
Win2K client: unable to login locally, deleted from domain

Anonymous
February 25, 2005 11:55:04 PM

Archived from groups: microsoft.public.win2000.active_directory

Using Windows 2000 Server and Windows 2000 Professional client.

We have a network where the servers are part of a domain but the client PCs
are not. The users use applications through a Citrix server.

I had a need to map a network drive and the quickest way to do it was to
join the client PC to the domain. Copied over the files, then deleted the
computer object through the Users and Computers AD app. After that, I could
not access the client PC. Attempting to log into the local machine results
in an error to the effect of 'The local policy of this system does not allow
you to logon interactively'. And, after deleting the object, a user cannot
log into the domain. The PC is inaccessible.

It appears that a vendor had set a group policy to disallow local logins to
domain members except to specific users (who never had access to this client).

Last Known Configuration did not solve the problem.

So, how can I do one of two things: either A.) alter the local policy on
the client without being able to access it, or B.) rejoin the PC to the
domain so I can apply a Group Policy? Deleting or changing the SID?

No user is currently able to log in to the PC, so anything with a registry
key, or somehow capturing it with the domain controller?

Thanks!
Anonymous
February 26, 2005 1:50:39 PM


Use a password reset tool, reset the local Admin account, log on as
Admin and disjoin the computer from the domain.


--
Andrei Ungureanu
www.eventid.net
Free Windows event logs reports
http://www.altairtech.ca/evlog/
"smosh" <smosh@discussions.microsoft.com> wrote in message
news:8C1CF93D-8179-4677-B4C7-BD2343DA2509@microsoft.com...
Anonymous
February 26, 2005 1:50:40 PM


Thanks Andrei - I had tried that already. The local users are unable to
log in interactively whether I know the password or not. If I use the wrong
password I get the usual user unknown error, if I use the right password I
can't log on interactively.

The local Administrator account can't even logon to its own client.

Is there a local policy key in the registry I can edit using a registry
tool? Or find and alter the SID to allow it to join the domain again?

Thanks!
Aaron

"Andrei Ungureanu" wrote:
Anonymous
February 26, 2005 11:59:10 PM


Boot from a CD (Windows PE, Bart PE) and rename
%systemroot%\security\database\secedit.sdb to some other name and copy a
working version of this file from a Win2000 Pro system that does not have the
Deny Logon Locally setting applied.

I'm still not sure if it will work..


--
Andrei Ungureanu
www.eventid.net
Free Windows event logs reports
http://www.altairtech.ca/evlog/
"smosh" <smosh@discussions.microsoft.com> wrote in message
news:2AA553B6-7FD6-452D-8430-175A1EA213AE@microsoft.com...
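The last reply swaps the whole secedit.sdb for a known-good copy. What a practitioner usually wants first is to see which user-right assignment is actually doing the locking, and to build a template that is known to let the built-in admins back in. The script below is an added example for this thread, not code from the posters or from Microsoft. It parses the INF-style security template that `secedit /export /cfg <file>` writes and `secedit /configure /db <db> /cfg <file> /areas USER_RIGHTS` reads, reports who holds SeInteractiveLogonRight ("Log on locally") and SeDenyInteractiveLogonRight ("Deny log on locally", which always wins over the allow), and returns a corrected copy with BUILTIN\Administrators and the RID-500 Administrator account removed from the deny list and present in the allow list. The SAMPLE_TEMPLATE, the VENDOR\CitrixOps group and the machine SID S-1-5-21-1111-2222-3333 are constructed for illustration; treating an empty right value as "no one" is an assumption about secedit's template semantics.

```python
# Added example, not from the newsgroup thread: audit and repair the "Log on
# locally" / "Deny log on locally" assignments in a security template of the
# kind `secedit /export /cfg <file>` writes and `secedit /configure /cfg` reads.
# Assumptions: INI-style [Privilege Rights] section, SIDs prefixed with '*',
# and an empty right value meaning "no one".
import re
from collections import OrderedDict

ADMINISTRATORS_SID = "*S-1-5-32-544"        # BUILTIN\Administrators
ALLOW_RIGHT = "SeInteractiveLogonRight"     # "Log on locally"
DENY_RIGHT = "SeDenyInteractiveLogonRight"  # "Deny log on locally"; deny beats allow
RID_500 = re.compile(r"^\*S-1-5-21-\d+-\d+-\d+-500$")  # machine-local Administrator
# Groups every admin is a member of: a deny on these also locks the admins out.
BROAD_GROUPS = {"*S-1-1-0", "*S-1-5-11"}    # Everyone, Authenticated Users

# Constructed sample modelled on the thread: a vendor policy grants local logon
# only to its own group and explicitly denies it to the built-in admins.
SAMPLE_TEMPLATE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-555,VENDOR\\CitrixOps
SeDenyInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-500,*S-1-5-32-545
SeNetworkLogonRight = *S-1-1-0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_template(text):
    """Parse a secedit template into {section: [(key, value), ...]}, keeping order."""
    sections, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is None or "=" not in line:
            raise ValueError("malformed template line: %r" % raw)
        else:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def render_template(sections):
    lines = []
    for name, pairs in sections.items():
        lines.append("[%s]" % name)
        fmt = "%s = %s" if name == "Privilege Rights" else "%s=%s"  # mimic secedit output
        lines.extend(fmt % pair for pair in pairs)
    return "\n".join(lines) + "\n"


def get_right(sections, right):
    """Principals assigned to a right, or None if the template does not set it."""
    for key, value in sections.get("Privilege Rights", []):
        if key.lower() == right.lower():
            return [p.strip() for p in value.split(",") if p.strip()]
    return None


def set_right(sections, right, principals):
    pairs = sections.setdefault("Privilege Rights", [])
    for i, (key, _) in enumerate(pairs):
        if key.lower() == right.lower():
            pairs[i] = (key, ",".join(principals))
            return
    pairs.append((right, ",".join(principals)))


def covers_admins(principal):
    p = principal.upper()
    return p == ADMINISTRATORS_SID or p in BROAD_GROUPS or bool(RID_500.match(p))


def audit(sections):
    """Who may/may not log on locally, and whether the admins are locked out."""
    allow, deny = get_right(sections, ALLOW_RIGHT), get_right(sections, DENY_RIGHT) or []
    admin_denied = [p for p in deny if covers_admins(p)]
    # An unset right keeps the machine's current value; only an explicit grant
    # list that omits the admins, or an explicit deny, counts as a lockout.
    admin_allowed = allow is None or any(covers_admins(p) for p in allow)
    return {"allow": allow or [], "deny": deny, "admin_denied": admin_denied,
            "admins_locked_out": bool(admin_denied) or not admin_allowed}


def repair(sections):
    """Copy of the template with admins un-denied and granted local logon."""
    fixed = OrderedDict((k, list(v)) for k, v in sections.items())
    deny = [p for p in get_right(fixed, DENY_RIGHT) or [] if not covers_admins(p)]
    allow = get_right(fixed, ALLOW_RIGHT) or []
    if not any(p.upper() == ADMINISTRATORS_SID for p in allow):
        allow = [ADMINISTRATORS_SID] + allow
    set_right(fixed, DENY_RIGHT, deny)   # may render as "= " (no one)
    set_right(fixed, ALLOW_RIGHT, allow)
    return fixed
```

secedit writes exported templates as UTF-16 with a byte-order mark, so read and write them with `open(path, encoding="utf-16")`, then hand the repaired file to `secedit /configure /db fix.sdb /cfg fixed.inf /areas USER_RIGHTS`. Two caveats follow from the thread itself: applying a template still needs a way to run a command on the box, which is why the reply above reaches for a PE boot and an offline secedit.sdb swap; and if the PC is ever rejoined to the domain while the vendor GPO still denies local logon to everyone but its own group, the deny comes straight back at the next policy refresh, so disjoin (or fix the GPO) before rejoining.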