Win 2k Logon Problem--local policy setting 1

[nywin2k]

As any true computer geek would be doing, I was fiddling around with Win 2K's settings (to enhance performance and security, of course) and now I can't log in to my system.

I receive the following error message when I try to log in:

"The local policy of this system does not permit you to log in interactively."

I tried logging in using safe mode, last known good configuration, and alternate logins (guest, backup, etc.) -- nothing works. I also tried using the Win2K installation CD and choosing the installation option to "Repair" the Win2K installation. I've tried logging in with accounts set up under different groups -- Administrators, Power Users, Users, Authenticated Users, Guests, Backup Operators (some the default accounts, others ones I created for family members to use my computer) and no dice.

I'm only able to get on-line as I'm on my sister's computer via a webmail interface (running Win_ME), which is set up on a network with my other computer but, of course, I can't access any drives on my own computer as Win_ME can't read NTFS. (Although I've since found other programs that will permit this.)

Basically, the system boots fine, and I get to the logon screen but, no matter what I do, I receive the same error message (above). I even tried to hook up my friend's notebook computer running Win_2K and connect to my computer over the local LAN but it wouldn't recognize the existence of my own computer (even if I specified the local IP, 198.168.....) Perhaps that's b/c his computer is from work and has all these other restrictions on it ... not sure.

In any event, any help anyone could provide would be much appreciated. Thanks!

 

[comfysofa]

Ive had this before.....cant remember exactly what it was - but firstly can you log in a local admin? if so then that would be the first hurdle over......from what i remember at the time i had to do a quick fix - (user getting short tempered) and backed up the profile, created another one and the problem was gone.....see if this helps

 

[nywin2k]

Can't logon, period -- that's the whole problem. =(

 

[wolluf]

You've set the local group policy which prohibits local logon to the machine! Presumably you must have prohibited all groups. If you can connect another 2k machine to it over the LAN (which can see it of course), you could run mmc and load the Local Group Policy snap-in for your machine & undo the changes you've made (assuming of course that you haven't also prohibited access to the machine from the network too! - which is quite possible as the 2 settings are very near each other). Its Computer Configuration|Windows Settings|Security Settings|Local Policies|User Rights Assignment if you can get in.

btw - you should be able to read your machine's filestore from ME machine over the network (filestore on the local machine is immaterial over a network) - presuming you have shared some resources and the 2k machine has an account set up with same credentials you log onto ME with.

PS. You may not be able to fix this - in which case you'll probably need to retrieve your data/settings so you can do a clean reinstall. Loading drive as slave in another machine or installing a parallel version of 2k (eg, to win2k instead of winnt - so doesn't overwrite existing) should give you access to your data.

 

[nywin2k]

I finally resolved the situation, without having either to re-install Windows or use the NTrights utility that's on the expensive MS2K Server Resources CD ... this is how I did it:

I booted the computer from the installation CD and opted for a "Repair" installation using the "Console" method. With that, I was able to backup the logon.scr to another filename (a simple RENAME command), delete logon.scr, and then COPY cmd.exe to logon.scr.

I rebooted, without the installation CD, and got to the same point as I had before. I waited, waited, waited, and finally, the command prompt appeared! Yippee!!!

At the command prompt, I figured out that I could launch the GUI by typing "EXPLORER". Once in explorer, I was able to go into the Settings | Control Panel | Administrative Tools | Local Security Policy. I tried to start the Local Security Policy from the GUI but it wouldn't work!

After a while, I figured out that none of the programs I tried to launch from the GUI shell would run; however, I was able to launch anything from the CLI (command prompt). So, I went back to Settings | Control Panel | Administrative Tools | Local Security Policy and this time RIGHT-clicked on it and selected PROPERTIES. I wanted to see what the command prompt was to run the program. I then copied the entire text from the TARGET line, and pasted it into the CLI. BOOM, it worked!

Once I had the Local Security Policy running, I was then able to un-do the changes that I did in the first place which prevented me from logging into my machine interactively. Once the changes were saved, I then shut down, rebooted, and voila, I was in!

I doubt very much that MS knows just how unsecure their products really are ...

 

[wolluf]

Very ingenious!

I've seen that logon.scr/cmd.exe trick mentioned before on these forums - you've put it to very good use.