Re: windows 20000 problem

From: Steven L Umbach (sumbach_at_nospam-ameritech.net)
Date: 02/26/04


Date: Thu, 26 Feb 2004 19:22:40 GMT

So you are saying the problem is on just this one particular server that is
in an OU with other servers that do not lock down the domain admin account.
Hmm. The part about logging in as local account that bypasses this policy
indicates that it is being applied somewhere in the domain/OU and not local
policy - at least user policy. If loopback processing [computer
configuration] is applied to the OU or maybe even at local level, that could
give the user different configuration policy based on the container that the
computer is in. You may want to check that though it is doubtful. You might
try enabling debug logging to view userenv.log file and running netdiag [on
install cd in support/tools folder - run setup] on that computer looking for
any failed tests that may be pertinent as well as looking at application and
system logs in Event Viewer for any clues. --- Steve

http://support.microsoft.com/?id=231287
http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B321708

"Steve" <ste@nospam.com> wrote in message
news:#JcOO2E$DHA.3232@TK2MSFTNGP10.phx.gbl...
> Steve,
>
> Thanks for your reply much appreciated...
>
> I know that the computer is not being locked down by group policies which is
> what is puzzling me more than anything. If I log onto any other PC as
> administrator then it is fine it is just this PC in particular. I have tried
> absolutely everything in my knowledge which is why I have posted to the
> NG's. I have even disjoined the server from the domain and re-added again to
> no avail. The PC is in the same OU as all the other servers that aren't DC's
> and the administrator is in an OU where the policy doesn't apply. I have
> also checked local policies for the PC and there is nothing amiss here
> either. If you are as stumped as I am then I think I am going to have to
> rebuild which I don't really want to do as this is our intranet server. The
> PC is not locked down if I log in as local admin and the domain admin is
> part of the local admin group on the PC
>
> weird isn't it
>
> Steve
>
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:wK4%b.58234$4o.76544@attbi_s52...
> > Domain policy will also apply to users and computers in Organizational Units if
> > overriding settings are not defined in the OU. If the administrator is in a different
> > container than the OU then try reversing the settings in that OU or try enabling
> > "block inheritance" on that OU. Keep in mind that block inheritance can not block
> > higher level GPO's that have "no override" enabled. Otherwise try filtering Group
> > Policy that you have configured to not apply to the administrators group by selecting
> > Group Policy/properties/security and give deny permissions to the administrators
> > group for apply policy. See the link below for more details. --- Steve
> >
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;322176
> >
> >
> > "Steve" <ste@nospam.com> wrote in message
> > news:uIFe4H6%23DHA.3220@TK2MSFTNGP10.phx.gbl...
> > > Hi NG,
> > >
> > > When I log into one of my servers as the domain administrator, the
> > > administrator is locked down the same way as any of my domain users are
> > > locked down by a group policy I have applied to the domain.
> > >
> > > The group policy has not been applied to any organisational units that
> > > contain the server or the administrator so I ran the GPRESULT.exe tool from
> > > the windows 2000 resource kit to see if this could tell me what group
> > > policies have been applied and although the session is locked down it
> > > doesn't display any GP's that could have been applied (domain user policy
> > > hasn't been applied)
> > >
> > > any ideas I am stumped
> > >
> > > Thanks in advance
> > >
> > > Steve
> > >
> > >
> >
> >
>
>
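
The thread mentions four mechanisms that decide whether a domain-linked GPO reaches a user session: block inheritance, "no override", a deny on Apply Group Policy, and loopback processing. The sketch below is an added example, not part of the original posts and not Microsoft's algorithm; it is a simplified model (local and site policy omitted) that shows how they interact, with every container, GPO and group name constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)  # [(gpo_name, no_override)]
    block_inheritance: bool = False

def linked_gpos(path):
    """path runs domain -> ... -> leaf OU; returns GPO names, lowest precedence first."""
    normal, enforced = [], []
    for c in path:
        if c.block_inheritance:
            normal = []  # inherited links dropped; "no override" links survive
        for gpo, no_override in c.links:
            (enforced if no_override else normal).append(gpo)
    # Among "no override" links, the one linked highest in the tree wins, so apply it last.
    return normal + enforced[::-1]

def user_policy(user_path, computer_path, groups, deny_apply, loopback=None):
    """GPOs whose user settings reach the session (simplified model)."""
    if loopback == "replace":      # user settings come from the computer's containers
        gpos = linked_gpos(computer_path)
    elif loopback == "merge":      # user's list first, computer's list applied on top
        gpos = linked_gpos(user_path) + linked_gpos(computer_path)
    else:
        gpos = linked_gpos(user_path)
    gpos = list(dict.fromkeys(reversed(gpos)))[::-1]  # keep last occurrence of duplicates
    # Security filtering: a Deny on "Apply Group Policy" for any of the user's groups wins.
    return [g for g in gpos if not (groups & deny_apply.get(g, set()))]

# Constructed sample layout (all names hypothetical).
def sample(no_override=False):
    domain = Container("example.local", [("Lockdown", no_override)])
    admins = Container("Admins", block_inheritance=True)
    servers = Container("Servers")
    return [domain, admins], [domain, servers]

if __name__ == "__main__":
    u, c = sample()
    g = {"Domain Admins"}
    print(user_policy(u, c, g, {}))                      # block inheritance
    print(user_policy(u, c, g, {}, loopback="replace"))  # loopback on the server
    u2, c2 = sample(no_override=True)
    print(user_policy(u2, c2, g, {}))                    # "no override" link
    print(user_policy(u2, c2, g, {"Lockdown": g}))       # deny Apply Group Policy
```

In this model an administrator whose OU blocks inheritance still receives the domain lockdown on a server where loopback is enabled, or anywhere once the link is set to "no override"; the deny entry removes it in both cases.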


