Archived from groups: microsoft.public.win2000.group_policy
A new problem has arisen, I believe because I ran that
little app from the command prompt, I cannot start my
Exchange System Manager now. I get the following
error: "Facility Win32, I.D. No. 8007203b Exchange System
Manager" I looked it up on the MS KB and it said to restart
the Kerberos service in the services. I did, and it didn't
help. I think I wiped out some sort of authentication for
the Exchange services by running it. Is there some way to
revert, or undo, what I did?
Dave
>-----Original Message-----
>Great glad you're back in to the server.
>
>Sorry did slip with the extra s on Administrator my fault.
>Rgds
>Steve
>
>"Dave W" <anonymous@discussions.microsoft.com> wrote in message
>news:1b3001c4a664$05b70f40$a601280a@phx.gbl...
>> Good News! For whatever reason I was just able to log on
>> to that server. Through the network I was able to change
>> the administrator's p/w from ******* to blank, but that
>> was like hours ago and it wouldn't let me in all morning
>> (after trying as many things as I did, I won't be able to
>> determine for certain what the problem was). I'll betcha
>> that I'll be able to connect from home tonight through
>> term/serv's too. Just want to thank everyone that tried to
>> help.
>>
>> Dave
>> >-----Original Message-----
>> >Still can't logon to that machine. I ran the
>> >SeInteractiveLogonRight app again and got an error msg
>> >this time. In your post you spelled out the command
>> >as "SeinteractiveLogonRight DomainName\Administrators
>> >ServerName". Is "administrators" literal, including the
>> >pluralization? Anyways, I do have the Administrative Tools
>> >on my Program Menu (on my server#2) so I am able to access
>> >the controls for the domain Controller (server#1). I have
>> >checked the GPO for the DC group and it is exactly as I've
>> >been told to set it (enable but don't specify for the "deny
>> >logon" and the "logon locally" has the administrator (as
>> >well as quite a few others in it). At the moment it's not
>> >a crisis, but I can see that happening at some point. Our
>> >Exchange server is on that server. I can access various
>> >file and folders through the Network Neighborhood as well.
>> >That includes the "sysvol" share and others. I have even
>> >tried disabling all of the policies.
>> >>-----Original Message-----
>> >>Dave
>> >>Other Steve here
>> >>how are you doing on this at present? have you managed to get to the policy
>> >>yet?
>> >>
>> >>You're correct on the operation of the tool, open the cmd prompt on the
>> >>directory it resides and run it
>> >>
>> >>so to grant the Administrator Group the local logon right just type
>> >>SeinteractiveLogonRight DomainName\Administrators ServerName
>> >>this would clear the local settings in the local security policy on the
>> >>server
>> >>
>> >>If you have changed the default domain controllers policy
>> >>then as Steve L states use the adminpak on another machine to change that
>> >>policy as well.
>> >>
>> >>rgds
>> >>Steve
>> >>
>> >>
>> >>"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
>> >>news:Spn6d.274636$mD.74234@attbi_s02...
>> >>> Install Adminpak on one of your Windows 2000 domain computers that you can
>> >>> logon to as a domain administrator and use it to modify the problem policy
>> >>> from that computer. My guess is that the change was made in Domain
>> >>> Controller Security Policy under security settings/local policies/user
>> >>> rights. Look at the two user rights for logon locally and deny logon
>> >>> locally. By default administrators is in the logon locally for domain
>> >>> controllers and the deny logon locally is defined but empty. If there is
>> >>> more than one GPO in the domain controller container you will need to check
>> >>> them all for those user rights. Adminpak is on the server install disk in
>> >>> the I386 folder. --- Steve
>> >>>
>> >>> http://support.microsoft.com/default.aspx?scid=kb;en-us;216999
>> >>>
>> >>> "Dave W" <anonymous@discussions.microsoft.com> wrote in message
>> >>> news:050b01c4a5b7$ed991f90$a401280a@phx.gbl...
>> >>> > Whew! Where to begin. The machine in question is the lone
>> >>> > DC in a single AD domain. I do have another server that I
>> >>> > work on that is being replicated to though (I think). All
>> >>> > the other machines can be logged into. I have tried
>> >>> > several other accounts on the DC and none of them will log
>> >>> > in. I first noticed the problem over the past weekend when
>> >>> > I tried to connect from home via term. serv's. The
>> >>> > same "interactive logging" message. I believe the GPO that
>> >>> > I screwed with was the one for the DC's as the one for the
>> >>> > domain is and has been disabled for some time. I have been
>> >>> > able to connect to the AD users & computers through my PC
>> >>> > (server #2) and the log on locally has all the users and
>> >>> > groups that I believe are necessary. The program that
>> >>> > precipitated this with the GPO was a mail/spam app that
>> >>> > wouldn't start its engine so I thought that the log on
>> >>> > parameters were the place to go. I have since uninstalled
>> >>> > the app, which BTW was never on the DC. So are you saying
>> >>> > that with the SeInteractiveLogonRight app, I just need to
>> >>> > change to the directory in which it resides on a
>> >>> > workstation and do a path as spelled out to the affected
>> >>> > server over the network?? OK, I just tried that and it
>> >>> > obviously went through its process and returned to the
>> >>> > prompt. I tried logging in to the server and still got the
>> >>> > same message. I may have also changed something inside
>> >>> > the control panel>administrative tools>local security
>> >>> > settings on the affected server and for sure on server #2
>> >>> > (where the P.O.S. application had been installed). I had
>> >>> > to change the default policy from the #2 server to the
>> >>> > domain from within the drop-down list box at the top of
>> >>> > the window. Would changes made on a server that is being
>> >>> > replicated to, replicate back to the DC?
>> >>> >
>> >>> > I'm at my wits end on this. Any other suggestions would be
>> >>> > greatly appreciated.
>> >>> >
>> >>> > Dave
>> >>> >>-----Original Message-----
>> >>> >>Dave
>> >>> >>
>> >>> >>If you're saying you cannot logon to anything in the domain that is another
>> >>> >>story with a whole lot of different questions attached you state Server in
>> >>> >>the subject but
>> >>> >>is this server a DC or Member server, is it the only DC, what group policy
>> >>> >>was changed, what changes were made to that policy
>> >>> >>etc etc.....
>> >>> >>
>> >>> >>You will have to say if this is the case and the questions will start from
>> >>> >>there.
>> >>> >>
>> >>> >>else I am assuming that you're talking 1 server affected under a GPO change
>> >>> >>and the SeInteractiveLogonRight has been removed from some group such as
>> >>> >>Administrators or Everyone (quite common that's why Joe did the tool) and
>> >>> >>you have workstation access with network access or another server to login
>> >>> >>to.
>> >>> >>
>> >>> >>If this is the case then you just point the exe at the problem machine and
>> >>> >>input the details.
>> >>> >>(Hint Try a local admin account on a machine if the domain account cannot
>> >>> >>login, then run the cmd prompt using "run as" and input your domain account
>> >>> >>details)
>> >>> >>(Hint 2 is it a server in remote admin mode then try TS connection to the
>> >>> >>server and login that way, if you normally TS on for access then try the
>> >>> >>console.)
>> >>> >>
>> >>> >>So say server 1 is the problem in domain 1 for admin1 and he gets the error
>> >>> >>trying to logon
>> >>> >>open a command prompt on a workstation on the domain that has network access
>> >>> >>SeInteractiveLogonRight domain1\admin1 server1
>> >>> >>
>> >>> >>
>> >>> >>You can do the same with NTRights.exe as well from the resource kit except
>> >>> >>this has access to other settings.
>> >>> >>
>> >>> >>Help details from the Exe
>> >>> >>SeInteractiveLogonRight V00.10.00cpp joe@joeware.net September 2001
>> >>> >>
>> >>> >> Usage: sEINTERACTIVELOGONRIGHT <[DOMAIN\] Account> [TargetMachine]
>> >>> >> Will set SeInteractiveLogonRight for account on targetmachine
>> >>> >> Will clear SeDenyInteractiveLogonRight for account on targetmachine
>> >>> >>
>> >>> >> Will remove Everyone well known group from SeDenyInteractiveLogonRight on targetmachine
>> >>> >>
>> >>> >> Example: sEINTERACTIVELOGONRIGHT joehome\$jricha34 pro2
>> >>> >>
>> >>> >>
>> >>> >>If this is not the case then post back with some specific details on the
>> >>> >>situation, the lists are good but my crystal ball is on the blink at the
>> >>> >>moment with a hardware error ;-)
>> >>> >>
>> >>> >>hth
>> >>> >>Steve
>> >>> >>
>> >>> >>
>> >>> >>
>> >>> >>Code based off of MSDN Library code LSAPRIV
>> >>> >>"Dave W" <anonymous@discussions.microsoft.com> wrote in message
>> >>> >>news:395801c4a569$5f36ea00$a301280a@phx.gbl...
>> >>> >>> Thanks, but how do I "use" it? It's a little exe that
>> >>> >>> apparently must be run in a windows environment. If I
>> >>> >>> can't logon, how do I do that?
>> >>> >>>
>> >>> >>> Dave
>> >>> >>> >-----Original Message-----
>> >>> >>> >Go here
>> >>> >>> >http://www.joeware.net/win32/index.html
>> >>> >>> >download the SeInteractiveLogonRight from the win32 c++ tools page have a
>> >>> >>> >read then run it and you're good to go
>> >>> >>> >
>> >>> >>> >rgds
>> >>> >>> >Steve
>> >>> >>> >
>> >>> >>> >"Chriss3 [MVP]" <noSpamHere@chrisse.se> wrote in message
>> >>> >>> >news:OjRUVVMpEHA.744@TK2MSFTNGP10.phx.gbl...
>> >>> >>> >> Restart the computer into DS restore mode. Try to change local GPO, or try
>> >>> >>> >> to change it from another computer.
>> >>> >>> >>
>> >>> >>> >> --
>> >>> >>> >> Regards
>> >>> >>> >> Christoffer Andersson
>> >>> >>> >> Microsoft MVP - Directory Services
>> >>> >>> >>
>> >>> >>> >> No email replies please - reply in the newsgroup
>> >>> >>> >> ------------------------------------------------
>> >>> >>> >> http://www.chrisse.se - Active Directory Tips
>> >>> >>> >>
>> >>> >>> >> "Dave W" <anonymous@discussions.microsoft.com> wrote in message
>> >>> >>> >> news:2f7e01c4a4bc$03ecbd30$a301280a@phx.gbl...
>> >>> >>> >> > Some changes were made to group policy several days ago
>> >>> >>> >> > and something musta got screwed up because I cannot log
>> >>> >>> >> > back in now that I have logged out. I get the following
>> >>> >>> >> > message after the failed login: "the local policy of this
>> >>> >>> >> > system does not permit you to logon interactively"
>> >>> >>> >> > Is there anything that I can do?
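
Added example, not part of the original thread and not joeware's code: a read-only check of the two user rights Steven L Umbach describes (logon locally and deny logon locally), run over the `[Privilege Rights]` section of a security template such as a GPO's GptTmpl.inf or a `secedit /export` file. The sample templates, the `MailSvc` account and the function names are constructed for illustration.

```python
import configparser

# Well-known principals, as SIDs (template form "*S-...") or plain names.
ADMINS = {"*s-1-5-32-544", "administrators", "builtin\\administrators"}
EVERYONE = {"*s-1-1-0", "everyone"}

# Constructed sample: Administrators dropped from "logon locally" and
# Everyone placed in "deny logon locally" (the lockout in this thread).
SAMPLE_BROKEN = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-551,MailSvc
SeDenyInteractiveLogonRight = *S-1-1-0
"""

# Constructed sample: the domain controller default described in the thread
# (Administrators allowed, deny right defined but empty).
SAMPLE_DEFAULT = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeDenyInteractiveLogonRight =
"""

def parse_rights(inf_text):
    """Return {right_name: [principals]} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of the right names
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {name: [p.strip() for p in value.split(",") if p.strip()]
            for name, value in cp.items("Privilege Rights")}

def audit_logon_rights(inf_text):
    """List the settings that would block an administrator's interactive logon."""
    rights = parse_rights(inf_text)
    allow = {p.lower() for p in rights.get("SeInteractiveLogonRight", [])}
    deny = {p.lower() for p in rights.get("SeDenyInteractiveLogonRight", [])}
    findings = []
    if "SeInteractiveLogonRight" in rights and not allow & ADMINS:
        findings.append("logon locally: Administrators missing")
    if deny & ADMINS:
        findings.append("deny logon locally: contains Administrators")
    if deny & EVERYONE:  # administrators are members of Everyone too
        findings.append("deny logon locally: contains Everyone")
    return findings
```

Every GPO linked to the domain controllers container needs the same check, since any one of them can define these two rights.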