Using NTRIGHTS utility in Windows 2000

[Guest]

Hello. Have a user who managed to change the local policy on his PC to not
allow any interactive logon. I have tried using the NTRIGHTS utility from the
Resource kit but I constantly get the same error. Wanted to see if any one
knows what this error means and how to get arround it.

***Error*** OpenPolicy -1073741790.

Have looked on the Internet but have not found a good explanation or
solution. Any help will be appreciated.

 

[Steven L Umbach]

Can you access the C$ administrative share on his computer from another
computer on the network? That is required for using NTrights but if you can
access the administrative share there may be other ways to fix the problem
including using psexec to use a remote command line to use secedit as shown
below to reset security polices to default defined levels. If nothing seems
to help you could try a parallel install of the operating system, putting
his hard drive in another computer as slave/secondary, booting from a PE OS
such as Bart's PE, or trying Recovery Console to copy the security file from
winnt\repair to \winnt\system32\config after backing up the original
security file first.

http://www.microsoft.com/technet/sysinternals/Security/PsExec.mspx --
psexec

http://support.microsoft.com/kb/313222

 

[Guest]

Steve -

Unfortunately I can not get to the Admin share. The user reset the
local policy on this PC. I thought of the slaving concept but since I cant
get to C$ it might not work. The only thing that comes to mind would be to
boot it into F8 recovery mode and try to go in using Dos mode and see if I
can replace the files that way. Have no tried that as of yet. Thanks for your
input. If any other ideas come up by all means please share any help would be
appreciated.

 

[Steven L Umbach]

Slaving his hard drive should work. The C$ is only a network share and by
putting his hard drive in another computer you would be able to manage any
files or registry settings directly on it.

You say you can not access his C$ share over the network. Just to clarify
you would need to be logged onto another computer on the local network as a
user/password that is an administrator on the locked out computer and in the
run box of the computer you are trying to access from enter
\\computername\c$ or \\xxx.xxx.xxx.xxx\c$ where xxx.xxx.xxx.xxx is the IP of
the locked out computer. This all assumes that the locked out computer has
file and print sharing enabled, no software firewall blocking access to it,
and the user right for access the computer from the network is allowed for
the administrator account. I have had luck in the past with copying the
security file from the \winnt\repair folder to the \winnt\system32\config
folder.

Steve