Win2K client: unable to login locally, deleted from domain

Guest

Using Windows 2000 Server and Windows 2000 Professional client.

We have a network where the servers are part of a domain but the client PCs
are not. The users use applications through a Citrix server.

I had a need to map a network drive and the quickest way to do it was to
join the client PC to the domain. Copied over the files, then deleted the
computer object through the Users and Computers AD app. After that, I could
not access the client PC. Attempting to log into the local machine results
in an error to the effect of "The local policy of this system does not allow
you to logon interactively". And, after deleting the object, a user cannot
log into the domain. The PC is inaccessible.

It appears that a vendor had set a group policy to disallow local logins to
domain members except to specific users (who never had access to this client).

Last Known Configuration did not solve the problem.

So, how can I do one of two things: either A.) alter the local policy on
the client without being able to access it, or B.) rejoin the PC to the
domain so I can apply a Group Policy? Deleting or changing the SID?

No user is currently able to log in to the PC, so anything with a registry
key, or somehow capturing it with the domain controller?

Thanks!
 
Andrei Ungureanu

Use a password reset tool... reset the local Admin account... log on as
Admin and disjoin the computer from the domain.
 
Guest

Thanks Andrei - I had tried that already. The local users are unable to
log in interactively whether I know the password or not. If I use the wrong
password I get the usual user unknown error; if I use the right password I
can't log on interactively.

The local Administrator account can't even log on to its own client.

Is there a local policy key in the registry I can edit using a registry
tool? Or find and alter the SID to allow it to join the domain again?

Thanks!
Aaron
 
Andrei Ungureanu

Boot from a CD (Windows PE, Bart PE), rename
%systemroot%\security\database\secedit.sdb to some other name, and copy a
working version of this file from a Win2000 Pro system that does not have the
Deny Logon Locally setting applied.

I'm still not sure if it will work..
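
A pre-check for the lockout discussed in this thread, added here as an example and not posted by any participant: it reads the [Privilege Rights] section of a security template exported with secedit and reports whether a set of identities would be refused interactive logon. The sample template, the SIDs in it and the function names are constructed for illustration, and the caller must supply the account's group memberships itself.

```python
# Added example: inspect an exported security template for interactive-logon lockout.
# SAMPLE_INF is constructed sample data, not taken from the thread.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeDenyInteractiveLogonRight = *S-1-5-32-544,Guest
[Version]
signature="$CHICAGO$"
"""

ALLOW = "SeInteractiveLogonRight"      # "Log on locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny logon locally"


def _norm(principal):
    # Templates write SIDs as *S-1-...; names are case-insensitive.
    return principal.strip().lstrip("*").lower()


def parse_privilege_rights(inf_text):
    """Return {right name: set of normalised principals} from [Privilege Rights]."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {_norm(p) for p in value.split(",") if p.strip()}
    return rights


def logon_block_reason(rights, identities):
    """identities: the account name/SID plus every group it belongs to."""
    ids = {_norm(i) for i in identities}
    denied = ids & rights.get(DENY, set())
    if denied:                      # an explicit deny overrides any allow
        return "denied by " + DENY + ": " + ", ".join(sorted(denied))
    if ALLOW in rights and not ids & rights[ALLOW]:
        return "not granted " + ALLOW
    return None                     # no block visible in this template


if __name__ == "__main__":
    local_admin = {"Administrator", "S-1-5-32-544"}  # built-in Administrators group
    print(logon_block_reason(parse_privilege_rights(SAMPLE_INF), local_admin))
```

A right that is absent from the template is only "not defined" there, so a `None` result means no block is visible in that file, not that logon is guaranteed.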
 
