Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Local Logon for Administrator Account

Status
Not open for further replies.
apexkid22

apexkid22

MIS
Aug 25, 2002
4
0
0
US
Hello,

I have a Windows 2000 Adv Server machine that was initially setup to deny local logon to administrators. I am now unable to connect to the domain using the administrator account. I am getting the error message that I am unable to logon interactively with the local security policy.

I am not sure as to why I am unable to access my domain, can anyone offer suggestions to what may be going on or any process I can take in order to get around this dilema?

All Help Appreciated !!

Charles
 
Sort by date Sort by votes
The setting for "Logon locally" you can find it in local policy. So, try to log on with a user with administrative rights, and change the local policy.
If that policy change is coming from the AD were the system belongs then check the Group policy from AD structure (check the OU one, domain,...).
Also you can force that setting using Group Policy in your OU or domain.

Success! Gia Betiu
m.betiu@chello.nl
Computer Eng. CNE 4, CNE 5
 
Upvote 0 Downvote
First of all thank you very much to your response to my situation. My problem continues with the fact that I am totally locked out of this machine. All of the accounts with administrator rights including the administrator are unable to access this machine. When attempting to do so
I am getting the message that due to the local security policy you are unable to logon interactively.

I am not sure what could have happened to cause this situation? I can still access the files from this server accross the network from other computers . . .just not the domain controller computer. Could the domain be down?

What suggestions do you have with this in mind ... I cannot stand the thought of having to reinstall and start over?

Charles
 
Upvote 0 Downvote
Have you tried logging on as a user without admin rites, like guests? Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com
[yinyang]

"Patience is more powerful than force."
Plutarch (46-125 A.D.);
 
Upvote 0 Downvote
Glen,

Yes I have tried all kinds of accounts. The server was setup to prevent Domain Users from logging in and the Guest Account was disable by the machine in a security check. All accounts have been tested with no luck as of yet.

What is the worst case seceniaro here?
 
Upvote 0 Downvote
Glen,

Yes I have tried all kinds of accounts. The server was setup to prevent Domain Users from logging in and the Guest Account was disable by the machine in a security check. All accounts have been tested with no luck as of yet.

What is the worst case seceniaro here?
 
Upvote 0 Downvote
try going to or do a google search for your problem. I looked there breifly, but didn't see anything. I know I've seen this problem listed in this forum in the past, I just can't remember the solution. Anybody remember? Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com
[yinyang]

"Patience is more powerful than force."
Plutarch (46-125 A.D.);
 
Upvote 0 Downvote
Are you trying to logon to the server locally or from another machine in the domain?
 
Upvote 0 Downvote
I have found a possible solution to correct my problems. Ths solution instructs me to use the NTRights.exe program from the MS Windows 2000 Resource Kit. Is this something that I already have with the setup disks or is this a third-part program?

It instructs me to perform the following procedure, syntax: (what does syntax mean? is this done from the Run Command or DOS Prompt for another machine)

ntrights -m \\computer -u group or user to remove -r SeDenyInteractiveLogonRight

Can anyone help with step by step instructions?

Hopefully I am getting somewhere!!

Charles
 
Upvote 0 Downvote
'Syntax' is simply the structure and use of the command. So to give local logon rights to a user called apexkid22 on computer Server1, you would type the following on the command prompt from another machine. NB You need to be an admin to run this tool.

ntrights -m \\Server1 -u apexkid22 -r SeDenyInteractiveLogonRight

If it is a domain account you might need to include that in the username (ie domain\apexkid22).

NTRights.exe comes from the Resource Kit, which is not included with standard W2K distribution, (I don't think!) You may be able to find a copy on the internet if you do not have it.
 
Upvote 0 Downvote
Another idea...(NB I have not tried this, so don't blame me if it all goes wrong!!)

The secutity policy is kept in %systemroot%\Security\Database\secedit.sdb.

If you can access the machine remotely (ie from another machine) then you could try to rename that file to secedit.sd_ and replace it with one from a server that you can log into. (NB make you you replce it with a file from a machine running the same version of windows, eg Adv Server to Adv Server). Then reboot and see what happens!

Personally I would try using Ntrights before this!
 
Upvote 0 Downvote
Hi,


Try this. Normally using an administrator account there shouldb be possible to manage the registry settings remote.
So, do the following:
launch mmc / console / add remove snapin / group policy / group policy object /browse / select your server

The group policy from that server will be load

Go to local policies / user rights assignment

check:
deny logon locally
log on locally
Don't forget to check also the OU or Domain level GPOs. Those will overwrite your local settings!

Tell me the results.
Gia Betiu
m.betiu@chello.nl
Computer Eng. CNE 4, CNE 5
 
Upvote 0 Downvote
I know little about server as I am a desktop support technician. However, I found this utility that allows you to boot from a floppy and change passwords on any NT based system including NTFS partitions. At least you can change passwords on any account on computer and gain access. Good luck!

 
Upvote 0 Downvote
How about if you were to restore Active Directory to a time prior to the GPO being created and executed. That might work easier.
 
Upvote 0 Downvote
why dont you try a restart and LAst Known Good Configuration? A+, MCP, CCNA
marbinpr@hotmail.com

Keep fighting for your knowledge!

 
Upvote 0 Downvote
Last good configuration won't do anything since the server didn't crash and corrupt the registry/active directory.
 
Upvote 0 Downvote
Your right...As he was able to log in when the changes were made, LKGC wont do anything at this point..
One thing you could do is to know what registry key and values are modified when you make the changes to that particular policy (Deny local log on). Then boot into Restore mode, and modify the value of the registry using regedit from the Console. A+, MCP, CCNA
marbinpr@hotmail.com

Keep fighting for your knowledge!

 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Abdullah Al Maruf
  • Locked
  • Question
Telnet help for
Replies
2
Views
103
gbaughma
gbaughma
MattM1975
  • Locked
  • Question
Domain Admin Logon 1
Replies
2
Views
80
ADB100
ADB100
tscstl
  • Locked
  • Question
access to local folder
Replies
1
Views
75
hairlessupportmonkey
hairlessupportmonkey
goombawaho
  • Locked
  • Question
Microsoft Azure Active Directory - Backup Admin Account 1
Replies
2
Views
128
goombawaho
goombawaho
mangentle
  • Locked
  • Question
What are the key advantages of using Microsoft Windows Servers for businesses?
Replies
1
Views
133
gbaughma
gbaughma

Part and Inventory Search

Sponsor

Back
Top