[-=Dan=-]
Guest
Posted: Fri Feb 11, 2005 7:56 pm
Post subject: Locked out of Win2k Server
Hi all,
I have a Windows 2000 server as a member server of a Windows 2000 AD Domain.
I've been messing with policies of an OU on the domain controller, trying to
lock down a desktop. Now, I can't logon to my member server, either through
TS or at the console, I get "The local policy of this system does not permit
you to logon interactively". I can't logon to the local machine, even using
the Administrator account. And I can't logon to the domain, again using the
Administrator account.
I'm well and truly knobbed off.
Does anyone have any ideas before I rebuild this server?
TIA
Dan
Don Wilwol
Guest
Posted: Fri Feb 11, 2005 8:20 pm
Post subject: Re: Locked out of Win2k Server
I'm not sure I fully understand. You cannot log onto the domain from
anywhere, or just from the one server? If you can get to the policy, you
should be able to undo your mistake. If you can log on from anywhere, I had
a colleague that had a customer do the same thing. I found this hack for
him. We never got to try it, they wound up restoring AD from backup, but if
it's the last hope!
http://www.commodore.ca/windows/undo_group_policy.htm
good luck
dw
--
Don Wilwol
http://spaces.msn.com/members/wilwol/
"[-=Dan=-]" <getbent@ease.com> wrote in message
news:373rt9F57bv0pU1@individual.net...
Quote:
Hi all,
I have a Windows 2000 server as a member server of a Windows 2000 AD
Domain. I've been messing with policies of an OU on the domain controller,
trying to lock down a desktop. Now, I can't logon to my member server,
either through TS or at the console, I get "The local policy of this
system does not permit you to logon interactively". I can't logon to the
local machine, even using the Administrator account. And I can't logon to
the domain, again using the Administrator account.
I'm well and truly knobbed off.
Does anyone have any ideas before I rebuild this server?
TIA
Dan
[-=Dan=-]
Guest
Posted: Fri Feb 11, 2005 8:33 pm
Post subject: Re: Locked out of Win2k Server
"Don Wilwol" <wilwol@capital.net> wrote in message
news:OWd$WTEEFHA.1496@TK2MSFTNGP14.phx.gbl...
Quote:
I'm not sure I fully understand. You cannot log onto the domain from
anywhere, or just from the one server? If you can get to the policy, you
should be able to undo your mistake. If you can log on from anywhere, I
had a colleague that had a customer do the same thing. I found this hack
for him. We never got to try it, they wound up restoring AD from backup,
but if it's the last hope!
http://www.commodore.ca/windows/undo_group_policy.htm
Hi Don,
thanks for your reply, sorry if my message was confusing. Basically, we can
forget the domain completely here. I can't even log on to the machine
locally. It's here right in front of me, and I can't login as administrator
to the machine itself, let alone the domain!
Dan
[-=Dan=-]
Guest
Posted: Fri Feb 11, 2005 8:51 pm
Post subject: Re: Locked out of Win2k Server
"[-=Dan=-]" <getbent@ease.com> wrote in message
news:373u2cF587thdU1@individual.net...
Quote:
"Don Wilwol" <wilwol@capital.net> wrote in message
news:OWd$WTEEFHA.1496@TK2MSFTNGP14.phx.gbl...
I'm not sure I fully understand. You cannot log onto the domain from
anywhere, or just from the one server? If you can get to the policy, you
should be able to undo your mistake. If you can log on from anywhere, I
had a colleague that had a customer do the same thing. I found this hack
for him. We never got to try it, they wound up restoring AD from backup,
but if it's the last hope!
http://www.commodore.ca/windows/undo_group_policy.htm
Hi Don,
thanks for your reply, sorry if my message was confusing. Basically, we
can forget the domain completely here. I can't even log on to the machine
locally. It's here right in front of me, and I can't login as
administrator to the machine itself, let alone the domain!
Dan
Ah feck it, it's being rebuilt. Thanks for your help.
Dan
Herb Martin
Guest
Posted: Fri Feb 11, 2005 9:31 pm
Post subject: Re: Locked out of Win2k Server
If you could not logon to both the domain and
the machine accounts then it is likely that you
were under attack.
Either a trojan/virus or someone in your organization
may be messing with the passwords.
Had you not failed with THE Administrator then I
might have suggested your Security Log was full
(with registry settings to down the machine.)
--
Herb Martin
"[-=Dan=-]" <getbent@ease.com> wrote in message
news:373v2tF55uh7jU1@individual.net...
Quote:
"[-=Dan=-]" <getbent@ease.com> wrote in message
news:373u2cF587thdU1@individual.net...
"Don Wilwol" <wilwol@capital.net> wrote in message
news:OWd$WTEEFHA.1496@TK2MSFTNGP14.phx.gbl...
I'm not sure I fully understand. You cannot log onto the domain from
anywhere, or just from the one server? If you can get to the policy, you
should be able to undo your mistake. If you can log on from anywhere, I
had a colleague that had a customer do the same thing. I found this hack
for him. We never got to try it, they wound up restoring AD from backup,
but if it's the last hope!
http://www.commodore.ca/windows/undo_group_policy.htm
Hi Don,
thanks for your reply, sorry if my message was confusing. Basically, we
can forget the domain completely here. I can't even log on to the machine
locally. It's here right in front of me, and I can't login as
administrator to the machine itself, let alone the domain!
Dan
Ah feck it, it's being rebuilt. Thanks for your help.
Dan
[-=Dan=-]
Guest
Posted: Fri Feb 11, 2005 10:50 pm
Post subject: Re: Locked out of Win2k Server
"Herb Martin" <news@LearnQuick.com> wrote in message
news:OEwFD8EEFHA.2508@TK2MSFTNGP09.phx.gbl...
Quote:
If you could not logon to both the domain and
the machine accounts then it is likely that you
were under attack.
Either a trojan/virus or someone in your organization
may be messing with the passwords.
Had you not failed with THE Administrator then I
might have suggested your Security Log was full
(with registry settings to down the machine.)
--
Herb Martin
Herb,
Thanks for your reply. The machine is up-to-date with virus protection, and
I don't think anyone in here is messing about.
[-=Dan=-]
Guest
Posted: Fri Feb 11, 2005 10:55 pm
Post subject: Re: Locked out of Win2k Server
"Don Wilwol" <wilwol@capital.net> wrote in message
news:OWd$WTEEFHA.1496@TK2MSFTNGP14.phx.gbl...
Quote:
I'm not sure I fully understand. You cannot log onto the domain from
anywhere, or just from the one server? If you can get to the policy, you
should be able to undo your mistake. If you can log on from anywhere, I
had a colleague that had a customer do the same thing. I found this hack
for him. We never got to try it, they wound up restoring AD from backup,
but if it's the last hope!
http://www.commodore.ca/windows/undo_group_policy.htm
good luck
dw
The strangest thing. I just rebuilt the member server, did all the Windows
updates, installed AVG software. Runs ok. As soon as I join it onto the
domain, when I reboot I cannot log into the domain, or locally. Get the same
message. How can a user policy that I applied to an OU that contains one
user, be applied to this server? I'm well stumped. I don't want to rebuild
both servers....
Any thoughts *GREATLY* appreciated...
Dan
Don Wilwol
Guest
Posted: Sat Feb 12, 2005 12:32 am
Post subject: Re: Locked out of Win2k Server
It sounds like you inadvertently set the policy on the default domain
policy, or you linked it to the domain and not the OU.
Maybe somebody else has a magic cure. I don't think there is an easy fix.
dw
--
Don Wilwol
http://spaces.msn.com/members/wilwol/
"[-=Dan=-]" <getbent@ease.com> wrote in message
news:3746bpF59esocU1@individual.net...
Quote:
"Don Wilwol" <wilwol@capital.net> wrote in message
news:OWd$WTEEFHA.1496@TK2MSFTNGP14.phx.gbl...
I'm not sure I fully understand. You cannot log onto the domain from
anywhere, or just from the one server? If you can get to the policy, you
should be able to undo your mistake. If you can log on from anywhere, I
had a colleague that had a customer do the same thing. I found this hack
for him. We never got to try it, they wound up restoring AD from backup,
but if it's the last hope!
http://www.commodore.ca/windows/undo_group_policy.htm
good luck
dw
The strangest thing. I just rebuilt the member server, did all the Windows
updates, installed AVG software. Runs ok. As soon as I join it onto the
domain, when I reboot I cannot log into the domain, or locally. Get the
same message. How can a user policy that I applied to an OU that contains
one user, be applied to this server? I'm well stumped. I don't want to
rebuild both servers....
Any thoughts *GREATLY* appreciated...
Dan
Steven L Umbach
Guest
Posted: Sat Feb 12, 2005 1:18 am
Post subject: Re: Locked out of Win2k Server
Can you logon to a domain controller?? If you can, create an OU with a GPO
that has the user right for logon locally set to be administrators and
users, and deny logon locally set to be guest. Then move the server into that
OU, run secedit /refreshpolicy machine_policy /enforce on the domain
controller, and reboot the locked out server. If you cannot logon to a
domain controller, can you logon to any computer in the domain?? If so,
install adminpak on a domain member computer [from the I386 folder of the
install disk for server], logon to that domain computer as domain admin
[this needs to be a known secure computer] and then set the user rights as I
described using Domain Controller Security Policy.
If you cannot do any of that, can you access the sysvol share in My Network
Places from another computer on the network, even a non-domain computer,
using domain admin credentials to connect to it?? If you can, another
possibility exists where you can navigate to the GptTmpl.inf file for the
policy causing the problem, manually edit it to modify the offending
user right restriction, and then bump up the version number in the gpt.ini
file. --- Steve
"[-=Dan=-]" <getbent@ease.com> wrote in message
news:373rt9F57bv0pU1@individual.net...
Quote:
Hi all,
I have a Windows 2000 server as a member server of a Windows 2000 AD
Domain. I've been messing with policies of an OU on the domain controller,
trying to lock down a desktop. Now, I can't logon to my member server,
either through TS or at the console, I get "The local policy of this
system does not permit you to logon interactively". I can't logon to the
local machine, even using the Administrator account. And I can't logon to
the domain, again using the Administrator account.
I'm well and truly knobbed off.
Does anyone have any ideas before I rebuild this server?
TIA
Dan
Mark Gamache
Guest
Posted: Sat Feb 12, 2005 1:26 am
Post subject: Re: Locked out of Win2k Server
If you have a machine that is in a workgroup, but has the adminpack.msi
installed, so it can manage domains, you can login locally to it, and then
use Run As to connect to the domain and edit the GPO. This uses DCOM, if I
recall; nonetheless, you aren't logging in interactively.
--
Mark Gamache
Certified Security Solutions
http://www.css-security.com
"Don Wilwol" <wilwol@capital.net> wrote in message
news:usNEKgGEFHA.624@TK2MSFTNGP09.phx.gbl...
Quote:
It sounds like you inadvertently set the policy on the default domain
policy, or you linked it to the domain and not the OU.
Maybe somebody else has a magic cure. I don't think there is an easy fix.
dw
--
Don Wilwol
http://spaces.msn.com/members/wilwol/
"[-=Dan=-]" <getbent@ease.com> wrote in message
news:3746bpF59esocU1@individual.net...
"Don Wilwol" <wilwol@capital.net> wrote in message
news:OWd$WTEEFHA.1496@TK2MSFTNGP14.phx.gbl...
I'm not sure I fully understand. You cannot log onto the domain from
anywhere, or just from the one server? If you can get to the policy, you
should be able to undo your mistake. If you can log on from anywhere, I
had a colleague that had a customer do the same thing. I found this hack
for him. We never got to try it, they wound up restoring AD from backup,
but if it's the last hope!
http://www.commodore.ca/windows/undo_group_policy.htm
good luck
dw
The strangest thing. I just rebuilt the member server, did all the
Windows updates, installed AVG software. Runs ok. As soon as I join it
onto the domain, when I reboot I cannot log into the domain, or locally.
Get the same message. How can a user policy that I applied to an OU that
contains one user, be applied to this server? I'm well stumped. I don't
want to rebuild both servers....
Any thoughts *GREATLY* appreciated...
Dan
Roger Abell
Guest
Posted: Sat Feb 12, 2005 3:03 pm
Post subject: Re: Locked out of Win2k Server
I have read all of your posts - twice
and I am still unclear why everyone seems to think
you are saying that you cannot log into any machine
in the domain. I can see how what you have said
could be interpreted that way, but I can also see
how you may be speaking only about logging into
just that one member - which is the case?
That you cannot log into the member server with either
a domain or machine local account can be simply
reversed by checking a few policies in whatever GPOs
might have the member in their scope of application.
Check especially, both in the computer settings tree of
policies, 1) the User Right to Log on locally, and Deny
local logon, and 2) the membership of any Restricted
groups (if you have defined these) that might be used
in the two User Right policies just mentioned.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"[-=Dan=-]" <getbent@ease.com> wrote in message
news:373rt9F57bv0pU1@individual.net...
Quote:
Hi all,
I have a Windows 2000 server as a member server of a Windows 2000 AD Domain.
I've been messing with policies of an OU on the domain controller, trying to
lock down a desktop. Now, I can't logon to my member server, either through
TS or at the console, I get "The local policy of this system does not permit
you to logon interactively". I can't logon to the local machine, even using
the Administrator account. And I can't logon to the domain, again using the
Administrator account.
I'm well and truly knobbed off.
Does anyone have any ideas before I rebuild this server?
TIA
Dan
Paul Adare
Guest
Posted: Sat Feb 12, 2005 3:05 pm
Post subject: Re: Locked out of Win2k Server
In article <#c6xIFOEFHA.1040@TK2MSFTNGP09.phx.gbl>, in the
microsoft.public.windows.server.security news group, Roger Abell
<mvpNOSpam@asu.edu> says...
Quote:
I have read all of your posts - twice
and I am still unclear why everyone seems to think
you are saying that you cannot log into any machine
in the domain.
Whew, glad I'm not the only one. :-)
--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
Roger Abell
Guest
Posted: Sat Feb 12, 2005 11:19 pm
Post subject: Re: Locked out of Win2k Server
"Paul Adare" <padare@newsguy.com> wrote in message
news:MPG.1c7790eb79be6d6e989b96@msnews.microsoft.com...
Quote:
In article <#c6xIFOEFHA.1040@TK2MSFTNGP09.phx.gbl>, in the
microsoft.public.windows.server.security news group, Roger Abell
<mvpNOSpam@asu.edu> says...
I have read all of your posts - twice
and I am still unclear why everyone seems to think
you are saying that you cannot log into any machine
in the domain.
Whew, glad I'm not the only one. :-)
Thanks Paul. I was quite resisting a post,
thinking I was not picking up on something.
--
Roger
Steven L Umbach
Guest
Posted: Sun Feb 13, 2005 1:55 am
Post subject: Re: Locked out of Win2k Server
I don't think I indicated that he could not logon to any computer in the
domain?? I asked if he could as the post was confusing. I admit I could have
said "Logon to a domain controller". --- Steve
******************************
Can you logon to a domain controller?? [My first line]
******************************
can you logon to any computer in the domain??
************************************
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:%23c6xIFOEFHA.1040@TK2MSFTNGP09.phx.gbl...
Quote:
I have read all of your posts - twice
and I am still unclear why everyone seems to think
you are saying that you cannot log into any machine
in the domain. I can see how what you have said
could be interpreted that way, but I can also see
how you may be speaking only about logging into
just that one member - which is the case?
That you cannot log into the member server with either
a domain or machine local account can be simply
reversed by checking a few policies in whatever GPOs
might have the member in their scope of application.
Check especially, both in the computer settings tree of
policies, 1) the User Right to Log on locally, and Deny
local logon, and 2) the membership of any Restricted
groups (if you have defined these) that might be used
in the two User Right policies just mentioned.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"[-=Dan=-]" <getbent@ease.com> wrote in message
news:373rt9F57bv0pU1@individual.net...
Hi all,
I have a Windows 2000 server as a member server of a Windows 2000 AD Domain.
I've been messing with policies of an OU on the domain controller, trying to
lock down a desktop. Now, I can't logon to my member server, either through
TS or at the console, I get "The local policy of this system does not permit
you to logon interactively". I can't logon to the local machine, even using
the Administrator account. And I can't logon to the domain, again using the
Administrator account.
I'm well and truly knobbed off.
Does anyone have any ideas before I rebuild this server?
TIA
Dan
Roger Abell
Guest
Posted: Sun Feb 13, 2005 4:42 am
Post subject: Re: Locked out of Win2k Server
Quite right Steve, I guess I did overstate. My mistake.
I recall reading as you say because I especially noticed
that the OP's reply did not answer you on that point.
--
Roger
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:OR2HvyTEFHA.3824@TK2MSFTNGP10.phx.gbl...
Quote:
I don't think I indicated that he could not logon to any computer in the
domain?? I asked if he could as the post was confusing. I admit I could
have said "Logon to a domain controller". --- Steve
******************************
Can you logon to a domain controller?? [My first line]
******************************
can you logon to any computer in the domain??
************************************
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:%23c6xIFOEFHA.1040@TK2MSFTNGP09.phx.gbl...
I have read all of your posts - twice
and I am still unclear why everyone seems to think
you are saying that you cannot log into any machine
in the domain. I can see how what you have said
could be interpreted that way, but I can also see
how you may be speaking only about logging into
just that one member - which is the case?
That you cannot log into the member server with either
a domain or machine local account can be simply
reversed by checking a few policies in whatever GPOs
might have the member in their scope of application.
Check especially, both in the computer settings tree of
policies, 1) the User Right to Log on locally, and Deny
local logon, and 2) the membership of any Restricted
groups (if you have defined these) that might be used
in the two User Right policies just mentioned.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"[-=Dan=-]" <getbent@ease.com> wrote in message
news:373rt9F57bv0pU1@individual.net...
Hi all,
I have a Windows 2000 server as a member server of a Windows 2000 AD Domain.
I've been messing with policies of an OU on the domain controller, trying to
lock down a desktop. Now, I can't logon to my member server, either through
TS or at the console, I get "The local policy of this system does not permit
you to logon interactively". I can't logon to the local machine, even using
the Administrator account. And I can't logon to the domain, again using the
Administrator account.
I'm well and truly knobbed off.
Does anyone have any ideas before I rebuild this server?
TIA
Dan