Unable to log into Win2K, local users prohibited, deleted ..

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Using Windows 2000 Server and Windows 2000 Professional client.

We have a network where the servers are part of a domain but the client PCs
are not. The users use applications through a Citrix server.

I had a need to map a network drive and the quickest way to do it was to
join the client PC to the domain. Copied over the files, then deleted the
computer object through the Users and Computers AD app. After that, I could
not access the client PC. Attempting to log into the local machine results
in an error to the effect of "The local policy of this system does not allow
you to logon interactively". And, after deleting the object, a user cannot
log into the domain. The PC is inaccessible.

It appears that a vendor had set a group policy to disallow local logins to
domain members except to specific users (who never had access to this client).

Last Known Configuration did not solve the problem.

So, how can I do one of two things: either A.) alter the local policy on
the client without being able to access it, or B.) rejoin the PC to the
domain so I can apply a Group Policy? Deleting or changing the SID?

No user is currently able to log in to the PC, so anything with a registry
key, or somehow capturing it with the domain controller?

Thanks!
  1.

    Starting the computer in safe mode and editing the local policy should work.

    --
    Regards
    Christoffer Andersson
    Microsoft MVP - Directory Services

    No email replies please - reply in the newsgroup
    ------------------------------------------------
    http://www.chrisse.se - Active Directory Tips

  2.

    Thanks Christoffer, I had already tried starting up in Safe mode (without
    networking) and still could not log in. Safe mode ran, and I got the login
    box with both the domain and the local machine; local accounts gave the error
    that they couldn't log in interactively.

    I can try it in Safe mode with networking, but I wouldn't think that would
    make a difference with the local accounts.

    I somehow have to be able to get into this machine to modify the local policy!

    Thanks again!
    Aaron

  3.

    You have to log on as the built-in administrator during safe mode, since it
    can't be disabled in safe mode. Other accounts are still disabled or
    prevented in safe mode.

    --
    Regards
    Christoffer Andersson
    Microsoft MVP - Directory Services

    No email replies please - reply in the newsgroup
    ------------------------------------------------
    http://www.chrisse.se - Active Directory Tips

  4.

    I've started up in Safe Mode, Safe Mode with Networking, and Safe Mode with
    Command Prompt. Attempted to log on as "Administrator". All three methods
    result in the same error - The local policy of this system does not permit
    you to logon interactively. Is there a deeper-level Administrator account?

  5.

    Are you sure you are logging in locally? If so, I have never seen such an
    issue before.
    If the workstation is critical, you may try running a repair of Windows.

    --
    Regards
    Christoffer Andersson
    Microsoft MVP - Directory Services

    No email replies please - reply in the newsgroup
    ------------------------------------------------
    http://www.chrisse.se - Active Directory Tips

  6.

    We were trying to log in locally.

    We ended up replacing the security hive in the Windows directory with the
    one from the Repair directory. Problem solved.

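The lockout in this thread came from a policy that restricted who may log on locally. As an added example (not code from any poster in the thread), the Python sketch below audits the `[Privilege Rights]` section of a security-template export, such as the text produced by `secedit /export /cfg`, and reports when the local Administrators group would lose interactive logon. The function names and both sample templates are constructed for illustration; real exports are usually UTF-16 and must be decoded to text first.

```python
import configparser

# Ways the built-in Administrators group can appear in a template (lower-cased).
ADMINS = {"*s-1-5-32-544", "administrators", "builtin\\administrators"}

# Constructed sample: only one S-1-5-21 account SID may log on locally.
SAMPLE_LOCKED = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeNetworkLogonRight = *S-1-1-0
"""

# Constructed sample: Administrators and Users keep the right.
SAMPLE_OK = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
"""


def parse_rights(inf_text):
    """Return {right_name: [member, ...]} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.optionxform = str  # keep the original case of right names
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    rights = {}
    for name, value in cp.items("Privilege Rights"):
        members = [m.strip().lower() for m in (value or "").split(",")]
        rights[name] = [m for m in members if m]
    return rights


def lockout_findings(inf_text):
    """List the reasons this template could lock local administrators out."""
    rights = parse_rights(inf_text)
    findings = []
    allow = rights.get("SeInteractiveLogonRight")
    deny = rights.get("SeDenyInteractiveLogonRight", [])
    if allow is not None:  # None means the template leaves the right untouched
        if not ADMINS.intersection(allow):
            findings.append("Administrators not granted SeInteractiveLogonRight")
        if allow and all(m.startswith("*s-1-5-21-") for m in allow):
            findings.append("only S-1-5-21 account SIDs granted; if they are "
                            "domain accounts, no one can log on off-domain")
    if ADMINS.intersection(deny):
        findings.append("Administrators listed in SeDenyInteractiveLogonRight")
    return findings


if __name__ == "__main__":
    for label, text in (("locked", SAMPLE_LOCKED), ("ok", SAMPLE_OK)):
        print(label, lockout_findings(text))
```
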