LDAP work after demotion

Guest

I demoted a server to a member server of a domain.

But the LDAP service is still running and the local administrator account cannot log in.
The error says: The local policy does not permit to log on.

But in the local policy the log on locally right is enabled for the local admin account.

If I connect to the machine with ADSI editor, under the NC= node there is only one O=... object.

I think the demotion failed, but I don't know how I can remove all AD services or components from the server.

Thanks
 
Tim Springston [MSFT]

Hi Krisztian-

How did you check the log on locally right? What groups were listed in the
Effective column for that right in SECPOL.MSC?
--
Tim Springston
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Krisztian Monostori said:
I demoted a server to a member server of a domain.

But the LDAP service is still running and the local administrator account cannot log in.
The error says: The local policy does not permit to log on.

But in the local policy the log on locally right is enabled for the local admin account.

If I connect to the machine with ADSI editor, under the NC= node there is only one O=... object.

I think the demotion failed, but I don't know how I can remove all AD
services or components from the server.
 
Guest

Hi Tim

I checked it with the Local Security Settings snap-in from Start menu/Administrative Tools.
I see the log on locally right in secpol.msc but there is no local or built-in group in the effective policy settings. Only the local policy setting is set.


It looks like a domain controller's settings.

Do you have any idea?

Thanks

Krisztian
 
Tim Springston [MSFT]

Hi Krisztian-

Do you see a list in the Default Domain Controller Policy similar to this:

Access this computer from the network
=====================================
3 account(s) with the SeNetworkLogonRight user right:
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
BUILTIN\Administrators
NT AUTHORITY\Authenticated Users
All accounts enumerated


Logon Locally
=============
2 account(s) with the SeInteractiveLogonRight user right:
BUILTIN\Administrators
<Domain>\TsInternetUser
All accounts enumerated

If you do not, add these rights. For some of these to become active you may
need to reboot the server. Please repost if you hit any snags with that.
--
Tim Springston
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Krisztian Monostori said:
Hi Tim

I checked it with the Local Security Settings snap-in from
Start menu/Administrative Tools.
I see the log on locally right in secpol.msc but there is no local or built-in
group in the effective policy settings. Only the local policy setting
is set.
 
Guest

I have a problem adding these accounts.

The domain was upgraded from an NT domain, and runs in mixed mode.
I cannot add an account from the builtin group, or any container that was created by the Active Directory setup (computers, users).
I can't see these groups in the browser window when I add a new account to a specific domain policy right. Only the organizational units are shown and some authorities, e.g. BATCH, CREATOR OWNER, CREATOR GROUP etc., but without any folder information. The Administratoren group is not among these accounts. :-(

The original NT domain was German so the builtin\administrator group is called Administratoren :-(

If I open Active Directory Users and Computers, the builtin container is under the domain icon and it looks OK.

Thanks for your help.

PS: I think reinstalling all the servers from scratch could be a good solution for all the problems, but lots of people could have bigger problems from this :)
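
The user-rights check discussed in this thread can also be done by SID, which avoids the localized group name problem (Administrators vs. Administratoren). The following is an added example, not code from any poster: it parses the `[Privilege Rights]` section of an INF file such as `secedit /export /cfg <file> /areas USER_RIGHTS` writes and reports rights that lack a required SID. The sample export and the `REQUIRED` baseline are constructed for illustration.

```python
"""Check a secedit-style user-rights export for required SIDs (added example)."""
import sys

BUILTIN_ADMINISTRATORS = "S-1-5-32-544"  # well-known SID, same on every language version

# Hypothetical baseline for this example: rights the Administrators group should hold.
REQUIRED = {
    "SeInteractiveLogonRight": [BUILTIN_ADMINISTRATORS],
    "SeNetworkLogonRight": [BUILTIN_ADMINISTRATORS],
}

# Constructed sample, not taken from the thread: Administrators is absent
# from the interactive logon right.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-9,*S-1-5-11,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # Entries are comma separated; SIDs carry a leading '*'.
            # Accounts exported by name instead of SID are kept as-is.
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def missing_principals(rights, required):
    """Return [(right, sid)] for every required SID absent from a right."""
    gaps = []
    for right, sids in required.items():
        held = {p.upper() for p in rights.get(right, [])}
        gaps.extend((right, sid) for sid in sids if sid.upper() not in held)
    return gaps

if __name__ == "__main__":
    # Real exports are normally UTF-16; pass a path to check one, else use the sample.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for right, sid in missing_principals(parse_privilege_rights(text), REQUIRED):
        print(f"{right}: {sid} not granted")
```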
 