Unable to log into Win2K, local users prohibited, deleted ..

G

Guest

Guest
Archived from groups: microsoft.public.win2000.active_directory (More info?)

Using Windows 2000 Server and Windows 2000 Professional client.

We have a network where the servers are part of a domain but the clients PCs
are not. The users use applications through a Citrix server.

I had a need to map a network drive and the quickest way to do it was to
join the client PC to the domain. Copied over the files, then deleted the
computer object through the Users and Computers AD app. After that, I could
not access the client PC. Attempting to log into the local machine results
in an error to the effect of 'The local policy of this system does not allow
you to logon interactively". And, after deleting the object, a user can not
log into the domain. The PC is inaccessible.

It appears that a vendor had set a group policy to disallow local logins to
domain members except to specific users (who never had access to this client).

Last Known Configuration did not solve the problem.

So, how can I do one of two things: either A.) alter the local policy on
the client without being able to access it, or B.) rejoin the PC to the
domain so I can apply a Group Policy? Deleting or changing the SID?

No user is currently able to log in to the PC, so anything with a registry
key, or somehow capturing it with the domain controller?

Thanks!
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.active_directory (More info?)

Start the computer in safe mode and edit the local policy should work.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips

"smosh" <smosh@discussions.microsoft.com> skrev i meddelandet
news:843DF408-0700-41D5-B1D5-5708FB17DB76@microsoft.com...
> Using Windows 2000 Server and Windows 2000 Professional client.
>
> We have a network where the servers are part of a domain but the clients
> PCs
> are not. The users use applications through a Citrix server.
>
> I had a need to map a network drive and the quickest way to do it was to
> join the client PC to the domain. Copied over the files, then deleted the
> computer object through the Users and Computers AD app. After that, I
> could
> not access the client PC. Attempting to log into the local machine
> results
> in an error to the effect of 'The local policy of this system does not
> allow
> you to logon interactively". And, after deleting the object, a user can
> not
> log into the domain. The PC is inaccessible.
>
> It appears that a vendor had set a group policy to disallow local logins
> to
> domain members except to specific users (who never had access to this
> client).
>
> Last Known Configuration did not solve the problem.
>
> So, how can I do one of two things: either A.) alter the local policy on
> the client without being able to access it, or B.) rejoin the PC to the
> domain so I can apply a Group Policy? Deleting or changing the SID?
>
> No user is currently able to log in to the PC, so anything with a registry
> key, or somehow capturing it with the domain controller?
>
> Thanks!
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.active_directory (More info?)

Thanks Christoffer, I had already tried starting up in Safe mode (without
networking) and still could not log in. Safe mode ran, and I got the login
box with both the domain and the local machine, local accounts gave the error
they couldn't log in interactively.

I can try it in Safe mode With networking, but I wouldnt' think that would
make a difference with the local accounts.

I somehow have to be able to get into this machine to modify the local policy!

Thanks again!
Aaron

"Chriss3 [MVP]" wrote:

> Start the computer in safe mode and edit the local policy should work.
>
> --
> Regards
> Christoffer Andersson
> Microsoft MVP - Directory Services
>
> No email replies please - reply in the newsgroup
> ------------------------------------------------
> http://www.chrisse.se - Active Directory Tips
>
> "smosh" <smosh@discussions.microsoft.com> skrev i meddelandet
> news:843DF408-0700-41D5-B1D5-5708FB17DB76@microsoft.com...
> > Using Windows 2000 Server and Windows 2000 Professional client.
> >
> > We have a network where the servers are part of a domain but the clients
> > PCs
> > are not. The users use applications through a Citrix server.
> >
> > I had a need to map a network drive and the quickest way to do it was to
> > join the client PC to the domain. Copied over the files, then deleted the
> > computer object through the Users and Computers AD app. After that, I
> > could
> > not access the client PC. Attempting to log into the local machine
> > results
> > in an error to the effect of 'The local policy of this system does not
> > allow
> > you to logon interactively". And, after deleting the object, a user can
> > not
> > log into the domain. The PC is inaccessible.
> >
> > It appears that a vendor had set a group policy to disallow local logins
> > to
> > domain members except to specific users (who never had access to this
> > client).
> >
> > Last Known Configuration did not solve the problem.
> >
> > So, how can I do one of two things: either A.) alter the local policy on
> > the client without being able to access it, or B.) rejoin the PC to the
> > domain so I can apply a Group Policy? Deleting or changing the SID?
> >
> > No user is currently able to log in to the PC, so anything with a registry
> > key, or somehow capturing it with the domain controller?
> >
> > Thanks!
>
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.active_directory (More info?)

You have to logon as the built-in administrator during safe mode, since it
can't be disabled in safe mode. Other accounts are still disabled or
prevented in safe mode.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips

"smosh" <smosh@discussions.microsoft.com> skrev i meddelandet
news:51DB2ED6-4F59-4A86-A947-FCDBD9E5AD9B@microsoft.com...
> Thanks Christoffer, I had already tried starting up in Safe mode (without
> networking) and still could not log in. Safe mode ran, and I got the
> login
> box with both the domain and the local machine, local accounts gave the
> error
> they couldn't log in interactively.
>
> I can try it in Safe mode With networking, but I wouldnt' think that would
> make a difference with the local accounts.
>
> I somehow have to be able to get into this machine to modify the local
> policy!
>
> Thanks again!
> Aaron
>
> "Chriss3 [MVP]" wrote:
>
>> Start the computer in safe mode and edit the local policy should work.
>>
>> --
>> Regards
>> Christoffer Andersson
>> Microsoft MVP - Directory Services
>>
>> No email replies please - reply in the newsgroup
>> ------------------------------------------------
>> http://www.chrisse.se - Active Directory Tips
>>
>> "smosh" <smosh@discussions.microsoft.com> skrev i meddelandet
>> news:843DF408-0700-41D5-B1D5-5708FB17DB76@microsoft.com...
>> > Using Windows 2000 Server and Windows 2000 Professional client.
>> >
>> > We have a network where the servers are part of a domain but the
>> > clients
>> > PCs
>> > are not. The users use applications through a Citrix server.
>> >
>> > I had a need to map a network drive and the quickest way to do it was
>> > to
>> > join the client PC to the domain. Copied over the files, then deleted
>> > the
>> > computer object through the Users and Computers AD app. After that, I
>> > could
>> > not access the client PC. Attempting to log into the local machine
>> > results
>> > in an error to the effect of 'The local policy of this system does not
>> > allow
>> > you to logon interactively". And, after deleting the object, a user
>> > can
>> > not
>> > log into the domain. The PC is inaccessible.
>> >
>> > It appears that a vendor had set a group policy to disallow local
>> > logins
>> > to
>> > domain members except to specific users (who never had access to this
>> > client).
>> >
>> > Last Known Configuration did not solve the problem.
>> >
>> > So, how can I do one of two things: either A.) alter the local policy
>> > on
>> > the client without being able to access it, or B.) rejoin the PC to the
>> > domain so I can apply a Group Policy? Deleting or changing the SID?
>> >
>> > No user is currently able to log in to the PC, so anything with a
>> > registry
>> > key, or somehow capturing it with the domain controller?
>> >
>> > Thanks!
>>
>>
>>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.active_directory (More info?)

I've started up in Safe Mode, Safe Mode with Networking, and Safe Mode with
Command Prompt. Attempted to logon as "Administrator". All three methods
result in the same error - The local policy of this system does not permit
yoiu to logon interactively. Is there a deeper-level Administrator account?

"Chriss3 [MVP]" wrote:

> You have to logon as the built-in administrator during safe mode, since it
> can't be disabled in safe mode. Other accounts are still disabled or
> prevented in safe mode.
>
> --
> Regards
> Christoffer Andersson
> Microsoft MVP - Directory Services
>
> No email replies please - reply in the newsgroup
> ------------------------------------------------
> http://www.chrisse.se - Active Directory Tips
>
> "smosh" <smosh@discussions.microsoft.com> skrev i meddelandet
> news:51DB2ED6-4F59-4A86-A947-FCDBD9E5AD9B@microsoft.com...
> > Thanks Christoffer, I had already tried starting up in Safe mode (without
> > networking) and still could not log in. Safe mode ran, and I got the
> > login
> > box with both the domain and the local machine, local accounts gave the
> > error
> > they couldn't log in interactively.
> >
> > I can try it in Safe mode With networking, but I wouldnt' think that would
> > make a difference with the local accounts.
> >
> > I somehow have to be able to get into this machine to modify the local
> > policy!
> >
> > Thanks again!
> > Aaron
> >
> > "Chriss3 [MVP]" wrote:
> >
> >> Start the computer in safe mode and edit the local policy should work.
> >>
> >> --
> >> Regards
> >> Christoffer Andersson
> >> Microsoft MVP - Directory Services
> >>
> >> No email replies please - reply in the newsgroup
> >> ------------------------------------------------
> >> http://www.chrisse.se - Active Directory Tips
> >>
> >> "smosh" <smosh@discussions.microsoft.com> skrev i meddelandet
> >> news:843DF408-0700-41D5-B1D5-5708FB17DB76@microsoft.com...
> >> > Using Windows 2000 Server and Windows 2000 Professional client.
> >> >
> >> > We have a network where the servers are part of a domain but the
> >> > clients
> >> > PCs
> >> > are not. The users use applications through a Citrix server.
> >> >
> >> > I had a need to map a network drive and the quickest way to do it was
> >> > to
> >> > join the client PC to the domain. Copied over the files, then deleted
> >> > the
> >> > computer object through the Users and Computers AD app. After that, I
> >> > could
> >> > not access the client PC. Attempting to log into the local machine
> >> > results
> >> > in an error to the effect of 'The local policy of this system does not
> >> > allow
> >> > you to logon interactively". And, after deleting the object, a user
> >> > can
> >> > not
> >> > log into the domain. The PC is inaccessible.
> >> >
> >> > It appears that a vendor had set a group policy to disallow local
> >> > logins
> >> > to
> >> > domain members except to specific users (who never had access to this
> >> > client).
> >> >
> >> > Last Known Configuration did not solve the problem.
> >> >
> >> > So, how can I do one of two things: either A.) alter the local policy
> >> > on
> >> > the client without being able to access it, or B.) rejoin the PC to the
> >> > domain so I can apply a Group Policy? Deleting or changing the SID?
> >> >
> >> > No user is currently able to log in to the PC, so anything with a
> >> > registry
> >> > key, or somehow capturing it with the domain controller?
> >> >
> >> > Thanks!
> >>
> >>
> >>
>
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.active_directory (More info?)

Are you sure you logging in locally? if so I have never seen a such issue
before.
If the workstation is critical, you may running a repair of Windows.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips

"smosh" <smosh@discussions.microsoft.com> skrev i meddelandet
news:C1F30BEE-60F8-4562-A8E6-D2FB65E51876@microsoft.com...
> I've started up in Safe Mode, Safe Mode with Networking, and Safe Mode
> with
> Command Prompt. Attempted to logon as "Administrator". All three methods
> result in the same error - The local policy of this system does not permit
> yoiu to logon interactively. Is there a deeper-level Administrator
> account?
>
> "Chriss3 [MVP]" wrote:
>
>> You have to logon as the built-in administrator during safe mode, since
>> it
>> can't be disabled in safe mode. Other accounts are still disabled or
>> prevented in safe mode.
>>
>> --
>> Regards
>> Christoffer Andersson
>> Microsoft MVP - Directory Services
>>
>> No email replies please - reply in the newsgroup
>> ------------------------------------------------
>> http://www.chrisse.se - Active Directory Tips
>>
>> "smosh" <smosh@discussions.microsoft.com> skrev i meddelandet
>> news:51DB2ED6-4F59-4A86-A947-FCDBD9E5AD9B@microsoft.com...
>> > Thanks Christoffer, I had already tried starting up in Safe mode
>> > (without
>> > networking) and still could not log in. Safe mode ran, and I got the
>> > login
>> > box with both the domain and the local machine, local accounts gave the
>> > error
>> > they couldn't log in interactively.
>> >
>> > I can try it in Safe mode With networking, but I wouldnt' think that
>> > would
>> > make a difference with the local accounts.
>> >
>> > I somehow have to be able to get into this machine to modify the local
>> > policy!
>> >
>> > Thanks again!
>> > Aaron
>> >
>> > "Chriss3 [MVP]" wrote:
>> >
>> >> Start the computer in safe mode and edit the local policy should work.
>> >>
>> >> --
>> >> Regards
>> >> Christoffer Andersson
>> >> Microsoft MVP - Directory Services
>> >>
>> >> No email replies please - reply in the newsgroup
>> >> ------------------------------------------------
>> >> http://www.chrisse.se - Active Directory Tips
>> >>
>> >> "smosh" <smosh@discussions.microsoft.com> skrev i meddelandet
>> >> news:843DF408-0700-41D5-B1D5-5708FB17DB76@microsoft.com...
>> >> > Using Windows 2000 Server and Windows 2000 Professional client.
>> >> >
>> >> > We have a network where the servers are part of a domain but the
>> >> > clients
>> >> > PCs
>> >> > are not. The users use applications through a Citrix server.
>> >> >
>> >> > I had a need to map a network drive and the quickest way to do it
>> >> > was
>> >> > to
>> >> > join the client PC to the domain. Copied over the files, then
>> >> > deleted
>> >> > the
>> >> > computer object through the Users and Computers AD app. After that,
>> >> > I
>> >> > could
>> >> > not access the client PC. Attempting to log into the local machine
>> >> > results
>> >> > in an error to the effect of 'The local policy of this system does
>> >> > not
>> >> > allow
>> >> > you to logon interactively". And, after deleting the object, a user
>> >> > can
>> >> > not
>> >> > log into the domain. The PC is inaccessible.
>> >> >
>> >> > It appears that a vendor had set a group policy to disallow local
>> >> > logins
>> >> > to
>> >> > domain members except to specific users (who never had access to
>> >> > this
>> >> > client).
>> >> >
>> >> > Last Known Configuration did not solve the problem.
>> >> >
>> >> > So, how can I do one of two things: either A.) alter the local
>> >> > policy
>> >> > on
>> >> > the client without being able to access it, or B.) rejoin the PC to
>> >> > the
>> >> > domain so I can apply a Group Policy? Deleting or changing the SID?
>> >> >
>> >> > No user is currently able to log in to the PC, so anything with a
>> >> > registry
>> >> > key, or somehow capturing it with the domain controller?
>> >> >
>> >> > Thanks!
>> >>
>> >>
>> >>
>>
>>
>>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.active_directory (More info?)

We were trying to log in locally.

We ended up replacing the security hive in the Windows directory with the
one from the Repair directory. Problem solved.

"Chriss3 [MVP]" wrote:

> Are you sure you logging in locally? if so I have never seen a such issue
> before.
> If the workstation is critical, you may running a repair of Windows.
>
> --
> Regards
> Christoffer Andersson
> Microsoft MVP - Directory Services
>
> No email replies please - reply in the newsgroup
> ------------------------------------------------
> http://www.chrisse.se - Active Directory Tips
>
> "smosh" <smosh@discussions.microsoft.com> skrev i meddelandet
> news:C1F30BEE-60F8-4562-A8E6-D2FB65E51876@microsoft.com...
> > I've started up in Safe Mode, Safe Mode with Networking, and Safe Mode
> > with
> > Command Prompt. Attempted to logon as "Administrator". All three methods
> > result in the same error - The local policy of this system does not permit
> > yoiu to logon interactively. Is there a deeper-level Administrator
> > account?
> >
> > "Chriss3 [MVP]" wrote:
> >
> >> You have to logon as the built-in administrator during safe mode, since
> >> it
> >> can't be disabled in safe mode. Other accounts are still disabled or
> >> prevented in safe mode.
> >>
> >> --
> >> Regards
> >> Christoffer Andersson
> >> Microsoft MVP - Directory Services
> >>
> >> No email replies please - reply in the newsgroup
> >> ------------------------------------------------
> >> http://www.chrisse.se - Active Directory Tips
> >>
> >> "smosh" <smosh@discussions.microsoft.com> skrev i meddelandet
> >> news:51DB2ED6-4F59-4A86-A947-FCDBD9E5AD9B@microsoft.com...
> >> > Thanks Christoffer, I had already tried starting up in Safe mode
> >> > (without
> >> > networking) and still could not log in. Safe mode ran, and I got the
> >> > login
> >> > box with both the domain and the local machine, local accounts gave the
> >> > error
> >> > they couldn't log in interactively.
> >> >
> >> > I can try it in Safe mode With networking, but I wouldnt' think that
> >> > would
> >> > make a difference with the local accounts.
> >> >
> >> > I somehow have to be able to get into this machine to modify the local
> >> > policy!
> >> >
> >> > Thanks again!
> >> > Aaron
> >> >
> >> > "Chriss3 [MVP]" wrote:
> >> >
> >> >> Start the computer in safe mode and edit the local policy should work.
> >> >>
> >> >> --
> >> >> Regards
> >> >> Christoffer Andersson
> >> >> Microsoft MVP - Directory Services
> >> >>
> >> >> No email replies please - reply in the newsgroup
> >> >> ------------------------------------------------
> >> >> http://www.chrisse.se - Active Directory Tips
> >> >>
> >> >> "smosh" <smosh@discussions.microsoft.com> skrev i meddelandet
> >> >> news:843DF408-0700-41D5-B1D5-5708FB17DB76@microsoft.com...
> >> >> > Using Windows 2000 Server and Windows 2000 Professional client.
> >> >> >
> >> >> > We have a network where the servers are part of a domain but the
> >> >> > clients
> >> >> > PCs
> >> >> > are not. The users use applications through a Citrix server.
> >> >> >
> >> >> > I had a need to map a network drive and the quickest way to do it
> >> >> > was
> >> >> > to
> >> >> > join the client PC to the domain. Copied over the files, then
> >> >> > deleted
> >> >> > the
> >> >> > computer object through the Users and Computers AD app. After that,
> >> >> > I
> >> >> > could
> >> >> > not access the client PC. Attempting to log into the local machine
> >> >> > results
> >> >> > in an error to the effect of 'The local policy of this system does
> >> >> > not
> >> >> > allow
> >> >> > you to logon interactively". And, after deleting the object, a user
> >> >> > can
> >> >> > not
> >> >> > log into the domain. The PC is inaccessible.
> >> >> >
> >> >> > It appears that a vendor had set a group policy to disallow local
> >> >> > logins
> >> >> > to
> >> >> > domain members except to specific users (who never had access to
> >> >> > this
> >> >> > client).
> >> >> >
> >> >> > Last Known Configuration did not solve the problem.
> >> >> >
> >> >> > So, how can I do one of two things: either A.) alter the local
> >> >> > policy
> >> >> > on
> >> >> > the client without being able to access it, or B.) rejoin the PC to
> >> >> > the
> >> >> > domain so I can apply a Group Policy? Deleting or changing the SID?
> >> >> >
> >> >> > No user is currently able to log in to the PC, so anything with a
> >> >> > registry
> >> >> > key, or somehow capturing it with the domain controller?
> >> >> >
> >> >> > Thanks!
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>