Grpedit.msc from bootable cd

Marco Schlegel

Hi

I have a WinXP Pro SP2 where I cannot login local! I think in the local
group policy was the "local login" key disabled :-( I tried to reset this
setting with ERD 2005 but I can't find this key in the registry. And also I
can't open the Grpedit.msc in ERD, so how can I open or reset the local
group policy from a bootable cd? The "allow remote login" key is also deny,
so also I can't connect over the LAN to this computer :-( A "Windows repair"
also doesn't solve the problem! Every time I try to login I receive the
error: Local policy prevents interactive logon. This computer is not in a
Domain! :-(

Thanks for any suggestions!

Regards
Marco
 
Marco Schlegel

Peter Foldes said:
It is Gpedit and not Grpedit.msc. Drop the r from grpedit

Hi Peter

Sorry, I know it's gpedit and I tried always with gpedit ;-) It was a
mistake in writing only here.

Marco
 
John John

On a working Windows XP machine snap the registry then do the changes in
the Group Policy then re-snap the registry then do a compare for the
differences between the two snaps. This registry snap & compare
technique is almost like a closely guarded trade secret, I don't give it
out everyday!

John
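
The snap-and-compare approach described above, as an added example that is not part of the original post: a Python sketch that parses two `regedit` text exports taken before and after a policy change and reports added, removed and changed values. The sample exports are constructed for illustration.

```python
import re

# Constructed sample exports (regedit "Export" text format). Real XP exports
# are UTF-16 files, so read them with open(path, encoding="utf-16").
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000000
"legalnoticetext"=hex(7):00,00,\
  00,00
"""
AFTER = BEFORE.replace("dword:00000000", "dword:00000001") + \
    '"shutdownwithoutlogon"=dword:00000000\n'

def parse_reg(text):
    """Parse a regedit text export into {(key, value_name): data}."""
    values, key, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # hex data continues on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]               # new key section
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and key is not None:
            values[(key, m.group(1).strip('"'))] = m.group(2)
    return values

def diff_snapshots(before, after):
    """Compare two exports and return added, removed and changed values."""
    b, a = parse_reg(before), parse_reg(after)
    return {
        "added":   {k: a[k] for k in a.keys() - b.keys()},
        "removed": {k: b[k] for k in b.keys() - a.keys()},
        "changed": {k: (b[k], a[k]) for k in a.keys() & b.keys() if a[k] != b[k]},
    }

if __name__ == "__main__":
    for kind, items in diff_snapshots(BEFORE, AFTER).items():
        for (key, name), data in sorted(items.items()):
            print(kind, key, name, data)
```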
 
Marco Schlegel

On a working Windows XP machine snap the registry then do the changes in
the Group Policy then re-snap the registry then do a compare for the
differences between the two snaps. This registry snap & compare technique
is almost like a closely guarded trade secret, I don't give it out
everyday!

Hi John

In a Microsoft tech article I read that the group policy security settings
are not stored in the registry :-(
Is that not true?

Regards
 
Marco Schlegel

In a Microsoft tech article I read that the group policy security settings
are not stored in the registry :-(
Is that not true?

Have a look at this document:

http://download.microsoft.com/download/a/a/3/aa32239c-3a23-46ef-ba8b-da786e167e5e/PolicySettings.xls

Computer Configuration\Windows Settings\Local Policies\User Rights
Assignment

Deny log on locally

User Rights security settings are not registry keys

So how the hell can I set this setting back? :-( And the other question, why
the hell is it ON from one day to the other?
However, this smells strongly of a virus or a worm!

Any other suggestions?

Thx
Marco
 
John John

Did you try logging on with the built-in Administrator account? Hit
Ctrl+Alt+Del twice at the logon screen, or try logging on to safe mode.

If you cannot log on with the built-in Administrator account use your
live (ERD) cd and replace the %Systemroot%\System32\GroupPolicy folder
with one from an XP machine that doesn't have the policy in place, or
backup the folder on the unaccessible machine then delete the whole
folder and see if you can logon.

John
 
Marco Schlegel

Hi John

Did you try logging on with the built-in Administrator account? Hit
Ctrl+Alt+Del twice at the logon screen, or try logging on to safe mode.

I tried that first, but no way, always the same :-(

If you cannot log on with the built-in Administrator account use your live
(ERD) cd and replace the %Systemroot%\System32\GroupPolicy folder with one
from an XP machine that doesn't have the policy in place, or backup the
folder on the unaccessible machine then delete the whole folder and see if
you can logon.

I checked that also, first there was no Group Policy folder and then I
copied it from a working XP, but also no success to login :-(
I tried also with a restore-point but the problem still exists, I can't
login with any account :-(

Any other suggestions?

Thx
Marco
 
John John

Crossposted from: microsoft.public.windowsxp.basics

Marco said:
Hi

I have a WinXP Pro SP2 where I cannot login local! I think in the
local group policy was the "local login" key disabled :-( I tried
to reset this setting with ERD 2005 but I can't find this key in the
registry. And also I can't open the Gpedit.msc in ERD, so how can I
open or reset the local group policy from a bootable cd? The "allow
remote login" key is also deny, so also I can't connect over the LAN
to this computer :-( A "Windows repair" also doesn't solve the
problem! Every time I try to login I receive the error: Local policy
prevents interactive logon. This computer is not in a Domain! :-(

Thanks for any suggestions!

Regards Marco

On a working Windows XP machine snap the registry then do the changes
in the Group Policy then re-snap the registry then do a compare for
the differences between the two snaps. This registry snap & compare
technique is almost like a closely guarded trade secret, I don't give
it out everyday!

In a Microsoft tech article I read that the group policy security
settings are not stored in the registry :-( Is that not true?

Have a look at this document:

http://download.microsoft.com/download/a/a/3/aa32239c-3a23-46ef-ba8b-da786e167e5e/PolicySettings.xls


Computer Configuration\Windows Settings\Local Policies\User Rights
Assignment

Deny log on locally

User Rights security settings are not registry keys

So how the hell can I set this setting back? :-( And the other
question, why the hell is it ON from one day to the other? However,
this smells strongly of a virus or a worm!

Any other suggestions?

Did you try logging on with the built-in Administrator account? Hit
Ctrl+Alt+Del twice at the logon screen, or try logging on to safe mode.

I tried that first, but no way, always the same :-(

If you cannot log on with the built-in Administrator account use your
live (ERD) cd and replace the %Systemroot%\System32\GroupPolicy
folder with one from an XP machine that doesn't have the policy in
place, or backup the folder on the unaccessible machine then delete
the whole folder and see if you can logon.

I checked that also, first there was no Group Policy folder and then
I copied it from a working XP, but also no success to login :-( I
tried also with a restore-point but the problem still exists, I can't
login with any account :-(

Any other suggestions?

I'm going to have to do some searching. One of the problems that I have
in finding an answer is that I cannot replicate the condition on my XP
Pro test box. I know that it is possible to apply the policy to
administrators on Windows 2000, but changes were made to Windows XP to
prevent this policy from being applied to administrators. If I go to:

Computer Configuration\Windows Settings\Local Policies\User Rights
Assignment

and try to apply "Deny log on locally" to any administrator I get a
message telling me that "You cannot deny all users and administrator(s)
from logging on locally". So, I cannot lock myself out of the box with
that policy, I'm not sure how you succeeded to do this with XP, we may
be looking at the wrong policy, I'm not sure what is going on, maybe it
is a virus as you earlier mentioned.

I'm going to have to do some searching and reading. In the meantime I
am sending a crosspost of the discussion to
microsoft.public.windows.group_policy, maybe the experts there have
solutions or suggestions to offer.

John
 
John John

John said:
Crossposted from: microsoft.public.windowsxp.basics

I'm going to have to do some searching. One of the problems that I have
in finding an answer is that I cannot replicate the condition on my XP
Pro test box. I know that it is possible to apply the policy to
administrators on Windows 2000, but changes were made to Windows XP to
prevent this policy from being applied to administrators. If I go to:

Computer Configuration\Windows Settings\Local Policies\User Rights
Assignment

and try to apply "Deny log on locally" to any administrator I get a
message telling me that "You cannot deny all users and administrator(s)
from logging on locally". So, I cannot lock myself out of the box with
that policy, I'm not sure how you succeeded to do this with XP, we may
be looking at the wrong policy, I'm not sure what is going on, maybe it
is a virus as you earlier mentioned.

I'm going to have to do some searching and reading. In the meantime I
am sending a crosspost of the discussion to
microsoft.public.windows.group_policy, maybe the experts there have
solutions or suggestions to offer.

Well, I have managed to lock myself out, but not at the Deny log on
locally policy. I have done it by removing all specifically granted
permissions at the "Log on locally" policy.

See if you can get it fixed with the information here:

http://support.microsoft.com/kb/555845

John
 
Sam Hobbs

Marco Schlegel said:
Hi John

In a Microsoft tech article I read that the group policy security settings
are not stored in the registry :-(
Is that not true?

Regards

It probably depends on what is meant by "stored". I know that some Group
Policies, probably most, are effective only when they are put into the
registry. It is possible to affect the effectivity of a policy by changing
only the registry. The confusion probably is that the policy editor edits
data from a non-registry file that administrators are more familiar with
than I. Any changes made by the policy editor will be ineffective unless
they are put into the registry.

Does that sound like an explanation of what the "Microsoft tech article"
meant?
 
John John

John said:
Well, I have managed to lock myself out, but not at the Deny log on
locally policy. I have done it by removing all specifically granted
permissions at the "Log on locally" policy.

See if you can get it fixed with the information here:

http://support.microsoft.com/kb/555845

You should be able to fix things with the NTRights Resource Kit utility.

ntrights -u Users +r SeInteractiveLogonRight

NTRights command syntax is case sensitive.

I don't know if you can run NTRights from your ERD or from a Bart's PE
disk, give it a try. http://support.microsoft.com/kb/315276/en-us

You can run NTRights remotely by itself or with PSExec. Use the
\\computer_name in the syntax.

http://support.microsoft.com/kb/266280/en-us

John
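
A check for the lockout condition reproduced above, as an added example that is not part of the original thread: it reads the `[Privilege Rights]` section of a security template exported with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and flags an empty "Log on locally" list or a deny entry that covers Administrators, Users or Everyone. The template text is constructed, and the check assumes built-in groups are exported as `*SID` entries; `SeDenyInteractiveLogonRight` is the constant behind "Deny log on locally".

```python
# Well-known SIDs as they appear in an exported template.
ADMINS, USERS, EVERYONE = "*S-1-5-32-544", "*S-1-5-32-545", "*S-1-1-0"

# Constructed template text; a real export is read from the .inf file.
HEALTHY = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = Guest
[Version]
signature="$CHICAGO$"
"""
LOCKED_OUT = HEALTHY.replace("*S-1-5-32-544,*S-1-5-32-545", "")
DENIED = HEALTHY.replace("= Guest", "= Guest,*S-1-5-32-544")

def privilege_rights(inf_text):
    """Return {right: [accounts]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [a.strip() for a in value.split(",") if a.strip()]
    return rights

def logon_lockout_findings(inf_text):
    """List the conditions that would block interactive logon."""
    rights = privilege_rights(inf_text)
    allow = rights.get("SeInteractiveLogonRight", [])   # "Log on locally"
    deny = rights.get("SeDenyInteractiveLogonRight", [])
    findings = []
    if not allow:
        findings.append("SeInteractiveLogonRight is empty: nobody may log on locally")
    elif ADMINS not in allow:
        findings.append("Administrators lack SeInteractiveLogonRight")
    blocked = [a for a in deny if a in (ADMINS, USERS, EVERYONE)]
    if blocked:
        findings.append("SeDenyInteractiveLogonRight covers " + ", ".join(blocked))
    return findings

if __name__ == "__main__":
    for name, text in (("healthy", HEALTHY), ("locked out", LOCKED_OUT), ("denied", DENIED)):
        print(name, logon_lockout_findings(text) or "ok")
```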
 
John John

Sam said:
It probably depends on what is meant by "stored". I know that some Group
Policies, probably most, are effective only when they are put into the
registry. It is possible to affect the effectivity of a policy by changing
only the registry. The confusion probably is that the policy editor edits
data from a non-registry file that administrators are more familiar with
than I. Any changes made by the policy editor will be ineffective unless
they are put into the registry.

Does that sound like an explanation of what the "Microsoft tech article"
meant?

No, Sam. The security settings are saved and applied elsewhere, I don't
believe that you can restore the logon rights by registry modifications.

John
 
Marco Schlegel

Hi John

You should be able to fix things with the NTRights Resource Kit utility.

ntrights -u Users +r SeInteractiveLogonRight

NTRights command syntax is case sensitive.

I don't know if you can run NTRights from your ERD or from a Bart's PE
disk, give it a try. http://support.microsoft.com/kb/315276/en-us

No, it doesn't work from ERD or Bart's PE.

You can run NTRights remotely by itself or with PSExec. Use the
\\computer_name in the syntax.

I receive an error if I try that from a second computer.

But I think I have solved the problem! I took an old Ghost Image from this
computer and restored the whole Windows directory with the Ghost Explorer in
a first try. And now I can log in :) So my next attempt would be to reduce
the folders I restore and I will try it with restore only the System32
folder. I think on this way I can find out, in which folder which files are
responsible for my problem!

Thank you very much John!

Regards
Marco
 
John John

Marco said:
Hi John

No, it doesn't work from ERD or Bart's PE.

I receive an error if I try that from a second computer.

But I think I have solved the problem! I took an old Ghost Image from
this computer and restored the whole Windows directory with the Ghost
Explorer in a first try. And now I can log in :) So my next attempt
would be to reduce the folders I restore and I will try it with restore
only the System32 folder. I think on this way I can find out, in which
folder which files are responsible for my problem!

Thank you very much John!

You're welcome. If you can figure out where the changes were made let
us know your findings.

John
 
Sam Hobbs

John John said:
No, Sam. The security settings are saved and applied elsewhere, I don't
believe that you can restore the logon rights by registry modifications.


Sure, security settings exist elsewhere; somewhere in the NTFS which is not
documented. Security settings are DACLs, ACEs, SIDs and other objects which
are documented. The group policy that determines security settings does not
exist in the NTFS.
 
John John

Sam said:
Sure, security settings exist elsewhere; somewhere in the NTFS which is not
documented. Security settings are DACLs, ACEs, SIDs and other objects which
are documented. The group policy that determines security settings does not
exist in the NTFS.

It's not the same kind of security settings, Sam. I think you may have
been right in your first post, maybe flags in the Security Accounts
Manager (SAM) database decide if the policy applies or not. I don't
know. As far as I know this is run by the Local Security Authority
Subsystem Service (LSASS), but I'm just not sure where lsass obtains the
instructions.

Security Subsystem Architecture
http://www.microsoft.com/technet/pr...rv/reskit/distrib/dsbg_dat_dozq.mspx?mfr=true

John
 
Sam Hobbs

John John said:
It's not the same kind of security settings, Sam. I think you may have
been right in your first post, maybe flags in the Security Accounts
Manager (SAM) database decide if the policy applies or not. I don't know.
As far as I know this is run by the Local Security Authority Subsystem
Service (LSASS), but I'm just not sure where lsass obtains the
instructions.

Security Subsystem Architecture
http://www.microsoft.com/technet/pr...rv/reskit/distrib/dsbg_dat_dozq.mspx?mfr=true

John


I am not sure either. So hopefully our comments are enough for the purposes
of this thread. I don't know much about the LSASS but I know it is worth
learning about.
 
