How to access "Local security Setting" Remotly

[vijmat]

I have a user who installed something on his Windows 2000 Professional SP3 machine and now it will not allow anyone to log into the PC (neither local nor domain users). You can remotely access the drives and files. Looks like something got changed on the "Local Security Setting". Most probably it could be "Logon Locally" Policy, is what I feel (I could be wrong). It gives us the error "The local policy of the system does not permit you to logon interactively"

I am trying to access the "Local Security Setting" remotely and I don't know how. I have all security permissions on the box, it would not let anyone login.

I know, I can rebuild the PC and restore his data and got over this problem, but I would really like to know, how to get into the "Local security Setting" remotely

Please help

Viju Mathai

 

[vijmat]

We even tried sysprep. It did not touch the "Local Security Settings"

HELP

 

[arlems]

I believe you can. I have never done this before though, but I am familiar with Registry editing, therefore think that it can be done. Some experts might be able to help you further.

If you know what registry key is affected, you could remote connect to the registry of this PC by using Regedit or Regedt32.

I believe that "The local policy of the system does not permit you to logon interactively" is a registry setting, but I might be wrong. You would need to know which key and what value to insert.

Hopefully, someone who knows better this type of senarios and handling can help you.

 

[minxca]

Hi,

you can overide from domain policy

 

[mgooder]

If you are using Group Policy, logon to the DC, go to AD users and open up the OU that contains that user. Go to properties and edit the group policy. Under computer configuration go to Security Settings and then local policies then user rights assignments. Make sure "deny logon locally is set as "not defined" or "disabled"

Rico

 

[packdragon]

When you set up your GPO as suggested above, make sure that the problem computer is granted rights to the GPO or it will never get applied. You will also want to make a note of the policy refresh interval since you will be unable to log on locally and manually refresh it. By default it takes 90 minutes, so you may want to temporarily change it to something shorter. Here are instructions on how to do that:

http://support.microsoft.com/defaul...port/kb/articles/Q203/6/07.ASP&NoWebContent=1

Good luck!

- Zoe, that's ZOH-EEE, get it right please
- Just a little ol' MCP at Solien Technology
-

http://www.solien.com

 

[vijmat]

I have tried all the above methods (registry and the GPO)and it is still not working.

 

[packdragon]

In looking at the suggestion for what the set in the GPO, I believe if a policy is left as Undefined, the local policy will be enforced. Make sure the "Deny" policy is Disabled. Also, you may also want to specify accounts in the "Log on locally" policy.

The other thing you'll want to verify is whether or not the GPO is actually being applied. Policies defined in the GPO should override local policies. After setting the policy, wait for the GPO's refresh interval. Check on a neighboring computer (preferably one that is in the same group as the problem computer) and see if the GPO has been applied. You can do this by looking at the Local Security Settings and comparing the Local Setting with the Effective Setting. See if your change appears.

-Zoe

- Zoe, that's ZOH-EEE, get it right please
- Just a little ol' MCP at Solien Technology
-

http://www.solien.com

 

[vijmat]

I disabled the "Deny Logon Locally" and it worked. After getting in, I found out that the software had actually put "Deny Logon Locally" to everyone. Crazy software. By the way it was Symantec Enterprise ghost software which did it.

Thanks a lot for all your help.

Viju

 

[packdragon]

Crazy software indeed! Glad you got your problem solved. Thank goodness for GPOs!

- Zoe, that's ZOH-EEE, get it right please
- Just a little ol' MCP at Solien Technology
-

http://www.solien.com