Local Administrator "locked out"

OxygeN

Hello all.
I got a "nice" problem here: one of my Win2k (SP4) PCs has the local
Administrator account "locked out" by means of the PCs local policies
(the parameter "Deny logon locally" has been set with "Administrator").
Now, the sad part of this all is the fact that *no other* account is
member of "Administrators" local group.
So, I can't "administer" that PC anymore.
The PC is a domain member (Win2k domain), so maybe there's some "trick"
or "workaround" to fix this situation?

Many thanks in advance.
Miha Pihler [MVP]

Hi,

Since this server is part of domain create new OU (e.g. Temp OU) and create
new policy on this OU that will override local policy (e.g. make sure that
in this policy local administrator is _not_ part of "Deny logon locally").
Move the computer account to this Temp OU and reboot Windows 2000 server and
wait for it to refresh the policy.
OxygeN

Miha Pihler [MVP] ha scritto:
Hi,

Since this server is part of domain create new OU (e.g. Temp OU) and create
new policy on this OU that will override local policy (e.g. make sure that
in this policy local administrator is _not_ part of "Deny logon locally").
Move the computer account to this Temp OU and reboot Windows 2000 server and
wait for it to refresh the policy.

It's not a "server" having this trouble; instead, it is a client PC.
Now, I've created a "temp" OU and created a GP on it. In this GP, I've
set "Deny logon locally" to be *enabled* but also *empty*. At the end,
I've put the Computer account into that OU and rebooted it.

Any other things I would have to do?
OxygeN

OxygeN ha scritto:
It's not a "server" having this trouble; instead, it is a client PC.
Now, I've created a "temp" OU and created a GP on it. In this GP, I've
set "Deny logon locally" to be *enabled* but also *empty*. At the end,
I've put the Computer account into that OU and rebooted it.

I forgot to mention that NOTHING changed: I still can't log on with
the local administrator account. Is this because of the Local Policy
being applied *before* the Group Policy, and thus clearing the expected
result?
Miha Pihler [MVP]

Hi,

Put another user (do not put Administrator account or any group) into the
policy "Deny Logon Locally". This will override existing settings next time
the policy is refreshed. You can reboot the computer a few times to speed up
the refresh process.
OxygeN

Miha Pihler [MVP] ha scritto:
Hi,

Put another user (do not put Administrator account or any group) into the
policy "Deny Logon Locally". This will override existing settings next time
the policy is refreshed. You can reboot the computer a few times to speed up
the refresh process.

Seems to be leading nowhere! :-/
I've put a domain user (which is *not* the Admin User) into the GPO,
which apparently should overwrite the Local Setting, right?
Well, I then logged off and tried to log on as "Local Admin", but I'm
still locked out.
Miha Pihler [MVP]

Hi,

Do you know exactly which user or group you put into the policy?
Do you know exactly which policy you changed?

What is the exact error that you get when you try to logon?

Do you have any local administrator accounts that you can use to logon?
OxygeN

Miha Pihler [MVP] ha scritto:
Hi,

Do you know exactly which user or group you put into the policy?

If you're asking about the "Local Policy" of the client PC, I put into
the "Deny logon locally" only the local "Administrator" account.
If you're asking about the GPO in AD, applied to the special OU in which
I put *just* this only client, I put in the "Deny logon locally" policy
the user "DOMAIN\diego" (a random one, but still an existing and active
account).
Do you know exactly which policy you changed?

Yes, as from above: "Deny logon locally" (on the clients' local policies)...
What is the exact error that you get when you try to logon?

I don't remember the exact text message, but it states that the account
cannot logon (Administrator on (Local Computer))...
Do you have any local administrator accounts that you can use to logon?

No, I haven't. Otherwise I wouldn't be posting here... :-/

Any other clues to solve this mismatch?
Miha Pihler [MVP]

Hi,
In this case you should be able to logon with domain administrator
account... Still you can try this.

Create new user account in domain (temp_user). Add it to Domain
Administrator group. Now reboot your Windows 2000 PC and try logging on with
this new Domain Administrator account...

Once logged on change the policy. Don't forget to delete temp_user.
Paul Adare

microsoft.public.win2000.security news group, Miha Pihler [MVP] <mihap-(e-mail address removed)> says...
Hi,

Put another user (do not put Administrator account or any group) into the
policy "Deny Logon Locally". This will override existing settings next time
the policy is refreshed. You can reboot the computer a few times to speed up
the refresh process.

Sorry to contradict you here Mike, but this simply won't work. The Allow
and Deny Logon locally policies are cumulative which means both the
local settings and any domain based GPO settings are combined.

Your suggestion later in this thread about logging on with an account
that is a member of Domain Admins should work, assuming that Domain
Admins is still a member of the local Administrators group and that is
indeed the account Administrator that has been denied the logon locally
right and not the Administrators group.

--
Paul Adare - MVP Virtual Machines
"It all began with Adam. He was the first man to tell a joke--or a lie.
How lucky Adam was. He knew when he said a good thing, nobody had said
it before. Adam was not alone in the Garden of Eden, however, and does
not deserve all the credit; much is due to Eve, the first woman, and
Satan, the first consultant." - Mark Twain
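Paul's point (deny lists from the local policy and from domain GPOs are merged, not overridden) can be checked before a lockout happens. The following is an added example, not code from the thread or from any poster: it parses the `[Privilege Rights]` section of two secedit-style INF exports (assumed to be the format `secedit /export /cfg` writes; the SIDs and the two fragments below are constructed samples), takes the union of the `SeDenyInteractiveLogonRight` entries, and reports any administrative principal (BUILTIN\Administrators or a RID-500 account) that is still denied.

```python
"""Lockout check for 'Deny log on locally' using the cumulative merge rule.

Assumption: input is the [Privilege Rights] section of a secedit-style INF
export. The two fragments below are constructed samples, not real policy."""
import re

DENY = "SeDenyInteractiveLogonRight"
BUILTIN_ADMINS = "S-1-5-32-544"   # well-known SID of the local Administrators group

# Constructed sample: the client's local policy denies the built-in
# Administrator (RID 500); the domain GPO denies some other domain user.
LOCAL_INF = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-21-1000-2000-3000-500
"""
GPO_INF = """[Privilege Rights]
SeDenyInteractiveLogonRight = *S-1-5-21-1000-2000-3000-1105
"""

def parse_rights(inf_text):
    """Return {right_name: set_of_SIDs} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, values = line.partition("=")
            # secedit prefixes SIDs with '*'; strip it so names compare cleanly
            sids = {v.strip().lstrip("*") for v in values.split(",") if v.strip()}
            rights[name.strip()] = sids
    return rights

def merged_deny(*policies):
    """Deny assignments are cumulative: the effective set is the union of all sources."""
    out = set()
    for p in policies:
        out |= parse_rights(p).get(DENY, set())
    return out

def is_admin_principal(sid):
    """BUILTIN\\Administrators, or any account whose RID is 500 (built-in Administrator)."""
    return sid == BUILTIN_ADMINS or re.fullmatch(r"S-1-5-21(-\d+){3}-500", sid) is not None

def admins_denied(*policies):
    """Administrative principals that remain denied after merging every source."""
    return sorted(s for s in merged_deny(*policies) if is_admin_principal(s))

if __name__ == "__main__":
    print("admin principals denied interactive logon:", admins_denied(LOCAL_INF, GPO_INF))
```

Adding a different user in the GPO, as tried above, only grows the merged set; the local Administrator stays denied until the local entry itself is removed.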
OxygeN

Paul Adare ha scritto:
Sorry to contradict you here Mike, but this simply won't work. The Allow
and Deny Logon locally policies are cumulative which means both the
local settings and any domain based GPO settings are combined.

I noticed this behaviour, because I didn't get any positive results
while adding a "random" user to that policy: Administrator STILL can't
logon.
Your suggestion later in this thread about logging on with an account
that is a member of Domain Admins should work, assuming that Domain
Admins is still a member of the local Administrators group and that is
indeed the account Administrator that has been denied the logon locally
right and not the Administrators group.

I'm sorry, but as I believe to have mentioned before: the SAD thing is
that no "Domain Admins" group is part of the local Administrators
group.. :-/

I guess my only solution is to reinstall Win2k, or what do you think?

Regards,
OxygeN
Steven L Umbach

What Mike originally suggested should work but I would also add users and/or
administrators to the logon locally user right in the GPO linked to the OU
where you moved the computer. If that is not working then you have a problem
with Group Policy applying for various reasons to that computer which may
show up as userenv errors/warnings in the application log that you should be
able to view remotely or while logged on as a regular user account. It may
also help to view the security logs on that computer to see what the failed
logons say and you can do that remotely via Computer Management - other
computer.

If all fails what may work to undo a Local Security Policy user
right problem is to copy the \winnt\repair\security file to the
\winnt\system32\config folder after renaming the security file there first.
You would have to do that outside of the operating system by placing the
hard drive in another computer as a secondary/slave drive or booting with
something like Bart's PE. --- Steve
Steven L Umbach

Forgot to add that you can manage local user rights remotely via the RK tool
ntrights assuming that an administrator has network connectivity to the
server as would be demonstrated by the ability to access an administrative
share such as C$. The links below explain more and beware that the privilege
used with ntrights is case sensitive. In your case I would be sure to revoke
SeDenyInteractiveLogonRight for at least administrators and administrator
and add SeInteractiveLogonRight for administrators. If that does not work
try revoking SeDenyInteractiveLogonRight for users, everyone, authenticated
users, and domain users. --- Steve

http://www.petri.co.il/download_free_reskit_tools.htm --- download ntrights
here
http://support.microsoft.com/kb/279664/EN-US/