Question about Log on Locally Policy.

Adam Sandler

Hello,

This thread is about a W2K member server.

I had to recover from a failure on one of my domain's boxes the other
day. I reloaded the image I had of the fully configured box. What I
forgot to realize is the security guys went through and changed who
can log on locally...

After the image was successfully restored, I tried to log on to the
domain but got a message the domain wasn't available.

So I then tried to log on as the local admin and got the error stating
the policy of the machine does not permit interactive logon.

So it looks like I'm stuck... I cannot contact the domain and I cannot
log on with a local account because the image captured the effective
setting from the DC regarding who can and cannot log on locally.

I do have an offline registry editor program but I have no idea if this
policy is even stored in the registry... does anyone know?
Are there any other tools that could help me out too?

Thanks!!!

Steven L Umbach

Interesting, as by default the administrators group has the logon locally user right.
The easiest thing to try would be to use ntrights to add the administrators
to the logon locally user right. Not knowing if there are entries in the
deny logon locally user right and the fact that it may have overriding
policy from the domain can complicate things. If you can access the computer
via an administrative share you may have a good chance to correct things and
then you might be able to use Computer Management to remotely view its
Event Viewer. If you cannot even access an administrative share, your chances
of correcting things are not good. Assuming you can, you could also use
psexec from SysInternals to access the command prompt on that computer to
check network configuration, run netdiag, etc. Netdom might be used to try
and join the computer to the domain or repair the secure channel. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;266280 -- note that
the user right is case sensitive in the command
http://www.petri.co.il/download_free_reskit_tools.htm --- Ntrights
available here
http://www.sysinternals.com/ntw2k/freeware/psexec.shtml -- Psexec.
http://support.microsoft.com/kb/216393/EN-US/ -- netdom info
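Added example (not part of the thread or any of the tools it links): the allow and deny "log on locally" rights Steve refers to are the SeInteractiveLogonRight and SeDenyInteractiveLogonRight entries in the [Privilege Rights] section of a security template, the same format the NSA templates use and that `secedit /export /cfg` writes. This script parses a constructed template that mirrors Adam's situation (only Domain Admins allowed), checks whether a given token's SIDs can log on interactively with deny overriding allow, and builds the ntrights command that would restore the right; the host name and domain SID are placeholders.

```python
"""Check the 'Log on locally' user right in a secedit-style security template.

Constructed example: parses the [Privilege Rights] section of an exported
template (secedit /export /cfg file.inf) and reports whether a given principal
can log on interactively. A deny right always overrides an allow right.
"""
import configparser

BUILTIN_ADMINISTRATORS = "S-1-5-32-544"   # well-known SID of local Administrators
DOMAIN_ADMINS_RID = "512"                  # Domain Admins is <domain SID>-512

# Constructed sample reflecting the thread: only Domain Admins may log on
# locally; the local Administrators group was removed by the template.
# The domain SID below is a placeholder, not a real domain.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-512
SeDenyInteractiveLogonRight = *S-1-5-32-546
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-512
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(text):
    """Return {right_name: set of SIDs} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str            # user right names are case sensitive (KB 266280)
    cp.read_string(text)
    rights = {}
    if cp.has_section("Privilege Rights"):
        for name, value in cp.items("Privilege Rights"):
            # secedit prefixes SIDs with '*'; strip it and split the comma list
            rights[name] = {m.strip().lstrip("*") for m in value.split(",") if m.strip()}
    return rights


def can_logon_locally(rights, token_sids):
    """token_sids: the user's SID plus group SIDs. Deny wins over allow, as in LSA."""
    allow = rights.get("SeInteractiveLogonRight", set())
    deny = rights.get("SeDenyInteractiveLogonRight", set())
    if token_sids & deny:
        return False
    return bool(token_sids & allow)


def ntrights_fix_command(host):
    """The remote ntrights invocation that grants Administrators the right back."""
    return f"ntrights -m \\\\{host} -u Administrators +r SeInteractiveLogonRight"
```

The ntrights call only works over the network if the built-in Administrator still holds SeNetworkLogonRight, which is the first thing to read off the same template.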

Adam Sandler

Steve, thanks for your reply.

After the system was first built, the security folks applied an NSA
template against it. It is very restrictive... almost to the point of
making the box not usable if you ask me. At any rate, I then made an
image of the final configuration. The system state at that time was an
effective setting of only let domadmins log on locally.

Now, fast forward to me recovering from the image. For some reason the box
isn't seeing the domain. Which shouldn't really be a big deal... but
that does mean I cannot log on as a domadmin. But because of the
image-captured, effective group policy setting, this box still believes
it can only allow domadmins to log on locally.

If I'm reading your post correctly, the solutions you suggest imply I
have access to the desktop. I cannot get to the desktop because
without the box recognizing the domain I cannot log on as domadmin and I
cannot use any of the local accounts because they are prevented from
doing so because of the GP. I'm not sure how telnetting into the box
would work because how would I access the Group Policy remotely? I
have a Linux boot disk which gives me access to the SAM and the registry
but I don't know if or where the GP for log on locally is located there.

Steven L Umbach

I understand that you cannot logon locally. I was suggesting methods that
might be able to be used remotely, such as using Ntrights from another
computer on the network, for which you would have to create an account so
that you can logon to the remote computer with the username/password of the
built in administrator account on the locked out machine. Hopefully you can
do that. If you can, you can do all those tasks I suggested remotely,
including using psexec to check the tcp/ip configuration [such as incorrect
dns server] and running netdiag, which might explain why you are having a
problem with the domain controller such as a dns or secure channel problem.
I would also try using Computer Management from a remote computer and then
select "connect to other computer" to try and view the System and
Application logs to see if any pertinent problems can be found. If you can
not access the computer by its name then try to use its IP address. You
might be able to use netdom to fix domain related problems for your locked
out computer. I also assume you rebooted it after restoring the image. ---
Steve

Roger Abell [MVP]

IIRC at one version the NSA guide recommended that the
built-in Administrator account be renamed.
It is very possible that you only need to know the correct
account - unless you have already verified that Administrator
does have network access. The next issue is whether the
image was configured with an AD based GPO or whether the
NSA guidelines were applied to the local policies, in which
event use of the group policy snap-in over the network should
let you loosen it enough for local login and domain dis/rejoin.