Re: FOR A SKILLED IT EXPERT - WIN2K SERVER - DOMAIN CONTROLLER

Thanks Roger - OK - just finished a second windows server installation to
another folder on C Drive WINNT2..

Guess the next step is to restore the system state from the tape back to the
original WINNT folder?

Will try this and see if she boots up in the first installation....

Will keep you posted...

Blessings and thanks again...

WW7

John 14:6
Jesus saith unto him, I am the way, the truth, and the life: no man cometh
unto the Father, but by me.




"Roger Abell [MVP]" wrote:

So then the policy is disallowing all login by all users at all machines ?
The remote tools would need to be run with a recognized domain
account having admin priv in order to edit the group pollicy objects.
That pretty much makes running from a CD boot not an option.
I had thought that with Windows 2000 one could not block the
built-in Administrator account from being able to log in (while in
Windows Server 2003 one can, but not from a safe mode boot).
The built-in Administrator account may have been renamed, but
if you know what the account is then perhaps this will give you
a route to log in.

"West-Wind-7" <WestWind7@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A5E710B2-AC12-4172-B770-9BBD2906545F@xxxxxxxxxxxxxxxx
Thank you and Bless you Roger for your time in answering - VERY much
appreciated.

Will soon attempt your suggestion if we can access the Server from the
workstation.
(last message denied access to the server from the workstation - the WKSTN
boots up on cached profile only) The interactive logon problem has applied
to
ALL users in the Domain.

Yes - it is very possible we are at a pre-DC state on the server after the
manual security reset.

Yes - we have a very recent back up of the system state, but how do we
logon
to use the tape deck (Dell SCSI) ??

Worst case Roger, can we use the tools suggested from a CD Rom or floppy
boot?

God Bless you again and thank you again....

Take care -

WW7

"Roger Abell [MVP]" wrote:

The message is refering to the effective policy.
The setting could originate anywhere.
NTrights pokes the effective setting and gives you on a DC
a 5 minute window to log in. You need to find which GPO
this was set in and change it back.
If you need, you can define a temp GPO linked onto the DC OU
at highest priority that sets a value of Administrators as having the
log on local user right in order to not hassle with things while finding
and changing back what had been set accidentally.

However, you now have other issues due to the effort with resetting
the security. I am not quite sure where things are at for you now
since that probable tweaked things back to pre-domain controller
config. Can you install the adminpak.msi (www.microsoft.com/downloads)
on a machine in the domain and use the mmc tools to get at the config
of the domain remotely ?? Also grab GPMC while you are at downloads.

If you had not tried the reset we could have pulled you out of this, per
the
comments of the opening paragraphs and remote tools. With the reset
attempted I do not know. How far did things get and what happened??
The best chance at this point may be if you have a recent valid full
backup
of the system state so that an authoritative restore could be done.

Hopefully others reading this have some ideas . . .


It is sometimes useful to disallow admins local login.
That can be a valid and desirable deployment.
MS cannot anticipate what is unlikely a useful configuration and
make the settings for same impossible, although in a very few
cases they have, since as soon as it is said "that is not a valid
thing to do" a situation comes along in which it is.
That said, it is possible, and I have seen, Domain Admins completely
locked out from all ability to log into or manage their forest. Sort of
foolish, to do and to allow to be done, but I guess it is a case of at
what point do you allow and disallow.

"West-Wind-7" <WestWind7@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:88C35619-1C73-4095-8E11-949155242A39@xxxxxxxxxxxxxxxx
Thanks Roger - The error message says the LOCAL POLICY..But it is true
that
the Domain Policy was edited but NOT the logon rights for any user.

Used NTRIGHTS over the network, and that fixed it once. BUT, each time
i
(Administator) logged on the same problem came back.

So, i followed the MS instructions to manually edit the inf and ini
security
files to reset everything back to default.

Still the same error message. NOW, NTRIGHTS will not work - so network
access is not an option.

We are a small 2 pc design Company also enagaged in Christian
Evangelism.

It looks like i must install another copy of the OS in a separate
folder
and
boot up through that, and then manually edit the files.

Unless you can think of another way??

REGARDING your comment : > If there were a simple way to reset
everything
when the system
believes you are not entitled to do so it would not be a very
well planned system design now would it ?

WHY WOULD THE SYSTEM DENY THE ADMINISTRATOR LOGON RIGHTS???

If the Admin can't get in the system is useless.

Why would the system NOT warn an Admin that the changes made to the
policies
will PREVENT him from logging back on??

It is a conundrum, and having scoured the internet, multitudes of other
people have experienced this very same issue.

CONCLUSION : It is an MS flaw in the way the OS responds to Security
Policy
changes made by an Administrator who is NOT a Degree Holder in Computer
Science. The OS MUST tell the person, BEFORE the changes are absorbed,
that
doing so will LOCK THEM OUT OF THE SYSTEM...

It does not do that, otherwise i would NOT be in this mess.

If you have any other ideas of how to reset the security back to
default,
with ZERO Domain access we would ALL love to know,

Bless you Roger and thank you for your reply ... very much
appreciated...

In Christ and in Truth...

WW7



"Roger Abell [MVP]" wrote:

You have told us this is with Windows 2000 server.
However, your subject says Domain Controller, but your message
says the change was in the local security policy, which is not used
on domain controllers.

What is it that you modified ?? If it was only the Log on Locally
and/or the Deny log on locally policies, then just edit the GPO
remotely over network with a domain admin account and reverse
the changes.

If there were a simple way to reset everything when the system
believes you are not entitled to do so it would not be a very
well planned system design now would it ?


"West-Wind-7" <WestWind7@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8A59B55E-6062-429D-B146-F958EC25532B@xxxxxxxxxxxxxxxx
"The local policy of this system does not permit you to logon
interactively"

Hello Everyone - i made a small and insignificant change to the
local
security policy. NO ERROR MESSAGE, that i would be locked out of the
server,
and for this i am very upset with MS.

Anyhow, i CANNOT logon with ANY USER, not even the built in
Administrator
in
Directory Services Mode. This has been for over 10 days now. DO NOT
WANT
TO
LOSE the profiles.

Does ANYONE know of a floppy boot up program that will RE-SET all
Domain
Controller Security back to DEFAULT???

Re-setting the Password is not the issue.

How CAN all SECURITY be reset to default, via a boot-up floppy
program
to
allow logon normally again without this RIDICULOUS MESSAGE "The
local
policy
of this system does not permit you to logon interactively"

SURELY, there is a way to easily reset the security?

Hope someone can suggest something...

Thank you and God Bless you...

West-Wind-7














.

Relevant Pages

  • RE: Cant set Local Security policies. They fail to save
    ... predefined Security Template on SBS 2003 to restore security groups ... run "gpupdate.exe /force" under command prompt to force the policy ... reboot the Server to test. ... and then logon to client computer to test if user can save system logs. ...
    (microsoft.public.windows.server.sbs)
  • RE: Logon Issue - could someone explain please
    ... I understand that you get security event 540 ... When a user connects to the shared folder on the SBS server, ... logon auditing, ...
    (microsoft.public.windows.server.sbs)
  • Re: Unknown Domain user - domain authentication appears limited
    ... (using cached login). ... Microsoft MVP (Windows Server System: Security) ... > due to the following error: Logon failure: the user has not been granted ...
    (microsoft.public.windows.server.security)
  • Re: FOR A SKILLED IT EXPERT - WIN2K SERVER - DOMAIN CONTROLLER
    ... So then the policy is disallowing all login by all users at all machines? ... boots up on cached profile only) The interactive logon problem has applied ... manual security reset. ... If you had not tried the reset we could have pulled you out of this, ...
    (microsoft.public.win2000.security)
  • Re: Users no longer authenticate on W2k-svr
    ... Policy and go to security settings/local policies/user rights and make sure ... auditing of logon events on that server and then view the logs in Event Viewer ...
    (microsoft.public.win2000.networking)