Re: Locked out of Win2k Server
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 02/14/05
Date: Mon, 14 Feb 2005 08:21:07 -0700
When you joined the rebuilt machine to the domain it was
subjected to the Group Policy GPOs of the domain.
Those are what were causing your initial issue with the
first build - and those were likely the ones to which I did
point. Those GPO settings were still in effect ready to
configure the machine once it was joined.
In the future, I would suggest that you do not modify
GPO settings of your existing GPOs while learning.
Instead, define a new GPO linked to a restricted area,
such as an OU specifically defined for the testing and
into which you have moved the accounts and computers
to be used in the test. Then, modify policy settings in
the GPO defined for this testing.
That way, if things go completely wrong, you can either
unlink the GPO, or delete the GPO, or move the user
or computer object out of the OU, in order to reverse
the effect.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"[-=Dan=-]" <getbent@ease.com> wrote in message
news:37bgj1F56v85nU1@individual.net...
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:%23c6xIFOEFHA.1040@TK2MSFTNGP09.phx.gbl...
> >I have read all of your posts - twice
> > and I am still unclear why everyone seems to think
> > you are saying that you cannot log into any machine
> > in the domain. I can see how what you have said
> > could be interpreted as that way, but I can also see
> > how you may be speaking only about logging into
> > just that one member - which is the case?
> >
> > That you cannot log into the member server with either
> > a domain or machine local account can be simply
> > reversed by checking a few policies in whatever GPOs
> > might have the member in their scope of application.
> > Check especially, both in the computer settings tree of
> > policies, 1) the User Right to Log on locally, and Deny
> > local logon, and 2) the membership of any Restricted
> > groups (if you have defined these) that might be used
> > in the two User Right policies just mentioned.
> >
> Hi Roger,
>
> sorry for the confusion. My problem is that I can not logon onto the member
> server with a domain or local account. I rebuilt the member server and it
> was great, working fine, until I joined it to the domain. Ever since then, I
> cannot logon to it locally *or* log into the domain from it. I've run
> dcpromo on the server to remove AD, and just reinstalled AD, hopefully to
> get rid of any policies. Of course now, I still cannot logon to the member
> machine. So now, I will rebuild said member server *again*.
>
> This will hopefully fix the problem, but what I don't understand is how this
> has happened. I'm 99% sure that I didn't apply *any* of the 'Computer
> configuration' settings in the policy, only the 'User configuration' ones.
>
> Thanks all for your help
>
>
> Dan
>
>
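
The check named in the quoted reply above (the "Log on locally" and "Deny local logon" user rights in a GPO that applies to the member server), as an added example that is not part of the original thread. It assumes the text of the GPO's security template (GptTmpl.inf, stored with the GPO in SYSVOL) has already been read into a string; the sample template and its domain SID are constructed, the function names are hypothetical, and Restricted Groups membership is not covered.

```python
import configparser

ADMINISTRATORS = "S-1-5-32-544"
# Well-known SIDs that are broad enough to lock out most or all accounts.
BROAD = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
         "S-1-5-32-544": "Administrators", "S-1-5-32-545": "Users"}

# Constructed sample of a GPO security template; the domain SID is made up.
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeDenyInteractiveLogonRight = *S-1-5-32-545,*S-1-5-21-1111111111-2222222222-3333333333-513
"""

def parse_privilege_rights(inf_text):
    """Return {right_name: [principal, ...]} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep the case of the right names
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {name: [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
            for name, value in cp.items("Privilege Rights")}

def lockout_findings(rights):
    """Flag user-right settings that can block local logon on machines in scope."""
    findings = []
    allow = rights.get("SeInteractiveLogonRight")
    # A right defined in a GPO replaces the machine's local setting, so a list
    # without Administrators removes the built-in admins' console logon.
    if allow is not None and ADMINISTRATORS not in allow:
        findings.append("Log on locally is defined without Administrators")
    for sid in rights.get("SeDenyInteractiveLogonRight", []):
        if sid in BROAD:
            findings.append(f"Deny local logon includes {BROAD[sid]}")
        elif sid.startswith("S-1-5-21-") and sid.endswith("-513"):
            findings.append("Deny local logon includes Domain Users")
    return findings

if __name__ == "__main__":
    for finding in lockout_findings(parse_privilege_rights(SAMPLE_GPTTMPL)):
        print("WARNING:", finding)
```

Run against each GPO whose scope includes the machine; GptTmpl.inf files are normally UTF-16 encoded, so decode them accordingly before parsing.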