Re: Loca Administrator "locked out"

What Mike originally suggested should work but I would also add users and/or
administrators to the logon locally user right in the GPO linked to the OU
where you moved the computer. If that is not working then you have a problem
with Group Policy applying for various reasons to that computer which may
show up as userenv errors/warnings in the application log that you should be
able to view remotely or while logged on as a regular user account. It may
also help to view the security logs on that computer to see what the failed
logons say and you can do that remotely via Computer Management - other
computer. If all fails what may work to undo a Local Security Policy user
right problem is to copy the \winnt\repair\security file to the
\winnt\system32\config folder after renaming the security file there first.
You would have to do that outside of the operating system by placing the
hard drive in another computer as a secondary/slave drive or booting with
something like Bart's PE. --- Steve

"OxygeN" <bonnyREMOVEfused@xxxxxxxxxxxxxx> wrote in message
Paul Adare ha scritto:

Sorry to contradict you here Mike, but this simply won't work. the Allow
and Deny Logon locally policies are cumulative which means both the local
settings and any domain based GPO settings are combined.

I noticed this behaviour, because I didn't get any positive results while
adding a "random" user to that policy: Administrator STILL can't logon.

Your suggestion later in this thread about logging on with an account
that is a member of Domain Admins should work, assuming that Domain
Admins is still a member or the local Administrators group and that is
indeed the account Administrator that has been denied the logon locally
right and not the Administrators group.

I'm sorry, but as I believe to have mentioned before: the SAD thing is
that no "Domain Admins" group is part of the local Administrators group..

I guess my only solution is to reinstall Win2k, or what do you think?