Locked out of Win2k Server
Windows Server Forum Index -> Security
Server discussion on Windows platform.
Roger Abell
Guest

Posted: Sun Feb 13, 2005 4:44 am    Post subject: Re: Locked out of Win2k Server

or should I say OP's non-reply left it unanswered . . .
The reply was to Don's first post trying to clarify this point.

--
Roger
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:OR2HvyTEFHA.3824@TK2MSFTNGP10.phx.gbl...
Quote:
I don't think I indicated that he could not logon to any computer in the
domain?? I asked if he could as the post was confusing. I admit I could have
said, "Logon to a domain controller". --- Steve

******************************
Can you logon to a domain controller?? [My first line]
******************************
can you logon to any computer in the domain??
************************************

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:%23c6xIFOEFHA.1040@TK2MSFTNGP09.phx.gbl...
I have read all of your posts - twice
and I am still unclear why everyone seems to think
you are saying that you cannot log into any machine
in the domain. I can see how what you have said
could be interpreted as that way, but I can also see
how you may be speaking only about logging into
just that one member - which is the case?

That you cannot log into the member server with either
a domain or machine local account can be simply
reversed by checking a few policies in whatever GPOs
might have the member in their scope of application.
Check especially, both in the computer settings tree of
policies, 1) the User Right to Log on locally, and Deny
local logon, and 2) the membership of any Restricted
groups (if you have defined these) that might be used
in the two User Right policies just mentioned.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"[-=Dan=-]" <getbent@ease.com> wrote in message
news:373rt9F57bv0pU1@individual.net...
Hi all,

I have a Windows 2000 server as a member server of a Windows 2000 AD
Domain. I've been messing with policies of an OU on the domain controller,
trying to lock down a desktop. Now, I can't logon to my member server,
either through TS or at the console; I get "The local policy of this system
does not permit you to logon interactively". I can't logon to the local
machine, even using the Administrator account. And I can't logon to the
domain, again using the Administrator account.

I'm well and truly knobbed off.

Does anyone have any ideas before I rebuild this server?

TIA

Dan
[-=Dan=-]
Guest

Posted: Mon Feb 14, 2005 5:32 pm    Post subject: Re: Locked out of Win2k Server

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:%23c6xIFOEFHA.1040@TK2MSFTNGP09.phx.gbl...
Quote:
I have read all of your posts - twice
and I am still unclear why everyone seems to think
you are saying that you cannot log into any machine
in the domain. I can see how what you have said
could be interpreted as that way, but I can also see
how you may be speaking only about logging into
just that one member - which is the case?

That you cannot log into the member server with either
a domain or machine local account can be simply
reversed by checking a few policies in whatever GPOs
might have the member in their scope of application.
Check especially, both in the computer settings tree of
policies, 1) the User Right to Log on locally, and Deny
local logon, and 2) the membership of any Restricted
groups (if you have defined these) that might be used
in the two User Right policies just mentioned.

Hi Roger,


sorry for the confusion. My problem is that I cannot log on to the member
server with a domain or local account. I rebuilt the member server and it
was great, working fine, until I joined it to the domain. Ever since then, I
cannot log on to it locally *or* log into the domain from it. I've run
dcpromo on the server to remove AD, and just reinstalled AD, hopefully to
get rid of any policies. Of course now, I still cannot log on to the member
machine. So now, I will rebuild said member server *again*.

This will hopefully fix the problem, but what I don't understand is how this
has happened. I'm 99% sure that I didn't apply *any* of the 'Computer
configuration' settings in the policy, only the 'User configuration' ones.

Thanks all for your help


Dan
Roger Abell
Guest

Posted: Mon Feb 14, 2005 9:21 pm    Post subject: Re: Locked out of Win2k Server

When you joined the rebuilt machine to the domain it was
subjected to the Group Policy GPOs of the domain.
Those are what were causing your initial issue with the
first build - and those were likely the ones to which I did
point. Those GPO settings were still in effect ready to
configure the machine once it was joined.

In the future, I would suggest that you do not modify
GPO settings of your existing GPOs while learning.
Instead, define a new GPO linked to a restricted area,
such as an OU specifically defined for the testing and
into which you have moved the accounts and computers
to be used in the test. Then, modify policy settings in
the GPO defined for this testing.
That way, if things go completely wrong, you can either
unlink the GPO, or delete the GPO, or move the user
or computer object out of the OU, in order to reverse
the effect.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"[-=Dan=-]" <getbent@ease.com> wrote in message
news:37bgj1F56v85nU1@individual.net...
Quote:
Hi Roger,

sorry for the confusion. My problem is that I cannot log on to the member
server with a domain or local account. I rebuilt the member server and it
was great, working fine, until I joined it to the domain. Ever since then,
I cannot log on to it locally *or* log into the domain from it. I've run
dcpromo on the server to remove AD, and just reinstalled AD, hopefully to
get rid of any policies. Of course now, I still cannot log on to the member
machine. So now, I will rebuild said member server *again*.

This will hopefully fix the problem, but what I don't understand is how
this has happened. I'm 99% sure that I didn't apply *any* of the 'Computer
configuration' settings in the policy, only the 'User configuration' ones.

Thanks all for your help

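Roger's staging advice above, as an added example that is not code from the thread: a PowerShell script that builds the throwaway OU, links a fresh GPO to it, moves one test computer into scope, and keeps the two rollback commands next to it. It needs the ActiveDirectory and GroupPolicy modules (RSAT), which did not exist for Windows 2000; the steps are the same ones clicked through in the Win2k Group Policy snap-in. The OU name, GPO name, computer name and the Computers container used for rollback are assumptions. Note that the computer object, not only the user, has to sit in the OU, because user rights such as Log on locally are Computer Configuration settings and are resolved against the computer's location.

```powershell
# Added example, not code from the thread. Stages a Group Policy experiment
# so it can be reversed in one step. Requires the ActiveDirectory and
# GroupPolicy modules (RSAT). Names below are assumptions.
Import-Module ActiveDirectory, GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$ouName   = 'GPO-Lab'                           # assumed
$ouDN     = "OU=$ouName,$domainDN"
$gpoName  = 'Lab - Desktop Lockdown (test)'     # assumed
$testPc   = 'MEMBER01'                          # assumed

# 1. A dedicated OU for the experiment. Nothing lives here except the
#    accounts and computers that are meant to be affected.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $false
}

# 2. A fresh GPO linked only to that OU. Default Domain Policy is never
#    edited for testing; it reaches every computer that joins the domain.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 3. Put only the test computer in scope. Because Log on locally / Deny logon
#    locally are Computer Configuration settings, the computer object must be
#    in the OU for the GPO to touch them; a user object alone is not enough.
$pc = Get-ADComputer $testPc
$originalContainer = ($pc.DistinguishedName -split ',', 2)[1]
Move-ADObject -Identity $pc.DistinguishedName -TargetPath $ouDN
Invoke-GpUpdate -Computer $testPc -Force

# 4. Rollback, in the order Roger lists: disable the link, or move the
#    computer back where it came from, then refresh again.
#    Set-GPLink -Name $gpoName -Target $ouDN -LinkEnabled No
#    Move-ADObject -Identity "CN=$testPc,$ouDN" -TargetPath $originalContainer
#    Invoke-GpUpdate -Computer $testPc -Force
"Test GPO '$gpoName' linked to $ouDN; $testPc moved from $originalContainer"
```

Keep the rollback lines with the script rather than in your head: when the test locks you out of the console, the fix has to come from the DC side, and these are the commands you will be typing there.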
[-=Dan=-]
Guest

Posted: Mon Feb 14, 2005 11:39 pm    Post subject: Re: Locked out of Win2k Server

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:Osp1hhqEFHA.1264@TK2MSFTNGP12.phx.gbl...
Quote:
When you joined the rebuilt machine to the domain it was
subjected to the Group Policy GPOs of the domain.
Those are what were causing your initial issue with the
first build - and those were likely the ones to which I did
point. Those GPO settings were still in effect ready to
configure the machine once it was joined.

In the future, I would suggest that you do not modify
GPO settings of your existing GPOs while learning.
Instead, define a new GPO linked to a restricted area,
such as an OU specifically defined for the testing and
into which you have moved the accounts and computers
to be used in the test. Then, modify policy settings in
the GPO defined for this testing.
That way, if things go completely wrong, you can either
unlink the GPO, or delete the GPO, or move the user
or computer object out of the OU, in order to reverse
the effect.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
Hi Roger,


thanks for your reply. The strange thing is, I did create a new OU with just
the one user in for my policy testing. I'm 99.9% sure that I didn't modify
the default domain policy, unless someone else did it when I wasn't
watching!

I've rebuilt the member after uninstalling/reinstalling AD on the domain
controller, and am gingerly modifying my policy on the new OU!

Thanks again

Dan
Don Wilwol
Guest

Posted: Tue Feb 15, 2005 12:32 am    Post subject: Re: Locked out of Win2k Server

Dan
If you haven't already done so, download the group policy management console
(GPMC.msi) and use it. It gives some nice planning capabilities.


--
Hope it helps...........

dw

Don Wilwol
Blog - http://spaces.msn.com/members/wilwol/
Web - http://capital.net/~wilwol/dw.htm
DonWilwol@yahoo.com

"[-=Dan=-]" <getbent@ease.com> wrote in message
news:37c622F59517kU1@individual.net...
Quote:
Hi Roger,

thanks for your reply. The strange thing is, I did create a new OU with
just the one user in for my policy testing. I'm 99.9% sure that I didn't
modify the default domain policy, unless someone else did it when I wasn't
watching!

I've rebuilt the member after uninstalling/reinstalling AD on the domain
controller, and am gingerly modifying my policy on the new OU!

Thanks again

Dan
Steven L Umbach
Guest

Posted: Tue Feb 15, 2005 6:48 am    Post subject: Re: Locked out of Win2k Server

I am sure Roger will apply but you did not have to go through all that. It
sounds like your Domain Security Policy is misconfigured [or a domain GPO
other than the default is a possibility, especially if it is above the default
domain GPO in the list linked to the domain]. All you have to do is make
sure that the user right for logon locally contains users and administrators
and that the deny logon locally does not contain any users/groups that will
override the allow logon locally user right. A safe bet would be to have it
defined with just the guest account. --- Steve


"[-=Dan=-]" <getbent@ease.com> wrote in message
news:37bgj1F56v85nU1@individual.net...
Quote:
Hi Roger,

sorry for the confusion. My problem is that I cannot log on to the
member server with a domain or local account. I rebuilt the member server
and it was great, working fine, until I joined it to the domain. Ever
since then, I cannot log on to it locally *or* log into the domain from it.
I've run dcpromo on the server to remove AD, and just reinstalled AD,
hopefully to get rid of any policies. Of course now, I still cannot log on
to the member machine. So now, I will rebuild said member server *again*.

This will hopefully fix the problem, but what I don't understand is how
this has happened. I'm 99% sure that I didn't apply *any* of the 'Computer
configuration' settings in the policy, only the 'User configuration' ones.

Thanks all for your help


Dan
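Steve's fix above, as an added example that is not code from the thread: a PowerShell script that exports the effective user-rights assignment with secedit.exe, shows who holds Log on locally and Deny logon locally, and, if Administrators are shut out, applies a template carrying the assignment Steve describes (Administrators and Users allowed, only Guest denied). Windows 2000 ships secedit.exe but not PowerShell, so on a Win2k box the two secedit commands are typed at cmd.exe and the exported .inf is read by hand; the script needs some way to run commands on the affected machine (a remote shell or scheduled task, since interactive logon is exactly what is broken). File names under $env:TEMP are assumptions. The caveat from Roger's posts stands: if a GPO in scope of the computer object defines these rights, the domain value is reapplied at the next policy refresh and undoes the local repair, so the lasting fix is in that GPO (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment).

```powershell
# Added example, not code from the thread. Audits and repairs the two user
# rights behind "The local policy of this system does not permit you to logon
# interactively": Log on locally (SeInteractiveLogonRight) and Deny logon
# locally (SeDenyInteractiveLogonRight). Run in an elevated session on the
# affected machine. File names are assumptions.
$exportInf = Join-Path $env:TEMP 'userrights-export.inf'
$fixInf    = Join-Path $env:TEMP 'userrights-fix.inf'
$fixDb     = Join-Path $env:TEMP 'userrights-fix.sdb'

# 1. Dump the effective user-rights assignment to an .inf template.
secedit.exe /export /cfg $exportInf /areas USER_RIGHTS | Out-Null

# 2. Parse the [Privilege Rights] section. Lines look like
#      SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
#    where *S-1-... is a SID and a bare token is an account name.
$rights  = @{}
$inPrivs = $false
foreach ($line in Get-Content $exportInf) {
    if ($line -match '^\[(.+)\]\s*$') { $inPrivs = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inPrivs -and $line -match '^(\S+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
}

function Resolve-Principal([string]$Entry) {
    # Translate *SID entries to DOMAIN\Name; leave names (or SIDs that no
    # longer resolve, e.g. a deleted group) as they are.
    if ($Entry -notlike '*S-1-*') { return $Entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.TrimStart('*'))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $Entry }
}

$allow = @($rights['SeInteractiveLogonRight']     | ForEach-Object { Resolve-Principal $_ })
$deny  = @($rights['SeDenyInteractiveLogonRight'] | ForEach-Object { Resolve-Principal $_ })
"Log on locally     : $($allow -join ', ')"
"Deny logon locally : $($deny  -join ', ')"

# 3. Decide whether the box is locked. Deny wins over Allow, so a broad group
#    that administrators belong to (Everyone, Authenticated Users, Users) in
#    the Deny list shuts them out as surely as listing Administrators there.
$admins    = 'BUILTIN\Administrators'
$broadDeny = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', $admins)
$locked = ($allow -notcontains $admins) -or
          (@($deny | Where-Object { $broadDeny -contains $_ }).Count -gt 0)

if (-not $locked) { 'Interactive logon rights look sane; the lockout is elsewhere.'; return }

# 4. Repair locally with the assignment Steve suggests: Administrators
#    (S-1-5-32-544) and Users (S-1-5-32-545) may log on; only the Guest
#    account is denied. secedit accepts account names in the template, so the
#    machine-specific Guest SID does not need to be known.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = Guest
'@ | Set-Content -Path $fixInf -Encoding Unicode
secedit.exe /configure /db $fixDb /cfg $fixInf /areas USER_RIGHTS

# 5. A GPO in scope that defines these rights will overwrite the local value
#    at the next refresh, so refresh now and re-run the export to see whether
#    the domain puts the bad assignment back. Win2k syntax; on XP/2003 and
#    later use gpupdate /force.
secedit.exe /refreshpolicy machine_policy /enforce
```

If the export after the refresh shows the broken assignment again, the source is a GPO linked at the domain or at an OU containing the computer object; on XP/2003 and later `gpresult /scope computer /v` names the winning GPO for each user right. Fix or unlink that GPO on the DC rather than fighting it locally.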
Steven L Umbach
Guest

Posted: Tue Feb 15, 2005 6:48 am    Post subject: Re: Locked out of Win2k Server

Also a consequence of using spell checker without reviewing the
esults! --- Steve


"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:uaI3wLyEFHA.1188@tk2msftngp13.phx.gbl...
Quote:
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:ueUf1HxEFHA.2540@TK2MSFTNGP09.phx.gbl...
I am sure Roger will apply but

Did I miss a good job offer here somewhere ??

--
Roger

Steven L Umbach
Guest

Posted: Tue Feb 15, 2005 6:48 am    Post subject: Re: Locked out of Win2k Server

Maybe, or it's just my day to have a brain lapse. --- Steve


"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:uaI3wLyEFHA.1188@tk2msftngp13.phx.gbl...
Quote:
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:ueUf1HxEFHA.2540@TK2MSFTNGP09.phx.gbl...
I am sure Roger will apply but

Did I miss a good job offer here somewhere ??

--
Roger

Roger Abell
Guest

Posted: Tue Feb 15, 2005 6:48 am    Post subject: Re: Locked out of Win2k Server

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:ueUf1HxEFHA.2540@TK2MSFTNGP09.phx.gbl...
Quote:
I am sure Roger will apply but

Did I miss a good job offer here somewhere ??

--
Roger
Roger Abell
Guest

Posted: Tue Feb 15, 2005 6:48 am    Post subject: Re: Locked out of Win2k Server

"[-=Dan=-]" <getbent@ease.com> wrote in message
Quote:
thanks for your reply. The strange thing is, I did create a new OU with
just the one user in for my policy testing. I'm 99.9% sure that I didn't
modify the default domain policy, unless someone else did it when I wasn't
watching!

Well, that is a little bizarre then.

Good luck Dan

--
Roger
Roger Abell
Guest

Posted: Tue Feb 15, 2005 3:27 pm    Post subject: Re: Locked out of Win2k Server

Spell checkers sometimes make the most humorous
assumptions/changes
I cannot wait for the Office group to produce trustworthy
software (so we do not need to recheck what spellchecker
does, that is)

--
Roger
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:OgjH%23RyEFHA.3732@TK2MSFTNGP14.phx.gbl...
Quote:
Also a consequence of using spell checker without reviewing the
esults! --- Steve


Steven L Umbach
Guest

Posted: Tue Feb 15, 2005 4:05 pm    Post subject: Re: Locked out of Win2k Server

Wow. What are you doing up so late/early?? I woke up thinking about that big
box of chocolates in the kitchen that was calling me. I usually check after
spell checker runs because of just what you said. Sometimes I do a poor job
and my post tells someone to check their domain comptroller for correct
settings. --- Steve


"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:uY7pmA0EFHA.3200@TK2MSFTNGP10.phx.gbl...
Quote:
Spell checkers sometimes make the most humorous
assumptions/changes
I cannot wait for the Office group to produce trustworthy
software (so we do not need to recheck what spellchecker
does, that is)

--
Roger
[-=Dan=-]
Guest

Posted: Tue Feb 15, 2005 4:48 pm    Post subject: Re: Locked out of Win2k Server

"Don Wilwol" <donwilwol@yahoo.com> wrote in message
news:uMTwKOsEFHA.1936@TK2MSFTNGP14.phx.gbl...
Quote:
Dan
If you haven't already done so, download the group policy management
console (GPMC.msi) and use it. It gives some nice planning capabilities.


Hi Don,


just downloaded that from mircoshaft, but it tells me I 'must be running
Windows XP SP1 or Windows Server 2003 build 3602 or later to install...'.

Thanks anyway

Dan
All times are GMT
Page 2 of 2