Admin user account locked out - need help!

Guest

While I was fooling around with the local security policies, I foolishly
added the administrator account to the deny log on locally user right. The
machine is networked with a server 2003 computer, and I was trying to
override the local security policy by placing the XP computer account in an
OU and linking it with a GPO with a domain security policy that gives the
administrator account the log on locally user right. But in moving the computer
account to the OU I lost the secure connection between server and client.
Now I don't have administrative rights to rejoin the computer to the domain.
I can access the XP computer with a limited user account, and there is
another local administrator account, but I can't for the life of me remember
the password, and I didn't create a password reset disk.

Is there any way I can recover the default Administrator account? Is there
any way I can restore the default local security policies even though I don't
have administrator privileges?
 
Steven L Umbach

There are a couple of ways to work around your problem, and probably the easiest
is to use the Resource Kit tool NTRights to remove administrator and/or
administrators from the user right for deny logon locally
[SeDenyInteractiveLogonRight]. You will need network access for file and
print sharing to the locked out computer from another computer, and log on to
the remote computer where you will run the command as a user that is an
administrator on the locked out computer. Another possibility is to use
psexec from SysInternals/Microsoft to gain access to the command prompt over
the network on the locked out computer and use the secedit command to reset
user rights to default defined levels as described in the KB article below
and appending areas /user_rights to the end of the command to only reset
user rights.

ntrights -u administrator -m \\computername SeDenyInteractiveLogonRight -r

http://support.microsoft.com/default.aspx?scid=kb;EN-US;313222 --- using
secedit to reset security settings in XP
http://www.petri.co.il/download_free_reskit_tools.htm --- download
ntrights here
http://support.microsoft.com/?id=279664 --- NTRights and note that the
syntax IS case sensitive
http://www.sysinternals.com/Utilities/PsExec.html --- psexec
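An added audit script for the failure mode this answer deals with (it is not from either poster and not part of the thread): it exports the local user-rights policy with secedit and flags any built-in administrator principal listed in SeDenyInteractiveLogonRight, so the check can be run on a machine before that right is edited. The temporary file name is my own choice.

```powershell
# Added example (not from the thread). Run from an elevated prompt BEFORE
# changing "Deny log on locally": export the local user-rights policy and
# flag any built-in administrator principal in SeDenyInteractiveLogonRight.
$inf = Join-Path $env:TEMP 'user_rights_audit.inf'   # assumed temp file name

# secedit /export writes the policy as an INF; /areas USER_RIGHTS limits the
# export to the [Privilege Rights] section we care about.
secedit /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null

# Principals that must never be denied interactive logon on a workstation:
# the Administrators group (well-known SID) and the built-in Administrator
# account (RID 500 in the machine's own SID namespace).
$adminsGroupSid  = 'S-1-5-32-544'
$builtinAdminRid = '-500'

$line = Get-Content $inf | Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
if (-not $line) {
    Write-Output 'SeDenyInteractiveLogonRight is not defined: nobody is denied local logon.'
    Remove-Item $inf -ErrorAction SilentlyContinue
    return
}

# Values are comma separated; SIDs are prefixed with '*', unresolved names appear bare.
$entries = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() }
foreach ($e in $entries) {
    $sid            = $e.TrimStart('*')
    $isAdminGroup   = ($sid -eq $adminsGroupSid)
    $isBuiltinAdmin = ($sid -like "S-1-5-21-*$builtinAdminRid")
    $isAdminByName  = ($e -match '^(Administrator|Administrators)$')
    if ($isAdminGroup -or $isBuiltinAdmin -or $isAdminByName) {
        Write-Warning "Lockout risk: '$e' is listed in SeDenyInteractiveLogonRight."
    } else {
        Write-Output "Denied local logon: $e"
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

The RID 500 pattern also matches a domain's built-in Administrator account, which is deliberate: denying that account local logon on a domain member is the same class of mistake.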
 
Guest

This is probably a stupid question, but when you say another computer, are
you referring to another computer besides the domain controller or the
workstation? If so, I'll need to borrow one from a friend. As for the
SeDenyInteractiveLogonRight, is that in the context of one of the other
commands? I downloaded ntrights (along with a bunch of other administrative
utilities) for 2003 from the windows website because the link you've provided
might have become stale. When I type /? to view a list of the commands and
switches on the ntrights utility I see:

SeCreateTokenPrivilege
SeAssignPrimaryTokenPrivilege
SeLockMemoryPrivilege
SeIncreaseQuotaPrivilege
SeUnsolicitedInputPrivilege
SeMachineAccountPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeCreatePagefilePrivilege
SeCreatePermanentPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeChangeNotifyPrivilege
SeRemoteShutdownPrivilege

So is the SeDenyInteractiveLogonRight in the context of one of these
commands, or have I downloaded the wrong version?

Also, I tried the psexec approach but was unable to open the command prompt
on the remote computer that is locked out. I received the message, "The
trust relationship between this workstation and the primary domain failed."
I think I need to change the workstation to reside on a workgroup and then
rejoin it to the domain in order to recreate this trust, but I don't have
administrative privileges to do this.
I don't know the password for either of the local administrator accounts
that I created. I can only logon as a limited user.

Do you have any more advice?

I appreciate you helping me out of the ridiculous predicament I seem to have
put myself in.


Steven L Umbach

It should work with SeDenyInteractiveLogonRight, but since you do not know
the credentials for a local administrator account, that will not help,
though you can reset the password to gain access, if you are authorized to,
with the help of the info in the link below. You would want to specify the name
of the locked out computer, running the ntrights command on another computer
on your network while logged on as a user account that is a local
administrator of the locked out computer.

http://www.petri.co.il/forgot_administrator_password.htm

Since it is a domain computer what also should work is create an
Organizational Unit with a Group Policy linked to it that has the user right
for deny logon locally defined but blank [computer configuration/Windows
settings/security settings/local policies/user rights] or with an account
such as guest listed. Then you could use Active Directory Users and
Computers to move the computer account of the locked out computer into that
OU and then reboot it. Then the domain level setting for that user right
should override the setting in Local Security Policy. However it may not
work because of the message you got about the trust relationship having
failed.

If nothing seems to work you could try copying the security file from the
\windows\repair folder to the \windows\system32\config folder after renaming
the security file in that folder. You can not do that while the operating
system is running in normal mode but could possibly do it while using
Recovery Console.

Steve

http://support.microsoft.com/kb/314058/ --- XP Recovery Console
