2003 change logon locally settings now problems!

Leythos

I changed the logon locally settings and included the "administrator"
user, "administrators" group, and a couple of others, including one generic
User.

When I did a gpupdate /force it told me to log out. I did, and now when I log
back in it gets as far as "applying your settings" and never makes it
past that to the desktop.

Any ideas, other than restoring a tape backup, on how to fix this?
 
(Re)Configure the GPO from another PC...

--

Paul Williams
_________________________________________
http://www.msresource.net


Join us in our new forums!
http://forums.msresource.net
_________________________________________
 
(Re)Configure the GPO from another PC...

Since it's the only DC in the group, how would I do that? I can't even
TS into the server as Administrator at this time.

Mark
 
On Tue, 29 Jun 2004 23:39:40 GMT, Leythos spoketh
Since it's the only DC in the group, how would I do that? I can't even
TS into the server as Administrator at this time.

Mark

Can you get to the event logs from another computer? That might give you
some clues as to what's going on...

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
 
On Tue, 29 Jun 2004 23:39:40 GMT, Leythos spoketh


Can you get to the event logs from another computer? That might give you
some clues as to what's going on...

Yea, this is going to suck real bad. I may be able to log on as Admin at
another machine, but even another DC (different domain) can't open the
GP on that machine.

I'll go to the office on Wed and reboot the server, maybe I can get in
after that.
 
Hi

Is this a DC? If so, try this:

1. On a different machine that you can log onto, open MMC and add the
Computer Management snapin and point it at the problem DC.

2. Enable and start the telnet service.

3. Telnet into this machine.

4. Apply the setup security policy:

secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

5. Reboot and attempt to log on.

6. Once you're successfully logging in, set up the appropriate environment
variable as per:

250454 You receive the "The data is invalid" error message when you try to
http://support.microsoft.com/?id=250454

7. Apply the Basic DC security policy:

secedit /configure /cfg %windir%\repair\basicdc.inf /db basicdc.sdb /verbose

Hope that helps.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
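
Steps 4 and 7 above apply a whole template with secedit /configure, and the user right this thread is about ("log on locally") lives in the template's [Privilege Rights] section. As an added example (not part of the original posts and not Microsoft's code), this Python check reads that section and flags a logon-rights list that would leave BUILTIN\Administrators unable to log on locally. The sample template, the CORP\genericuser account and the function names are constructed for illustration.

```python
"""Pre-flight review of [Privilege Rights] in a security template (.inf)."""

ADMINISTRATORS = "*S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample in the layout security templates use; not from the thread.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
; "log on locally" restricted to Server Operators and one generic user
SeInteractiveLogonRight = *S-1-5-32-549,CORP\\genericuser
SeDenyInteractiveLogonRight =
SeRemoteInteractiveLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

def privilege_rights(inf_text):
    """Return {right: [principals]} parsed from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INF comment
            continue
        if line.startswith("["):                  # a new section begins
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def lockout_findings(rights, required=(ADMINISTRATORS,)):
    """List logon-right settings that would shut out the required SIDs.

    Assumption: principals are compared as SID strings only; account names
    that appear in a template are not resolved to SIDs here.
    """
    findings = []
    allow = rights.get("SeInteractiveLogonRight")
    deny = [p.lower() for p in rights.get("SeDenyInteractiveLogonRight", [])]
    for sid in required:
        # A right defined in the template replaces the existing list outright.
        if allow is not None and sid.lower() not in [p.lower() for p in allow]:
            findings.append(f"SeInteractiveLogonRight omits {sid}")
        if sid.lower() in deny:
            findings.append(f"SeDenyInteractiveLogonRight includes {sid}")
    return findings
```

To review a real template, pass its text to privilege_rights(); templates written by secedit are typically UTF-16, so open the file with encoding="utf-16".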
 
Hi again

Almost forgot. Turn telnet back off when you're done :)

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
 
Hi

Is this a DC? If so, try this:

This is the only 2003 server in the company - and it's the one that
everyone connects to.

1. On a different machine that you can log onto, open MMC and add the
Computer Management snapin and point it at the problem DC.

Ok, from an XP Pro machine, Domain member, I will open it.

2. Enable and start the telnet service.

3. Telnet into this machine.

So, start the telnet service on the DC using the CM snapin.

4. Apply the setup security policy:

secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

Ok, so, from the telnet session, I run the above command.

5. Reboot and attempt to log on.

6. Once you're successfully logging in, set up the appropriate environment
variable as per:

250454 You receive the "The data is invalid" error message when you try to
http://support.microsoft.com/?id=250454

Do you know, even after reading it, if this is going to trash all my
users and permissions that we've set up on shares and such?

7. Apply the Basic DC security policy:

secedit /configure /cfg %windir%\repair\basicdc.inf /db basicdc.sdb /verbose

Do you know, even after reading it, if this is going to trash all my
users and permissions that we've set up on shares and such?

Hope that helps.

Kind regards

If this works I will owe you a big one, this may just save doing a full
restore.
 
Hi

It's not going to break permissions on folders that are non-default. It
resets a lot of registry keys and file/folder permissions to the default DC
install. It also resets event log settings like log size etc and the
specific security settings you're probably in trouble with. To completely
understand what these are going to do, open the .inf files in notepad and
take a look.

To answer your questions:

Yes, you enable telnet via the Computer Management snapin while it's
pointing to the problematic DC.

Yes, you execute the secedit command from the telnet session.

HTH
--
Mark Renoden [MSFT]
Windows Platform Support Team
 
Thanks for the response - I will be testing this today, early.
 
I followed all the steps, 1..6 without problem, when I got to step 7
there were no basicdc files in that folder. Now, don't worry, everything
seems to be working. The "allow to logon locally" also seems to work and
it even retained the settings I had already placed in it just before the
crash.

As far as I can tell things are working fine - I've rebooted several
times and checked the event logs and other than MAS200 failing to load,
which was a new install before the problem and never tested on reboot,
it all seems to be working.

Thanks for your great assistance and help.
 
Hi again

Try applying Defltdc.inf instead of Basicdc.inf. Make sure you create the
environment variables as per the KB I mentioned. You want to apply a policy
that sets some DC defaults.

Glad to have helped.
--
Mark Renoden [MSFT]
Windows Platform Support Team
 
Hi again

Try applying Defltdc.inf instead of Basicdc.inf. Make sure you create the
environment variables as per the KB I mentioned. You want to apply a policy
that sets some DC defaults.

Mark - I did set the environmental variables - they were not present
when I started (I checked) and it's working fine.

As for the Defltdc.inf, it does not appear that I need it - all of the
DC rules/settings I created using the MMC snap-ins appear to be there
already.

For what it's worth, all of the functions seem to work, no errors in any
place in the event logs, DNS, DHCP, Users, Profiles, redirected folders,
trusts with other domains, etc... They all appear to be working.

I'll check for the default file, assuming that I find it, and assuming
I'm missing something, would the command (on 2003) be as follows:

secedit /configure /cfg %windir%\repair\Defltdc.inf /db Defltdc.SDB /verbose

Notice that I replaced the basic with deflt and still used the SDB
extension on the final argument.

Thanks again,
Mark
 
Hi

That'd be it.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
 
Mark - I have another question, if you have time, please:

I want to create a user that can log onto the server, control all
services, install/uninstall, but has no access to anything other than
the server. They should not be able to create users, delete users, and I
will have to modify permissions in some folders to keep them out.

Reason for this strange request: We have an accounting package called
MAS200, it runs as a service. The company that sold it to the company I
support has asked for remote access to the server. I configured the
firewall to permit them to VPN into the firewall and then only have
access to the Server. In order for them to log on to the server and work
with services I granted them "Server Operator" membership, but I'm not
sure that it provides the limitations I want. I have them set up
currently and they can TS into the server, but I'm wondering what others
do in this type of situation?

That was the reason I started messing with the allow local logon, but, I
burned myself on that one - I rebooted a test station and any new user
that attempted to log on to it was restricted from logon by policy -
removal of the "allow local logon" settings and rebooting the
workstation permitted them to log on (test account).

So, any ideas, or am I just trying to lock a remote-support team down too
tightly while giving them enough to do their work?
 
Hi

Not sure there's a straightforward solution. Why does this software need
to run on a DC? If it could be run elsewhere on a member server, you may
not need the level of granularity you're trying to get.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team