to: Joe Dauncey: "Possible answer to domain problems"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Karl Levinson [x y] mvp" <jamescagney90210@excite.com> Date: Thu, 26 Dec 2002 12:59:26 -0500
Thanks... another administrator here told me he read a Microsoft article
that the DCPROMO process may change the policy so that only domain admins
can log on interactively. You could probably confirm this either by
searching www.microsoft.com/support and/or by editing the basicdc.inf
security template on your server using Notepad or the SCA MMC.
Note also that AFAIK you lose the ability to access local accounts including
local administrator when running DCPROMO, so that if the Domain Admins group
is empty, you could have problems [until you're able to figure out how to
add users to the Domain Admins group]. If you're building the first Windows
2000 DC in a domain, I guess you'd have to figure out beforehand where the
Domain Admin is going to come from.
"Joe Dauncey" <joe_dauncey@yahoo.co.uk> wrote in message
news:029801c2ac55$efc0c1e0$8ef82ecf@TK2MSFTNGXA04...
> I posted a problem just over a week ago, involving
> the 'cannot logon interactively problem'.
>
> I think it has something to do with the application of
> Office XP, or an Internet Explorer SP5.5 or something.
>
> I got locked out the first time I tried to build a DC and
> install Office XP on it, so I started from scratch again.
> This time I created a couple of extra users with admin
> privileges first.
>
> Somewhere in the process of 'Updating Windows Components'
> it changes the security policy so that whoever you were
> logged in as when you installed it can only login as a
> service!! This means that the userid cannot logon
> interactively. When I'd created an additional userid I was
> able to logon as an alternate administrator and search
> through the security policy until I'd found the problem
> and changed it - and it worked.
>
> I'm not entirely sure what it is that does it, but I'm
> pretty sure that it's when you update the Windows
> Components on 2000 Server after installing Office XP if
> you haven't already installed any service packs. There are
> three components that are updated, one of which is IE
> SP5.5 and one of which is MDAC. I can't remember the
> third. It's possible that it's something else, but I'm not
> sure what. Looking at other peoples posts it could be
> something to do with an earlier stage in the process as it
> seems to happen after people reboot, so it might have
> happened earlier and I missed it.
>
> So, the moral is, always create a couple of extra
> administrators when you build your DC, and be careful!!
>
> I hope this helps someone?
>
> Joe
--- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.423 / Virus Database: 238 - Release Date: 11/25/2002
- Next message: Karl Levinson [x y] mvp: "FAQ - READ BEFORE POSTING"
- Previous message: Karl Levinson [x y] mvp: "Re: account disabled"
- In reply to: Joe Dauncey: "Possible answer to domain problems"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
