Re: Locked out of Win2k Server

From: Mark Gamache (mark.gamache_at_css-security.com)
Date: 02/11/05


Date: Fri, 11 Feb 2005 11:26:58 -0800

If you have a machine that is in a workgroup, but has the adminpack.msi
installed, so it can manage domains, you can log in locally to it, and then
use Run As to connect to the domain and edit the GPO. This uses DCOM, if I
recall; nonetheless, you aren't logging in interactively.

-- 
Mark Gamache
Certified Security Solutions
http://www.css-security.com
"Don Wilwol" <wilwol@capital.net> wrote in message 
news:usNEKgGEFHA.624@TK2MSFTNGP09.phx.gbl...
> It sounds like you inadvertently set the policy on the default domain 
> policy, or you linked it to the domain and not the OU.
>
> Maybe somebody else has a magic cure. I don't think there is an easy fix.
>
> dw
>
> -- 
> Don Wilwol
> http://spaces.msn.com/members/wilwol/
>
>
> "[-=Dan=-]" <getbent@ease.com> wrote in message 
> news:3746bpF59esocU1@individual.net...
>> "Don Wilwol" <wilwol@capital.net> wrote in message 
>> news:OWd$WTEEFHA.1496@TK2MSFTNGP14.phx.gbl...
>>> I'm not sure I fully understand. You cannot log onto the domain from 
>>> anywhere, or just from the one server? If you can get to the policy, you 
>>> should be able to undo your mistake. If you can log on from anywhere, I 
>>> had a colleague that had a customer do the same thing. I found this hack 
>>> for him. We never got to try it, they wound up restoring AD from backup, 
>>> but if it's the last hope!
>>> http://www.commodore.ca/windows/undo_group_policy.htm
>>>
>>>
>>> good luck
>>>
>>> dw
>>>
>> The strangest thing. I just rebuilt the member server, did all the 
>> windows updates, installed AVG software. Runs ok. As soon as I join it 
>> onto the domain, when I reboot I cannot log into the domain, or locally. 
>> Get the same message. How can a user policy that I applied to an OU that 
>> contains one user, be applied to this server? I'm well stumped. I don't 
>> want to rebuild both servers....
>>
>> Any thoughts *GREATLY* appreciated...
>>
>> Dan
>>
>
> 

