I can't log on to my server with an Administrator account.

Sara

Hi everyone,

I changed something in my policy about a month ago and never restarted my server.
When I restarted my server last night, I couldn't log on as an
administrator, since it said it can't log on locally.
I can only log on to my server by using Remote Desktop from another machine.
I checked Default Domain Controller Security Settings, and under Local
Policies - User Rights Assignment - Allow log on locally, I do see
administrator in the setting. What else should I check from here?
Can anyone give me any advice? Thank you.
 
Steven L Umbach

If this is a domain controller you want to make sure that administrators is in the
setting for logon locally and that there is no overriding setting in deny logon
locally keeping in mind that administrators are in the users and everyone groups. I
would suggest that you define deny logon locally and add the guest account in Domain
Controller Security Policy. You should also check Local Security Policy on that
domain controller to see what the effective settings are for logon locally and deny
logon locally. If you change Domain Controller Security policy, run secedit
/refreshpolicy machine_policy /enforce on it to speed up change to local policy.

If this is not a domain controller, look in the Local Security Policy of the server
for those two user rights and configure them appropriately keeping in mind that a
higher level policy such as a GPO for the Organizational Unit that the server is in
can override the local settings and if that is the case the GPO will have to be
modified to allow local logon. --- Steve
 
Sara

Mine is a DC with AD, so there's no local security policy though.
When I open Default Domain Security Settings and go to Local Policies -> User
Rights Assignment, define these policy settings and click Apply,
I get an error message: "Administrator must be granted the logon local
rights."
I know the "administrator" has the right to log on locally under
"Default Domain Controller Security Settings." What else should I check?

Last question: can I run Dcupdate in Win 2k3 instead of refreshpolicy?
 
Steven L Umbach

There is a Local Security Policy on all domain computers, however defined settings in
Domain Controller Security Policy will override Local Security Policy defined
settings. You should also check the deny logon locally setting that can override the
logon locally setting. I would make sure it is defined with the guest account as the
sole entry in Local Security Policy. Yes gpupdate is used instead of secedit for
Windows 2003. --- Steve
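
Added example (not part of the original thread or any poster's code): a small Python check of the two user rights discussed above, run against a user-rights export such as one produced with secedit /export /cfg rights.inf /areas USER_RIGHTS. The sample export, the function names and the list of groups in an administrator's token are assumptions made for illustration; only well-known SIDs are matched, not account names.

```python
# Added example: audit "log on locally" vs "deny logon locally" from a
# secedit USER_RIGHTS export. SAMPLE_EXPORT is constructed, not real output.
# Real exports are usually UTF-16; open them with encoding="utf-16".

ALLOW = "SeInteractiveLogonRight"      # "Log on locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny logon locally"

# Groups assumed to be in an administrator's token (per the thread:
# administrators are also in the users and everyone groups).
ADMIN_TOKEN_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
}

# Constructed sample: 551 = Backup Operators, 546 = Guests, 545 = Users.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeDenyInteractiveLogonRight = *S-1-5-32-546,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_rights(text):
    """Return {right: set of SIDs/names} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {
                v.strip().lstrip("*") for v in value.split(",") if v.strip()
            }
    return rights

def admin_local_logon(rights):
    """Return (can_log_on, granting_groups, blocking_groups) for an administrator."""
    allow = rights.get(ALLOW, set())
    deny = rights.get(DENY, set())
    granted = sorted(n for s, n in ADMIN_TOKEN_SIDS.items() if s in allow)
    blocked = sorted(n for s, n in ADMIN_TOKEN_SIDS.items() if s in deny)
    # Deny wins over allow, so a single group entry in the deny list is enough.
    return bool(granted) and not blocked, granted, blocked

if __name__ == "__main__":
    print(admin_local_logon(parse_rights(SAMPLE_EXPORT)))
```

In the constructed sample, Administrators is granted the right but the Users entry in the deny list still blocks the logon, which is the override case described in the replies above.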
 
