Re: FOR A SKILLED IT EXPERT - WIN2K SERVER - DOMAIN CONTROLLER
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Thu, 9 Mar 2006 20:54:58 -0800
Well, WW7, this old-time buddhist wishes you luck in your efforts.
Roger
"West-Wind-7" <WestWind7@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:3D2FC215-0783-4D36-B3AC-80CA7398BF57@xxxxxxxxxxxxxxxx
Hi Roger - as we Say - PRAISE THE LORD...
After installing a parallel copy of WIN2K SERVER, have obtained
Administrator access in Directory Services Restore Safe Mode.
This was achieved by renaming the secedit.sdb file (whilst in the second
installation) to secedit.old_sdb and then COPYING the new secedit.sdb file
into the security/database folder. This reset the local policy back to
default, allowing the logon - Amen
Not out of the woods yet as i have to NOW get into the Forest <laughter>
Still, with time and patience, may be able to get things stable again in the
Domain - Amen
Either way, i DO believe that MS has a LONG way to go to make their OS more
stable and user friendly - they need to WRITE a program CALLED
"Administrator" that monitors EVERYTHING the Admin is doing, AND WARNS in
"friendly language" - DON'T DO THAT - YOU WILL LOCK YOURSELF OUT OF THE
SYSTEM.
Amen
If you don't yet know Christ JESUS as your Lord and Saviour - PLEASE -
start this process here : http://www.Constellation7.org and
http://www.Constellation7.org/Salvation/Salvation.doc
This is more important than "saving" an OS; this Saves your soul from the
wrath of God yet to come, on the ungodly and the wicked, through the Prayer
of Faith to allow YOU The Full Water Baptism and The Baptism of The Holy
Ghost in the Holy Name of JESUS CHRIST - King of kings and Lord of lords.
YES - it is ALL True - The Holy King James Bible - EVERY WORD - Amen
There is Heaven, Earth and Hell....
Be sure of Heaven with the Prayer and Follow On - Amen
http://www.Constellation7.org/Salvation/Salvation.doc
The Prophetic Parallel is similar to "Server" language - Every man needs an
UPGRADE to his OS to get rid of all the bugs that were programmed in from the
ORIGIN - (Genesis) - So that the Curse of Sin can be OVERCOME...
The Master Administrator for this is INDEED The Holy Lord JESUS CHRIST - Amen
Take this "on board" and May God Lead you and Bless you always in His Holy
Love and Truth - Praises !!!!
Peace - WW7
"Roger Abell [MVP]" wrote:
Actually system state can only be restored into the running system.
I am not sure what all was done, when attempting the reset, but that
would write onto the local machine, both filesystem and registry.
As such, a restore onto the other boots files would not include
changing the registry settings back (part of system state).
I am at a lack of info as to what does happen when attempting
access to the other system. Hence do not know if it is a relatively
healthy DC with policy issues in the way, or an unhealthy DC.
"West-Wind-7" <WestWind7@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C6762EBF-EDFA-4BC7-8995-D95AA4A163A5@xxxxxxxxxxxxxxxx
> Thanks Roger - OK - just finished a second windows server installation to
> another folder on C Drive WINNT2..
>
> Guess the next step is to restore the system state from the tape back to the
> original WINNT folder?
>
> Will try this and see if she boots up in the first installation....
>
> Will keep you posted...
>
> Blessings and thanks again...
>
> WW7
>
> John 14:6
> Jesus saith unto him, I am the way, the truth, and the life: no man cometh
> unto the Father, but by me.
>
>
>
>
> "Roger Abell [MVP]" wrote:
>
>> So then the policy is disallowing all login by all users at all machines?
>> The remote tools would need to be run with a recognized domain
>> account having admin priv in order to edit the group policy objects.
>> That pretty much makes running from a CD boot not an option.
>> I had thought that with Windows 2000 one could not block the
>> built-in Administrator account from being able to log in (while in
>> Windows Server 2003 one can, but not from a safe mode boot).
>> The built-in Administrator account may have been renamed, but
>> if you know what the account is then perhaps this will give you
>> a route to log in.
>>
>> "West-Wind-7" <WestWind7@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:A5E710B2-AC12-4172-B770-9BBD2906545F@xxxxxxxxxxxxxxxx
>> > Thank you and Bless you Roger for your time in answering - VERY much
>> > appreciated.
>> >
>> > Will soon attempt your suggestion if we can access the Server from the
>> > workstation.
>> > (last message denied access to the server from the workstation - the WKSTN
>> > boots up on cached profile only) The interactive logon problem has applied to
>> > ALL users in the Domain.
>> >
>> > Yes - it is very possible we are at a pre-DC state on the server after the
>> > manual security reset.
>> >
>> > Yes - we have a very recent back up of the system state, but how do we logon
>> > to use the tape deck (Dell SCSI) ??
>> >
>> > Worst case Roger, can we use the tools suggested from a CD Rom or floppy
>> > boot?
>> >
>> > God Bless you again and thank you again....
>> >
>> > Take care -
>> >
>> > WW7
>> >
>> > "Roger Abell [MVP]" wrote:
>> >
>> >> The message is referring to the effective policy.
>> >> The setting could originate anywhere.
>> >> NTrights pokes the effective setting and gives you on a DC
>> >> a 5 minute window to log in. You need to find which GPO
>> >> this was set in and change it back.
>> >> If you need, you can define a temp GPO linked onto the DC OU
>> >> at highest priority that sets a value of Administrators as having the
>> >> log on local user right in order to not hassle with things while finding
>> >> and changing back what had been set accidentally.
>> >>
>> >> However, you now have other issues due to the effort with resetting
>> >> the security. I am not quite sure where things are at for you now
>> >> since that probably tweaked things back to pre-domain controller
>> >> config. Can you install the adminpak.msi (www.microsoft.com/downloads)
>> >> on a machine in the domain and use the mmc tools to get at the config
>> >> of the domain remotely ?? Also grab GPMC while you are at downloads.
>> >>
>> >> If you had not tried the reset we could have pulled you out of this, per the
>> >> comments of the opening paragraphs and remote tools. With the reset
>> >> attempted I do not know. How far did things get and what happened??
>> >> The best chance at this point may be if you have a recent valid full backup
>> >> of the system state so that an authoritative restore could be done.
>> >>
>> >> Hopefully others reading this have some ideas . . .
>> >>
>> >>
>> >> It is sometimes useful to disallow admins local login.
>> >> That can be a valid and desirable deployment.
>> >> MS cannot anticipate what is unlikely a useful configuration and
>> >> make the settings for same impossible, although in a very few
>> >> cases they have, since as soon as it is said "that is not a valid
>> >> thing to do" a situation comes along in which it is.
>> >> That said, it is possible, and I have seen, Domain Admins completely
>> >> locked out from all ability to log into or manage their forest. Sort of
>> >> foolish, to do and to allow to be done, but I guess it is a case of at
>> >> what point do you allow and disallow.
>> >>
>> >> "West-Wind-7" <WestWind7@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:88C35619-1C73-4095-8E11-949155242A39@xxxxxxxxxxxxxxxx
>> >> > Thanks Roger - The error message says the LOCAL POLICY..But it is true that
>> >> > the Domain Policy was edited but NOT the logon rights for any user.
>> >> >
>> >> > Used NTRIGHTS over the network, and that fixed it once. BUT, each time i
>> >> > (Administrator) logged on the same problem came back.
>> >> >
>> >> > So, i followed the MS instructions to manually edit the inf and ini security
>> >> > files to reset everything back to default.
>> >> >
>> >> > Still the same error message. NOW, NTRIGHTS will not work - so network
>> >> > access is not an option.
>> >> >
>> >> > We are a small 2 pc design Company also engaged in Christian Evangelism.
>> >> >
>> >> > It looks like i must install another copy of the OS in a separate folder and
>> >> > boot up through that, and then manually edit the files.
>> >> >
>> >> > Unless you can think of another way??
>> >> >
>> >> > REGARDING your comment :
>> >> >> If there were a simple way to reset everything when the system
>> >> >> believes you are not entitled to do so it would not be a very
>> >> >> well planned system design now would it ?
>> >> >
>> >> > WHY WOULD THE SYSTEM DENY THE ADMINISTRATOR LOGON RIGHTS???
>> >> >
>> >> > If the Admin can't get in the system is useless.
>> >> >
>> >> > Why would the system NOT warn an Admin that the changes made to the policies
>> >> > will PREVENT him from logging back on??
>> >> >
>> >> > It is a conundrum, and having scoured the internet, multitudes of other
>> >> > people have experienced this very same issue.
>> >> >
>> >> > CONCLUSION : It is an MS flaw in the way the OS responds to Security Policy
>> >> > changes made by an Administrator who is NOT a Degree Holder in Computer
>> >> > Science. The OS MUST tell the person, BEFORE the changes are absorbed, that
>> >> > doing so will LOCK THEM OUT OF THE SYSTEM...
>> >> >
>> >> > It does not do that, otherwise i would NOT be in this mess.
>> >> >
>> >> > If you have any other ideas of how to reset the security back to default,
>> >> > with ZERO Domain access we would ALL love to know,
>> >> >
>> >> > Bless you Roger and thank you for your reply ... very much appreciated...
>> >> >
>> >> > In Christ and in Truth...
>> >> >
>> >> > WW7
>> >> >
>> >> >
>> >> >
>> >> > "Roger Abell [MVP]" wrote:
>> >> >
>> >> >> You have told us this is with Windows 2000 server.
>> >> >> However, your subject says Domain Controller, but your message
>> >> >> says the change was in the local security policy, which is not used
>> >> >> on domain controllers.
>> >> >>
>> >> >> What is it that you modified ?? If it was only the Log on Locally
>> >> >> and/or the Deny log on locally policies, then just edit the GPO
>> >> >> remotely over network with a domain admin account and reverse
>> >> >> the changes.
>> >> >>
>> >> >> If there were a simple way to reset everything when the system
>> >> >> believes you are not entitled to do so it would not be a very
>> >> >> well planned system design now would it ?
>> >> >>
>> >> >>
>> >> >> "West-Wind-7" <WestWind7@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> >> news:8A59B55E-6062-429D-B146-F958EC25532B@xxxxxxxxxxxxxxxx
>> >> >> > "The local policy of this system does not permit you to logon
>> >> >> > interactively"
>> >> >> >
>> >> >> > Hello Everyone - i made a small and insignificant change to the local
>> >> >> > security policy. NO ERROR MESSAGE, that i would be locked out of the server,
>> >> >> > and for this i am very upset with MS.
>> >> >> >
>> >> >> > Anyhow, i CANNOT logon with ANY USER, not even the built in Administrator in
>> >> >> > Directory Services Mode. This has been for over 10 days now. DO NOT WANT TO
>> >> >> > LOSE the profiles.
>> >> >> >
>> >> >> > Does ANYONE know of a floppy boot up program that will RE-SET all Domain
>> >> >> > Controller Security back to DEFAULT???
>> >> >> >
>> >> >> > Re-setting the Password is not the issue.
>> >> >> >
>> >> >> > How CAN all SECURITY be reset to default, via a boot-up floppy program to
>> >> >> > allow logon normally again without this RIDICULOUS MESSAGE "The local policy
>> >> >> > of this system does not permit you to logon interactively"
>> >> >> >
>> >> >> > SURELY, there is a way to easily reset the security?
>> >> >> >
>> >> >> > Hope someone can suggest something...
>> >> >> >
>> >> >> > Thank you and God Bless you...
>> >> >> >
>> >> >> > West-Wind-7
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >>
>> >> >>
>> >> >>
>> >>
>> >>
>> >>
>>
>>
>>
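
Added example, not posted by anyone in this thread: the lockout above turns on the "Log on locally" and "Deny log on locally" user rights, so this Python check reads the [Privilege Rights] section of a security template (the INF text format used by GptTmpl.inf, passed in as already-decoded text) and reports settings that would leave the built-in Administrators group without interactive logon. The function names and both sample templates are constructed for the illustration.

```python
# Added example: pre-apply lockout check for a security template.
ADMINS = {"*s-1-5-32-544", "administrators", "builtin\\administrators"}
EVERYONE = {"*s-1-1-0", "everyone"}  # Administrators are covered by Everyone

# Constructed sample templates (not taken from the thread).
SAFE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
"""
RISKY = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-551
SeDenyInteractiveLogonRight = *S-1-1-0
"""

def privilege_rights(inf_text):
    """Return {right_name: [accounts]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts an INF comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "privilege rights" and "=" in line:
            name, value = line.split("=", 1)
            rights[name.strip()] = [a.strip() for a in value.split(",") if a.strip()]
    return rights

def lockout_warnings(inf_text):
    """List reasons Administrators could lose interactive logon."""
    rights = {k.lower(): {a.lower() for a in v}
              for k, v in privilege_rights(inf_text).items()}
    warnings = []
    allow = rights.get("seinteractivelogonright")  # None means "not defined"
    deny = rights.get("sedenyinteractivelogonright", set())
    if allow is not None and not (allow & (ADMINS | EVERYONE)):
        warnings.append("SeInteractiveLogonRight is defined without Administrators")
    if deny & (ADMINS | EVERYONE):
        warnings.append("SeDenyInteractiveLogonRight covers Administrators or Everyone")
    return warnings

if __name__ == "__main__":
    for label, text in (("SAFE", SAFE), ("RISKY", RISKY)):
        print(label, lockout_warnings(text) or "no lockout risk found")
```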