HELP!!! Unable to logon to Server 2000


Dave W

Some changes were made to group policy several days ago
and something musta got screwed up because I cannot log
back in now that I have logged out. I get the following
message after the failed login: "the local policy of this
system does not permit you to logon interactively"
Is there anything that I can do?
 

Chriss3 [MVP]

Restart the computer into DS restore mode. Try to change local GPO, or try
to change it from another computer.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
 

Dave W

Thanks, but how do I "use" it? It's a little exe that
apparently must be run in a windows environment. If I
can't logon, how do I do that?

Dave
 

Steve

Dave

If you're saying you cannot logon to anything in the domain, that is another
story with a whole lot of different questions attached. You state Server in
the subject, but is this server a DC or member server, is it the only DC,
what group policy was changed, what changes were made to that policy,
etc. etc.?

You will have to say if this is the case and the questions will start from
there.

Else I am assuming that you're talking about 1 server affected under a GPO change
and the SeInteractiveLogonRight has been removed from some group such as
Administrators or Everyone (quite common, that's why Joe did the tool) and
you have workstation access with network access or another server to login
to.

If this is the case then you just point the exe at the problem machine and
input the details.
(Hint: try a local admin account on a machine if the domain account cannot
login, then run the cmd prompt using "run as" and input your domain account
details.)
(Hint 2: is it a server in remote admin mode? Then try a TS connection to the
server and login that way; if you normally TS on for access then try the
console.)

So say server 1 is the problem in domain 1 for admin1 and he gets the error
trying to logon: open a command prompt on a workstation on the domain that
has network access:
SeInteractiveLogonRight domain1\admin1 server1


You can do the same with NTRights.exe as well from the resource kit except
this has access to other settings.

Help details from the Exe
SeInteractiveLogonRight V00.10.00cpp (e-mail address removed) September 2001

Usage: sEINTERACTIVELOGONRIGHT <[DOMAIN\]Account> [TargetMachine]
Will set SeInteractiveLogonRight for account on targetmachine
Will clear SeDenyInteractiveLogonRight for account on targetmachine

Will remove Everyone well known group from
SeDenyInteractiveLogonRight on targetmachine

Example: sEINTERACTIVELOGONRIGHT joehome\$jricha34 pro2


If this is not the case then post back with some specific details on the
situation, the lists are good but my crystal ball is on the blink at the
moment with a hardware error ;-)

hth
Steve



Code based off of MSDN Library code LSAPRIV
 

Dave W

Whew! Where to begin. The machine in question is the lone
DC in a single AD domain. I do have another server that I
work on that is being replicated to though (I think). All
the other machines can be logged into. I have tried
several other accounts on the DC and none of them will log
in. I first noticed the problem over the past weekend when
I tried to connect from home via term. serv's. The
same "interactive logging" message. I believe the GPO that
I screwed with was the one for the DC's as the one for the
domain is and has been disabled for some time. I have been
able to connect to the AD users & computers through my PC
(server #2) and the log on locally has all the users and
groups that I believe are necessary. The program that
precipitated this with the GPO was a mail/spam app that
wouldn't start its engine so I thought that the log on
parameters were the place to go. I have since uninstalled
the app, which BTW was never on the DC. So are you saying
that with the SeInteractiveLogonRight app, I just need to
change to the directory in which it resides on a
workstation and do a path as spelled out to the affected
server over the network?? OK, I just tried that and it
obviously went through its process and returned to the
prompt. I tried logging in to the server and still got the
same message. I may have also changed something inside
the control panel>administrative tools>local security
settings on the affected server and for sure on server #2
(where the P.O.S. application had been installed). I had
to change the default policy from the #2 server to the
domain from within the drop-down list box at the top of
the window. Would changes made on a server that is being
replicated to, replicate back to the DC?

I'm at my wits end on this. Any other suggestions would be
greatly appreciated.

Dave
 

Steven L Umbach

Install Adminpak on one of your Windows 2000 domain computers that you can
logon to as a domain administrator and use it to modify the problem policy
from that computer. My guess is that the change was made in Domain
Controller Security Policy under security settings/local policies/user
rights. Look at the two user rights for logon locally and deny logon
locally. By default administrators is in the logon locally for domain
controllers and the deny logon locally is defined but empty. If there is
more than one GPO in the domain controller container you will need to check
them all for those user rights. Adminpak is on the server install disk in
the I386 folder. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;216999
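
The check described in the reply above (look at "logon locally" and "deny logon locally" in every GPO linked to the domain controllers container) can also be done offline against the GPOs' security templates, which live in SYSVOL as `GptTmpl.inf`. This is an added example, not part of the original thread and not code from any tool mentioned in it; the GPO names, accounts and template contents are constructed, and the precedence order of the GPOs is assumed to be supplied by the caller.

```python
# Added example; every GPO name, account and template below is constructed.
ALLOW = "SeInteractiveLogonRight"        # "Log on locally"
DENY = "SeDenyInteractiveLogonRight"     # "Deny logon locally"


def normalize(principal):
    """Templates write SIDs as *S-1-...; account names compare case-insensitively."""
    return principal.strip().strip('"').lstrip("*").lower()


def parse_privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section.

    A right present with an empty value maps to [] ("defined but empty"),
    which is different from a right that is absent (not defined in this GPO).
    """
    rights = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = [normalize(p) for p in value.split(",") if p.strip()]
    return rights


def effective_rights(templates):
    """templates: list of (gpo_name, inf_text), lowest precedence first.

    User-rights lists are not merged across GPOs: the last GPO that defines
    a right replaces whatever earlier GPOs said about it.
    """
    effective = {}
    for gpo_name, inf_text in templates:
        for right, principals in parse_privilege_rights(inf_text).items():
            effective[right] = (gpo_name, principals)
    return effective


def logon_findings(effective, token):
    """token: the account plus the groups/SIDs it belongs to (caller-supplied).

    If no GPO defines a right, the machine's local policy decides and this
    offline check reports nothing for it.
    """
    token = {normalize(t) for t in token}
    findings = []
    if ALLOW in effective:
        gpo, allowed = effective[ALLOW]
        if not token & set(allowed):
            findings.append(f"{ALLOW} from '{gpo}' does not include the account "
                            f"or any of its groups: {allowed}")
    if DENY in effective:
        gpo, denied = effective[DENY]
        hit = sorted(token & set(denied))
        if hit:
            findings.append(f"{DENY} from '{gpo}' lists {', '.join(hit)}")
    return findings


# Constructed sample: the default state described above (Administrators in
# "logon locally", "deny logon locally" defined but empty).
DEFAULT_DC_POLICY = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551
SeDenyInteractiveLogonRight =
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample: a second GPO edited to let a service account log on,
# which silently replaces the whole "logon locally" list.
MAIL_APP_POLICY = """\
[Privilege Rights]
SeInteractiveLogonRight = DOMAIN1\\svc_mail
"""

# Constructed token: admin1, BUILTIN\Administrators (S-1-5-32-544), Everyone (S-1-1-0).
ADMIN1_TOKEN = {"DOMAIN1\\admin1", "*S-1-5-32-544", "*S-1-1-0"}

if __name__ == "__main__":
    gpos = [("Default Domain Controllers Policy", DEFAULT_DC_POLICY),
            ("Mail app policy", MAIL_APP_POLICY)]
    for finding in logon_findings(effective_rights(gpos), ADMIN1_TOKEN):
        print(finding)
```

Real `GptTmpl.inf` files are usually UTF-16 encoded, so decode them accordingly before passing the text to `parse_privilege_rights`.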

-----Original Message-----
Go here
http://www.joeware.net/win32/index.html
download the SeInteractiveLogonRight from the win32 c++ tools page, have a
read, then run it and you're good to go

rgds
Steve



 

Steve

Dave
Other Steve here.
How are you doing on this at present? Have you managed to get to the policy
yet?

You're correct on the operation of the tool: open the cmd prompt on the
directory it resides in and run it.

So to grant the Administrator Group the local logon right just type
SeinteractiveLogonRight DomainName\Administrators ServerName
This would clear the local settings in the local security policy on the
server.

If you have changed the default domain controllers policy
then, as Steve L states, use the adminpak on another machine to change that
policy as well.

rgds
Steve


 

Dave W

Still can't logon to that machine. I ran the
SeInteractiveLogonRight app again and got an error msg
this time. In your post you spelled out the command
as "SeinteractiveLogonRight DomainName\Administrators
ServerName". Is "administrators" literal, including the
pluralization? Anyways, I do have the Administrative Tools
on my Program Menu (on my server#2) so I am able to access
the controls for the domain Controller (server#1). I have
checked the GPO for the DC group and it is exactly as I've
been told to set it (enable but don't specify for the "deny
logon", and the "logon locally" has the administrator, as
well as quite a few others, in it). At the moment it's not
a crisis, but I can see that happening at some point. Our
Exchange server is on that server. I can access various
files and folders through the Network Neighborhood as well.
That includes the "sysvol" share and others. I have even
tried disabling all of the policies.
 

Dave W

Good News! For whatever reason I was just able to log on
to that server. Through the network I was able to change
the administrator's p/w from ******* to blank, but that
was like hours ago and it wouldn't let me in all morning
(after trying as many things as I did, I won't be able to
determine for certain what the problem was). I'll betcha
that I'll be able to connect from home tonight through
term/serv's too. Just want to thank everyone that tried to
help.

Dave
 

Steve

Great, glad you're back in to the server.

Sorry, did slip with the extra s on Administrator, my fault.
Rgds
Steve




Dave W said:
Good News! For whatever reason I was just able to log on
to that server. Through the network I was able to change
the administrator's p/w from ******* to blank, but that
was like hours ago and it wouldn't let me in all morning
(after trying as many things as I did, I won't be able to
determine for certain what the problem was)I'll betcha
that I'll be able to connect from home tonight through
term/serv's too. Just want to thank everyone that tried to
help.

Dave
-----Original Message-----
Still can't logon to that machine. I ran the
SeInteractiveLogonRight app again and got an error msg
this time. In your post you spelled out the command
as "SeinteractiveLogonRight DomainName\Administrators
ServerName". Is "administrators" literal, including the
pluralization? Anyways, I do have the Administrative Tools
on my Program Menu (on my server#2) so I am able to access
the controls for the domain Contrioller (server#1). I have
checked the GPO for the DC group and it is exactly as I've
been told to set it(enable but don't specify for the "deny
logon" and the "logon locally" has the administrator (as
well as quite a few others in it). At the moment it's not
a crisis, but I can see that happening at some point. Our
Exchange server is on that server. I can access various
file and folders through the Network Neighborhood as well.
That includes the "sysvol" share and others. II have even
tried disabling all of the policies .
-----Original Message-----
Dave
Other Steve here
how are you doing on this at present? Have you managed to get to the
policy yet?

You're correct on the operation of the tool, open the cmd prompt on the
directory it resides and run it

so to grant the Administrator Group the local logon right just type
SeinteractiveLogonRight DomainName\Administrators ServerName
this would clear the local settings in the local security policy on the
server

If you have changed the default domain controllers policy
then as Steve L states use the adminpak on another machine to change that
policy as well.

rgds
Steve


"Steven L Umbach" wrote in message
Install Adminpak on one of your Windows 2000 domain computers that you can
logon to as a domain administrator and use it to modify the problem policy
from that computer. My guess is that the change was made in Domain
Controller Security Policy under security settings/local policies/user
rights. Look at the two user rights for logon locally and deny logon
locally. By default administrators is in the logon locally for domain
controllers and the deny logon locally is defined but empty. If there is
more than one GPO in the domain controller container you will need to
check them all for those user rights. Adminpak is on the server install
disk in the I386 folder. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;216999

message
Whew! Where to begin. The machine in question is the lone
DC in a single AD domain. I do have another server that I
work on that is being replicated to though (I think). All
the other machines can be logged into. I have tried
several other accounts on the DC and none of them will log
in. I first noticed the problem over the past weekend when
I tried to connect from home via term. serv's. The
same "interactive logging" message. I believe the GPO that
I screwed with was the one for the DC's as the one for the
domain is and has been disabled for some time. I have been
able to connect to the AD users & computers through my PC
(server #2) and the log on locally has all the users and
groups that I believe are necessary. The program that
precipitated this with the GPO was a mail/spam app that
wouldn't start its engine so I thought that the log on
parameters were the place to go. I have since uninstalled
the app, which BTW was never on the DC. So are you saying
that with the SeInteractiveLogonRight app, I just need to
change to the directory in which it resides on a
workstation and do a path as spelled out to the affected
server over the network?? OK, I just tried that and it
obviously went through its process and returned to the
prompt. I tried logging in to the server and still got the
same message. I may have also changed something inside
the control panel>administrative tools>local security
settings on the affected server and for sure on server #2
(where the P.O.S. application had been installed). I had
to change the default policy from the #2 server to the
domain from within the drop-down list box at the top of
the window. Would changes made on a server that is being
replicated to, replicate back to the DC?

I'm at my wits end on this. Any other suggestions would be
greatly appreciated.

Dave
-----Original Message-----
Dave

If you're saying you cannot logon to anything in the domain that is another
story with a whole lot of different questions attached you state Server in
the subject but
is this server a DC or Member server, is it the only DC, what group policy
was changed, what changes were made to that policy
etc etc.....

You will have to say if this is the case and the questions will start from
there.

else I am assuming that you're talking 1 server affected under a GPO change
and the SeInteractiveLogonRight has been removed from some group such as
Administrators or Everyone (quite common that's why Joe did the tool) and
you have workstation access with network access or another server to login
to.

If this is the case then you just point the exe at the problem machine and
input the details.
(Hint Try a local admin account on a machine if the domain account cannot
login, then run the cmd prompt using "run as" and input your domain account
details)
(Hint 2 is it a server in remote admin mode then try TS connection to the
server and login that way, if you normally TS on for access then try the
console.)

So say server 1 is the problem in domain 1 for admin1 and he gets the error
trying to logon
open a command prompt on a workstation on the domain that has network access
SeInteractiveLogonRight domain1\admin1 server1


You can do the same with NTRights.exe as well from the resource kit except
this has access to other settings.

Help details from the Exe
SeInteractiveLogonRight V00.10.00cpp (e-mail address removed)
September 2001

Usage: sEINTERACTIVELOGONRIGHT <[DOMAIN\] Account> [TargetMachine]
Will set SeInteractiveLogonRight for account on targetmachine
Will clear SeDenyInteractiveLogonRight for account on targetmachine

Will remove Everyone well known group from SeDenyInteractiveLogonRight on targetmachine

Example: sEINTERACTIVELOGONRIGHT joehome\$jricha34 pro2


If this is not the case then post back with some specific details on the
situation, the lists are good but my crystal ball is on the blink at the
moment with a hardware error ;-)

hth
Steve



Code based off of MSDN Library code LSAPRIV
message
Thanks, but how do I "use" it? It's a little exe that
apparently must be run in a windows environment. If I
can't logon, how do I do that?

Dave
-----Original Message-----
Go here
http://www.joeware.net/win32/index.html
download the SeInteractiveLogonRight from the win32 c++ tools page, have a
read, then run it and you're good to go

rgds
Steve



message
Restart the computer into DS restore mode. Try to change local GPO, or try
to change it from another computer.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips

"Dave W" <[email protected]> wrote in message
Some changes were made to group policy several days ago
and something musta got screwed up because I cannot log
back in now that I have logged out. I get the following
message after the failed login: "the local policy of this
system does not permit you to logon interactively"
Is there anything that I can do?




 
D

Dave W

A new problem has arisen, I believe because I ran that
little app from the command prompt, I cannot start my
exchange system manager now. I get the following
error: "Facility Win32, I.D. No. 8007203b Exchange System
Manager" I looked it up on the MS KB and it said to restart
the Kerberos service in the services. I did, and it didn't
help. I think I wiped out some sort of authentication for
the exchange services by running it. Is there some way to
revert, or undo, what I did?

Dave
 
A

Andrew Mitchell

Dave W said:
A new problem has arisen, I believe because I ran that
little app from the command prompt, I cannot start my
exchange system manager now. I get the following
error: "Facility Win32, I.D. No. 8007203b Exchange System
Manager" I looked it up on the MS KB and it said to restart
the Kerberos service in the services. I did, and it didn't
help. I think I wiped out some sort of authentication for
the exchange services by running it. Is there some way to
revert, or undo, what I did?

Your exchange service is probably authenticating using the Administrator
account, for which you have changed the password.
Go into your services in computer management and tell the exchange service to
use the new password.
 
D

Dave W

I couldn't get into the AD Users & computers or AD sites &
services and domains & trusts etc, etc. Fortunately, I was
able to connect to those through server #2 and I
reconnected to the primary server through the AD domains &
trusts and redid the Operations master and that seemed to
solve the problem. WHEW!!!! Thanks and I hope that's all.

Dave
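
The check Steven L Umbach describes in the thread (Administrators present in "logon locally", "deny logon locally" defined but empty, repeated for every GPO on the domain controllers container) can be run from another machine against the GptTmpl.inf security templates under each GPO's MACHINE\Microsoft\Windows NT\SecEdit folder on the SYSVOL share. This is an added example, not part of any poster's message and not the joeware tool's code; the sample templates are constructed, and it assumes the rights are stored in the template's [Privilege Rights] section.

```python
# Added example: audit GptTmpl.inf security templates for the two logon rights.
ADMINISTRATORS = "S-1-5-32-544"  # BUILTIN\Administrators
EVERYONE = "S-1-1-0"             # Everyone
# Older templates may list account names instead of *SID entries.
ALIASES = {"administrators": ADMINISTRATORS, "everyone": EVERYONE}

def parse_privilege_rights(inf_text):
    """Return {right_name: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            members = [m.strip().lstrip("*") for m in value.split(",")]
            rights[name.strip()] = [ALIASES.get(m.lower(), m) for m in members if m]
    return rights

def audit_logon_rights(inf_text):
    """Flag settings that can lock administrators out of interactive logon."""
    rights = parse_privilege_rights(inf_text)
    allow = rights.get("SeInteractiveLogonRight")    # None = not defined in this GPO
    deny = rights.get("SeDenyInteractiveLogonRight") or []
    findings = []
    if allow is not None and ADMINISTRATORS not in allow:
        findings.append("SeInteractiveLogonRight defined without Administrators")
    for sid, label in ((EVERYONE, "Everyone"), (ADMINISTRATORS, "Administrators")):
        if sid in deny:
            findings.append("SeDenyInteractiveLogonRight contains " + label)
    return findings

def audit_file(path):
    # Assumption: GptTmpl.inf is saved as UTF-16 with a byte-order mark.
    with open(path, encoding="utf-16") as handle:
        return audit_logon_rights(handle.read())

# Constructed sample templates (not taken from the thread).
GOOD_TEMPLATE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeDenyInteractiveLogonRight =
"""
BAD_TEMPLATE = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-551,Server Operators
SeDenyInteractiveLogonRight = Everyone
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_TEMPLATE), ("bad", BAD_TEMPLATE)):
        print(name, audit_logon_rights(text) or "no findings")
```

Run audit_file over the template of every GPO linked to the domain controllers container; a GPO that does not define a right returns no finding for it.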
 
