Re: Reset Group Policy back to out of the box default
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 28 Aug 2006 16:08:54 -0500
My bad. Thanks for catching that. Yes I meant -r SeDenyInteractiveLogonRight
to make sure that those groups were not included in deny logon locally. If
you know exactly what security template he applied that could be helpful in
determining the problem with user rights. You also could try running dumpsec
which is free from SomarSoft to see what the user rights are on that
computer. If you have proper connectivity you should be able to dump those
from your PC under report - select computer.
Steve
http://www.somarsoft.com/ --- Dumpsec
"seh" <seh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:07C90807-79DD-4163-8920-6A9FF50F0ADF@xxxxxxxxxxxxxxxx
Steve,
Thanks for the info. I've tried the +r SeInteractive and -r SeDeny for
admin. I'll try it for all other groups as well. I'm assuming in your
response, for the -r it would be SeDenyInteractive...?
Thanks,
seh
"Steven L Umbach" wrote:
Assuming you have access to the server over the network as an
administrator
as evidenced by your ability to access and administrative share such as
C$
then NTRights should work. Keep in mind that the privilege you specify
with
NTRights is case sensitive which means that SeInteractiveLogonRight and
SeDenyInteractiveLogonRight need to be typed exactly as shown. Also the
server may need to be rebooted after changing user rights. I would try
giving everyone +r SeInteractiveLogonRight and then grant everyone,
users,
authenticated users, and administrators -r SeInteractiveLogonRight as any
user that is included in deny logon user right will not be allowed to
logon
even if they have allow user right. If none of that helps you could also
try
using psexec from SysInternals/Microsoft to access the command prompt on
the
locked out server and use secedit to reset user rights back to default
defined levels being sure to add areas / user_rights to the end of the
command as shown in the KB article below. If you don't specify /areas the
command will disable many critical services on Windows 2003.
Steve
http://www.sysinternals.com/Utilities/PsExec.html --- psexec
http://support.microsoft.com/default.aspx?scid=kb;EN-US;313222
"seh" <seh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3F164A77-572A-4BD6-8DBD-9B9F56D8CAAC@xxxxxxxxxxxxxxxx
Does anyone know how to reset the policy settings back to the default
out
of
the box settings? We had a "power user" decide he needed to update his
stand
alone server with member server updates. Now everyone is locked out
and
unable to log in. I can map a drive to the box and connect to the box
w/
mmc. I've ran ntrights to add LogonRights, but it still fails. It
cycles
between to errors, Policy doesn't allow you to log on locally and Not
in
the
Allow Remote Login.
Any suggestions?
Thanks,
seh
.
- References:
- Re: Reset Group Policy back to out of the box default
- From: Steven L Umbach
- Re: Reset Group Policy back to out of the box default
- Prev by Date: Re: Reset Group Policy back to out of the box default
- Next by Date: Re: where is client certificate on server usually installed?
- Previous by thread: Re: Reset Group Policy back to out of the box default
- Next by thread: Re: Reset Group Policy back to out of the box default
- Index(es):
Relevant Pages
|
