Re: Locked out of Win2k Server

From: Don Wilwol (donwilwol_at_yahoo.com)
Date: 02/14/05


Date: Mon, 14 Feb 2005 13:32:27 -0500

Dan
If you haven't already done so, download the group policy management console
(GPMC.msi) and use it. It gives some nice planning capabilities.

-- 
Hope it helps...........
dw
Don Wilwol
Blog - http://spaces.msn.com/members/wilwol/
Web - http://capital.net/~wilwol/dw.htm
DonWilwol@yahoo.com
"[-=Dan=-]" <getbent@ease.com> wrote in message 
news:37c622F59517kU1@individual.net...
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message 
> news:Osp1hhqEFHA.1264@TK2MSFTNGP12.phx.gbl...
>> When you joined the rebuilt machine to the domain it was
>> subjected to the Group Policy GPOs of the domain.
>> Those are what were causing your initial issue with the
>> first build - and those were likely the ones to which I did
>> point.  Those GPO settings were still in effect ready to
>> configure the machine once it was joined.
>>
>> In the future, I would suggest that you do not modify
>> GPO settings of your existing GPOs while learning.
>> Instead, define a new GPO linked to a restricted area,
>> such as an OU specifically defined for the testing and
>> into which you have moved the accounts and computers
>> to be used in the test.  Then, modify policy settings in
>> the GPO defined for this testing.
>> That way, if things go completely wrong, you can either
>> unlink the GPO, or delete the GPO, or move the user
>> or computer object out of the OU, in order to reverse
>> the effect.
>>
>> -- 
>> Roger Abell
>> Microsoft MVP (Windows  Security)
>> MCSE (W2k3,W2k,Nt4)  MCDBA
>> "[-=Dan=-]" <getbent@ease.com> wrote in message
>> news:37bgj1F56v85nU1@individual.net...
>>> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>>> news:%23c6xIFOEFHA.1040@TK2MSFTNGP09.phx.gbl...
>>> > I have read all of your posts - twice
>>> > and I am still unclear why everyone seems to think
>>> > you are saying that you cannot log into any machine
>>> > in the domain.  I can see how what you have said
>>> > could be interpreted that way, but I can also see
>>> > how you may be speaking only about logging into
>>> > just that one member - which is the case?
>>> >
>>> > That you cannot log into the member server with either
>>> > a domain or machine local account can be simply
>>> > reversed by checking a few policies in whatever GPOs
>>> > might have the member in their scope of application.
>>> > Check especially, both in the computer settings tree of
>>> > policies, 1) the User Right to Log on locally, and Deny
>>> > local logon, and 2) the membership of any Restricted
>>> > groups (if you have defined these) that might be used
>>> > in the two User Right policies just mentioned.
>>> >
>>> Hi Roger,
>>>
>>> sorry for the confusion. My problem is that I cannot log on to the member
>>> server with a domain or local account. I rebuilt the member server and it
>>> was great, working fine, until I joined it to the domain. Ever since then,
>>> I cannot log on to it locally *or* log into the domain from it. I've run
>>> dcpromo on the server to remove AD, and just reinstalled AD, hopefully to
>>> get rid of any policies. Of course now, I still cannot log on to the member
>>> machine. So now, I will rebuild said member server *again*.
>>>
>>> This will hopefully fix the problem, but what I don't understand is how this
>>> has happened. I'm 99% sure that I didn't apply *any* of the 'Computer
>>> configuration' settings in the policy, only the 'User configuration' ones.
>>>
>>> Thanks all for your help
>>>
>>>
>>> Dan
>>>
>>>
>>
> Hi Roger,
>
> thanks for your reply. The strange thing is, I did create a new OU with 
> just the one user in for my policy testing. I'm 99.9% sure that I didn't 
> modify the default domain policy, unless someone else did it when I wasn't 
> watching!
>
> I've rebuilt the member after uninstalling/reinstalling AD on the domain 
> controller, and am gingerly modifying my policy on the new OU!
>
> Thanks again
>
> Dan
> 
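
The checks Roger lists in the thread above (the Log on locally and Deny local logon user rights, plus Restricted Groups membership) can be run against a GPO's security template before the GPO is linked. This is an added example, not part of the original posts: it assumes the settings are read from a GptTmpl.inf-style file, uses a constructed sample, and the function names and the accounts TestOperators and TestAdmin are hypothetical.

```python
import re

ADMINISTRATORS = "S-1-5-32-544"  # well-known SID, same on every install
BROAD = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
         "S-1-5-32-545": "Users", ADMINISTRATORS: "Administrators"}

# Constructed sample of a GPO security template; account names are made up.
SAMPLE_INF = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-551,TestOperators
SeDenyInteractiveLogonRight = *S-1-5-11
[Group Membership]
*S-1-5-32-544__Members = TestAdmin
"""

def parse_inf(text):
    """Return {section: {key: [values]}}; the '*' SID marker is stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, _, val = line.partition("=")
            current[key.strip()] = [v.strip().lstrip("*") for v in val.split(",") if v.strip()]
    return sections

def lockout_findings(text):
    """Flag settings that can block local logon for machines in scope."""
    inf, out = parse_inf(text), []
    rights = inf.get("Privilege Rights", {})
    allow = rights.get("SeInteractiveLogonRight")
    # Only SIDs are compared; an entry written as a plain name is not resolved.
    if allow is not None and ADMINISTRATORS not in allow:
        out.append("Log on locally is defined without Administrators")
    for sid in rights.get("SeDenyInteractiveLogonRight", []):
        if sid in BROAD:
            out.append(f"Deny local logon includes {BROAD[sid]}")
    for key in inf.get("Group Membership", {}):
        group, _, kind = key.partition("__")
        sid = group.lstrip("*")
        if kind.lower() == "members" and sid in BROAD:
            out.append(f"Restricted Groups replaces members of {BROAD[sid]}")
    return out

if __name__ == "__main__":
    print("\n".join(lockout_findings(SAMPLE_INF)))
```

A real template sits under the GPO's Machine\Microsoft\Windows NT\SecEdit folder in SYSVOL and is usually UTF-16 encoded, so decode it before passing the text in.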

