
HELP!!! Unable to logon to Server 2000

Anonymous
September 27, 2004 3:01:29 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Some changes were made to group policy several days ago
and something musta got screwed up because I cannot log
back in now that I have logged out. I get the following
message after the failed login: "the local policy of this
system does not permit you to logon interactively"
Is there anything that I can do?


Anonymous
September 28, 2004 1:08:09 AM


Restart the computer into DS restore mode. Try to change local GPO, or try
to change it from another computer.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips
September 28, 2004 1:29:08 PM


Go here
http://www.joeware.net/win32/index.html
download the SeInteractiveLogonRight from the win32 c++ tools page, have a
read, then run it and you're good to go

rgds
Steve

Anonymous
September 28, 2004 1:29:09 PM


Thanks, but how do I "use" it? It's a little exe that
apparently must be run in a windows environment. If I
can't logon, how do I do that?

Dave
September 28, 2004 11:44:02 PM


Dave

If you're saying you cannot logon to anything in the domain, that is another
story with a whole lot of different questions attached. You state Server in
the subject, but is this server a DC or Member server, is it the only DC,
what group policy was changed, what changes were made to that policy,
etc etc.....

You will have to say if this is the case and the questions will start from
there.

Else I am assuming that you're talking 1 server affected under a GPO change
and the SeInteractiveLogonRight has been removed from some group such as
Administrators or Everyone (quite common, that's why Joe did the tool) and
you have workstation access with network access or another server to login
to.

If this is the case then you just point the exe at the problem machine and
input the details.
(Hint: try a local admin account on a machine if the domain account cannot
login, then run the cmd prompt using "run as" and input your domain account
details.)
(Hint 2: is it a server in remote admin mode? Then try a TS connection to the
server and login that way; if you normally TS on for access then try the
console.)

So say server 1 is the problem in domain 1 for admin1 and he gets the error
trying to logon:
open a command prompt on a workstation on the domain that has network access
SeInteractiveLogonRight domain1\admin1 server1


You can do the same with NTRights.exe as well from the resource kit except
this has access to other settings.

Help details from the Exe
SeInteractiveLogonRight V00.10.00cpp joe@joeware.net September 2001

Usage: sEINTERACTIVELOGONRIGHT <[DOMAIN\]Account> [TargetMachine]
Will set SeInteractiveLogonRight for account on targetmachine
Will clear SeDenyInteractiveLogonRight for account on targetmachine

Will remove Everyone well known group from
SeDenyInteractiveLogonRight on targetmachine

Example: sEINTERACTIVELOGONRIGHT joehome\$jricha34 pro2


If this is not the case then post back with some specific details on the
situation, the lists are good but my crystal ball is on the blink at the
moment with a hardware error ;-)

hth
Steve



Code based off of MSDN Library code LSAPRIV
Anonymous
September 28, 2004 11:44:03 PM


Whew! Where to begin. The machine in question is the lone
DC in a single AD domain. I do have another server that I
work on that is being replicated to though (I think). All
the other machines can be logged into. I have tried
several other accounts on the DC and none of them will log
in. I first noticed the problem over the past weekend when
I tried to connect from home via term. serv's. The
same "interactive logging" message. I believe the GPO that
I screwed with was the one for the DC's as the one for the
domain is and has been disabled for some time. I have been
able to connect to the AD users & computers through my PC
(server #2) and the log on locally has all the users and
groups that I believe are necessary. The program that
precipitated this with the GPO was a mail/spam app that
wouldn't start its engine so I thought that the log on
parameters were the place to go. I have since uninstalled
the app, which BTW was never on the DC. So are you saying
that with the SeInteractiveLogonRight app, I just need to
change to the directory in which it resides on a
workstation and do a path as spelled out to the affected
server over the network?? OK, I just tried that and it
obviously went through its process and returned to the
prompt. I tried logging in to the server and still got the
same message. I may have also changed something inside
the control panel>administrative tools>local security
settings on the affected server and for sure on server #2
(where the P.O.S. application had been installed). I had
to change the default policy from the #2 server to the
domain from within the drop-down list box at the top of
the window. Would changes made on a server that is being
replicated to, replicate back to the DC?

I'm at my wits end on this. Any other suggestions would be
greatly appreciated.

Dave
Anonymous
September 29, 2004 4:33:55 AM


Install Adminpak on one of your Windows 2000 domain computers that you can
logon to as a domain administrator and use it to modify the problem policy
from that computer. My guess is that the change was made in Domain
Controller Security Policy under security settings/local policies/user
rights. Look at the two user rights for logon locally and deny logon
locally. By default administrators is in the logon locally for domain
controllers and the deny logon locally is defined but empty. If there is
more than one GPO in the domain controller container you will need to check
them all for those user rights. Adminpak is on the server install disk in
the I386 folder. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;216999
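
Added example, not part of any poster's message and not code from joeware or Microsoft: because the SYSVOL share is still reachable, the security template each GPO keeps there (GptTmpl.inf under MACHINE\Microsoft\Windows NT\SecEdit) can be read directly to check every GPO for the two user rights discussed above. The sample templates and the MAILSVC account are constructed; matching Administrators by name or by the well-known SID S-1-5-32-544 is an assumption about how the entries were saved.

```python
"""Audit GptTmpl.inf security templates for the two interactive-logon rights."""
from pathlib import Path

LOGON = "seinteractivelogonright"      # "Log on locally"
DENY = "sedenyinteractivelogonright"   # "Deny logon locally"
# Ways the built-in Administrators group can appear in a template:
# a well-known SID (prefixed with '*') or a plain account name (assumption).
ADMINISTRATORS = {"*s-1-5-32-544", "administrators", "builtin\\administrators"}


def decode_template(raw: bytes) -> str:
    """GptTmpl.inf is normally UTF-16 with a BOM; fall back to 8-bit text."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")


def privilege_rights(text: str) -> dict:
    """Return {right_name_lowercase: [principals]} from [Privilege Rights]."""
    rights, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # "Right =" with nothing after it means "defined but empty".
            rights[name.strip().lower()] = [
                p.strip().strip('"') for p in value.split(",") if p.strip()
            ]
    return rights


def audit_template(raw: bytes) -> list:
    """Flag a template that can lock administrators out of console logon."""
    rights = privilege_rights(decode_template(raw))
    findings = []
    # A GPO that defines the right replaces the list, so a definition
    # without Administrators removes their local logon.
    if LOGON in rights:
        members = {m.lower() for m in rights[LOGON]}
        if not members & ADMINISTRATORS:
            findings.append(("ADMINS_MISSING", rights[LOGON]))
    # The default described in the thread is "defined but empty".
    if rights.get(DENY):
        findings.append(("DENY_NOT_EMPTY", rights[DENY]))
    return findings


def audit_policies_dir(policies_dir: str) -> dict:
    """Audit every GPO folder under a copy of SYSVOL\\<domain>\\Policies."""
    pattern = "*/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf"
    return {
        inf.parents[4].name: audit_template(inf.read_bytes())
        for inf in sorted(Path(policies_dir).glob(pattern))
    }


# Constructed sample templates (not taken from the poster's domain).
SAMPLE_OK = (
    "[Unicode]\r\nUnicode=yes\r\n"
    "[Privilege Rights]\r\n"
    "SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551\r\n"
    "SeDenyInteractiveLogonRight =\r\n"
).encode("utf-16")
SAMPLE_BROKEN = (
    "[Privilege Rights]\r\n"
    "SeInteractiveLogonRight = MAILSVC\r\n"
    "SeDenyInteractiveLogonRight = *S-1-1-0\r\n"
).encode("utf-16")
SAMPLE_SILENT = "[System Access]\r\nMinimumPasswordLength = 7\r\n".encode("utf-16")

if __name__ == "__main__":
    samples = {"GPO-A": SAMPLE_OK, "GPO-B": SAMPLE_BROKEN, "GPO-C": SAMPLE_SILENT}
    for label, raw in samples.items():
        print(label, audit_template(raw) or "no findings")
```

To run it against the real domain, pass audit_policies_dir the Policies folder of the SYSVOL share; folder-name case must match the glob pattern on a case-sensitive file system.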
September 29, 2004 12:32:43 PM


Dave
Other Steve here
How are you doing on this at present? Have you managed to get to the policy
yet?

You're correct on the operation of the tool: open the cmd prompt on the
directory it resides and run it

so to grant the Administrator Group the local logon right just type
SeinteractiveLogonRight DomainName\Administrators ServerName
this would clear the local settings in the local security policy on the
server

If you have changed the default domain controllers policy
then as Steve L states use the adminpak on another machine to change that
policy as well.

rgds
Steve

Anonymous
September 29, 2004 4:23:41 PM


Still can't logon to that machine. I ran the
SeInteractiveLogonRight app again and got an error msg
this time. In your post you spelled out the command
as "SeinteractiveLogonRight DomainName\Administrators
ServerName". Is "administrators" literal, including the
pluralization? Anyways, I do have the Administrative Tools
on my Program Menu (on my server#2) so I am able to access
the controls for the domain Controller (server#1). I have
checked the GPO for the DC group and it is exactly as I've
been told to set it (enable but don't specify for the "deny
logon" and the "logon locally" has the administrator (as
well as quite a few others in it). At the moment it's not
a crisis, but I can see that happening at some point. Our
Exchange server is on that server. I can access various
file and folders through the Network Neighborhood as well.
That includes the "sysvol" share and others. I have even
tried disabling all of the policies.
>-----Original Message-----
>Dave
>Other Steve here
>how are you doing on this at present ? have you managed
to get to the policy
>yet?
>
>Your correct on the operation of the tool open the cmd
prompt on the
>directory it resides and run it
>
>so to grant the Administrator Group the local logon right
just type
>SeinteractiveLogonRight DomainName\Administrators
ServerName
>this would clear the local settings in the local security
policy on the
>server
>
>If you have changed the default domain controllers policy
>then as Steve L states use the adminpak on another
machine to change that
>policy as well.
>
>rgds
>Steve
>
>
>"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net>
wrote in message
>news:Spn6d.274636$mD.74234@attbi_s02...
>> Install Adminpak on one of your Windows 2000 domain computers that you can
>> logon to as a domain administrator and use it to modify the problem policy
>> from that computer. My guess is that the change was made in Domain
>> Controller Security Policy under security settings/local policies/user
>> rights. Look at the two user rights for logon locally and deny logon
>> locally. By default administrators is in the logon locally for domain
>> controllers and the deny logon locally is defined but empty. If there is
>> more than one GPO in the domain controller container you will need to check
>> them all for those user rights. Adminpak is on the server install disk in
>> the I386 folder. --- Steve
>>
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;216999
>>
>> "Dave W" <anonymous@discussions.microsoft.com> wrote in message
>> news:050b01c4a5b7$ed991f90$a401280a@phx.gbl...
>> > Whew! Where to begin. The machine in question is the lone
>> > DC in a single AD domain. I do have another server that I
>> > work on that is being replicated to though (I think). All
>> > the other machines can be logged into. I have tried
>> > several other accounts on the DC and none of them will log
>> > in. I first noticed the problem over the past weekend when
>> > I tried to connect from home via term. serv's. The
>> > same "interactive logging" message. I believe the GPO that
>> > I screwed with was the one for the DC's as the one for the
>> > domain is and has been disabled for some time. I have been
>> > able to connect to the AD users & computers through my PC
>> > (server #2) and the log on locally has all the users and
>> > groups that I believe are necessary. The program that
>> > precipitated this with the GPO was a mail/spam app that
>> > wouldn't start its engine so I thought that the log on
>> > parameters were the place to go. I have since uninstalled
>> > the app, which BTW was never on the DC. So are you saying
>> > that with the SeInteractiveLogonRight app, I just need to
>> > change to the directory in which it resides on a
>> > workstation and do a path as spelled out to the affected
>> > server over the network?? OK, I just tried that and it
>> > obviously went through its process and returned to the
>> > prompt. I tried logging in to the server and still got the
>> > same message. I may have also changed something inside
>> > the control panel>administrative tools>local security
>> > settings on the affected server and for sure on server #2
>> > (where the P.O.S. application had been installed). I had
>> > to change the default policy from the #2 server to the
>> > domain from within the drop-down list box at the top of
>> > the window. Would changes made on a server that is being
>> > replicated to, replicate back to the DC?
>> >
>> > I'm at my wits end on this. Any other suggestions would be
>> > greatly appreciated.
>> >
>> > Dave
>> >>-----Original Message-----
>> >>Dave
>> >>
>> >>If you're saying you cannot logon to anything in the domain that is another
>> >>story with a whole lot of different questions attached you state Server in
>> >>the subject but
>> >>is this server a DC or Member server, is it the only DC, what group policy
>> >>was changed, what changes were made to that policy
>> >>etc etc.....
>> >>
>> >>You will have to say if this is the case and the questions will start from
>> >>there.
>> >>
>> >>else I am assuming that you're talking 1 server affected under a GPO change
>> >>and the SeInteractiveLogonRight has been removed from some group such as
>> >>Administrators or Everyone (quite common that's why Joe did the tool) and
>> >>you have workstation access with network access or another server to login
>> >>to.
>> >>
>> >>If this is the case then you just point the exe at the problem machine and
>> >>input the details.
>> >>(Hint Try a local admin account on a machine if the domain account cannot
>> >>login, then run the cmd prompt using "run as" and input your domain account
>> >>details)
>> >>(Hint 2 is it a server in remote admin mode then try TS connection to the
>> >>server and login that way, if you normally TS on for access then try the
>> >>console.)
>> >>
>> >>So say server 1 is the problem in domain 1 for admin1 and he gets the error
>> >>trying to logon
>> >>open a command prompt on a workstation on the domain that has network access
>> >>SeInteractiveLogonRight domain1\admin1 server1
>> >>
>> >>
>> >>You can do the same with NTRights.exe as well from the resource kit except
>> >>this has access to other settings.
>> >>
>> >>Help details from the Exe
>> >>SeInteractiveLogonRight V00.10.00cpp joe@joeware.net September 2001
>> >>
>> >> Usage: sEINTERACTIVELOGONRIGHT <[DOMAIN\] Account> [TargetMachine]
>> >> Will set SeInteractiveLogonRight for account on targetmachine
>> >> Will clear SeDenyInteractiveLogonRight for account on targetmachine
>> >>
>> >> Will remove Everyone well known group from SeDenyInteractiveLogonRight on targetmachine
>> >>
>> >> Example: sEINTERACTIVELOGONRIGHT joehome\$jricha34 pro2
>> >>
>> >>
>> >>If this is not the case then post back with some specific details on the
>> >>situation, the lists are good but my crystal ball is on the blink at the
>> >>moment with a hardware error ;-)
>> >>
>> >>hth
>> >>Steve
>> >>
>> >>
>> >>
>> >>Code based off of MSDN Library code LSAPRIV
>> >>"Dave W" <anonymous@discussions.microsoft.com> wrote in message
>> >>news:395801c4a569$5f36ea00$a301280a@phx.gbl...
>> >>> Thanks, but how do I "use" it? It's a little exe that
>> >>> apparently must be run in a windows environment. If I
>> >>> can't logon, how do I do that?
>> >>>
>> >>> Dave
Anonymous
September 29, 2004 5:36:39 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Good News! For whatever reason I was just able to log on
to that server. Through the network I was able to change
the administrator's p/w from ******* to blank, but that
was like hours ago and it wouldn't let me in all morning
(after trying as many things as I did, I won't be able to
determine for certain what the problem was) I'll betcha
that I'll be able to connect from home tonight through
term/serv's too. Just want to thank everyone that tried to
help.

Dave
>-----Original Message-----
>Still can't logon to that machine. I ran the
>SeInteractiveLogonRight app again and got an error msg
>this time. In your post you spelled out the command
>as "SeinteractiveLogonRight DomainName\Administrators
>ServerName". Is "administrators" literal, including the
>pluralization? Anyways, I do have the Administrative Tools
>on my Program Menu (on my server#2) so I am able to access
>the controls for the domain Controller (server#1). I have
>checked the GPO for the DC group and it is exactly as I've
>been told to set it (enable but don't specify for the "deny
>logon" and the "logon locally" has the administrator (as
>well as quite a few others in it). At the moment it's not
>a crisis, but I can see that happening at some point. Our
>Exchange server is on that server. I can access various
>file and folders through the Network Neighborhood as well.
>That includes the "sysvol" share and others. I have even
>tried disabling all of the policies.
>>-----Original Message-----
>>Dave
>>Other Steve here
>>how are you doing on this at present ? have you managed to get to the policy
>>yet?
>>
>>You're correct on the operation of the tool open the cmd prompt on the
>>directory it resides and run it
>>
>>so to grant the Administrator Group the local logon right just type
>>SeinteractiveLogonRight DomainName\Administrators ServerName
>>this would clear the local settings in the local security policy on the
>>server
>>
>>If you have changed the default domain controllers policy
>>then as Steve L states use the adminpak on another machine to change that
>>policy as well.
>>
>>rgds
>>Steve
>>
>>
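The advice quoted in this thread is to check every GPO on the domain controllers container for the "logon locally" and "deny logon locally" user rights. The sketch below is an added example (not code from any poster or from joeware) that does this offline against the [Privilege Rights] section of each GPO's GptTmpl.inf security template and names the GPO that decides the outcome. The GPO names, SIDs and template text are constructed, and the evaluation assumes the caller lists the GPOs in application order, with the last GPO that defines a right replacing the whole list.

```python
"""Audit the two interactive-logon user rights across GPO security templates.

Added example. GPO names, SIDs and template text below are constructed.
On a real domain the templates are the GptTmpl.inf files under SYSVOL
(usually UTF-16 encoded); here they are inline strings so the check runs offline.
"""

ALLOW = "SeInteractiveLogonRight"      # "Log on locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny logon locally"


def parse_privilege_rights(inf_text):
    """Return {right: set(principals)} from the [Privilege Rights] section.

    A right written with an empty value ("defined but empty") maps to an
    empty set; a right that is not mentioned is absent from the dict.
    """
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = {
            m.strip().lstrip("*").lower() for m in value.split(",") if m.strip()
        }
    return rights


def effective_rights(gpos_in_apply_order):
    """Fold GPOs in application order: for each right, the last GPO that
    defines it replaces the whole list (assumed precedence model)."""
    effective = {}
    for gpo_name, inf_text in gpos_in_apply_order:
        for right, members in parse_privilege_rights(inf_text).items():
            effective[right] = (gpo_name, members)
    return effective


def interactive_logon_verdict(gpos_in_apply_order, token):
    """token: SIDs (or names) of the account and its groups.

    Returns (verdict, name of the GPO that decided it, or None).
    """
    eff = effective_rights(gpos_in_apply_order)
    ids = {t.lower() for t in token}
    deny_gpo, deny = eff.get(DENY, (None, set()))
    if ids & deny:                       # a deny entry beats any allow entry
        return ("denied-by-deny-right", deny_gpo)
    if ALLOW not in eff:                 # no GPO sets it: local policy decides
        return ("not-defined-in-any-gpo", None)
    allow_gpo, allow = eff[ALLOW]
    if ids & allow:
        return ("allowed", allow_gpo)
    return ("denied-not-listed", allow_gpo)


# Constructed templates -------------------------------------------------------
DEFAULT_DC_POLICY = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-551
SeDenyInteractiveLogonRight =
"""
# A second GPO that redefines the allow list with one service account only.
SERVICE_GPO = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
"""
# A GPO that puts Everyone (S-1-1-0) into the deny right.
DENY_EVERYONE_GPO = """\
[Privilege Rights]
SeDenyInteractiveLogonRight = *S-1-1-0
"""
# Token of a domain administrator: own SID, BUILTIN\\Administrators, Everyone.
ADMIN_TOKEN = [
    "S-1-5-21-1111111111-2222222222-3333333333-500",
    "S-1-5-32-544",
    "S-1-1-0",
]

if __name__ == "__main__":
    base = [("Default Domain Controllers Policy", DEFAULT_DC_POLICY)]
    for extra in ([], [("Service GPO", SERVICE_GPO)],
                  [("Deny GPO", DENY_EVERYONE_GPO)]):
        print(interactive_logon_verdict(base + extra, ADMIN_TOKEN))
```
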
September 30, 2004 12:07:50 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Great, glad you're back in to the server.

Sorry, did slip with the extra s on Administrator, my fault.
Rgds
Steve




"Dave W" <anonymous@discussions.microsoft.com> wrote in message
news:1b3001c4a664$05b70f40$a601280a@phx.gbl...
> Good News! For whatever reason I was just able to log on
> to that server. Through the network I was able to change
> the administrator's p/w from ******* to blank, but that
> was like hours ago and it wouldn't let me in all morning
> (after trying as many things as I did, I won't be able to
> determine for certain what the problem was) I'll betcha
> that I'll be able to connect from home tonight through
> term/serv's too. Just want to thank everyone that tried to
> help.
>
> Dave
Anonymous
September 30, 2004 12:19:41 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

A new problem has arisen, I believe because I ran that
little app from the command prompt, I cannot start my
exchange system manager now. I get the following
error: "Facility Win32, I.D. No. 8007203b Exchange System
Manager" I looked it up on the MS KB and it said to restart
the Kerberos service in the services. I did, and it didn't
help. I think I wiped out some sort of authentication for
the exchange services by running it. Is there some way to
revert, or undo, what I did?

Dave
>-----Original Message-----
>Great, glad you're back in to the server.
>
>Sorry, did slip with the extra s on Administrator, my fault.
>Rgds
>Steve
>
>"Dave W" <anonymous@discussions.microsoft.com> wrote in message
>news:1b3001c4a664$05b70f40$a601280a@phx.gbl...
>> Good News! For whatever reason I was just able to log on
>> to that server. Through the network I was able to change
>> the administrator's p/w from ******* to blank, but that
>> was like hours ago and it wouldn't let me in all morning
>> (after trying as many things as I did, I won't be able to
>> determine for certain what the problem was) I'll betcha
>> that I'll be able to connect from home tonight through
>> term/serv's too. Just want to thank everyone that tried to
>> help.
>>
>> Dave
>> >>> >>-----Original Message-----
>> >>> >>Dave
>> >>> >>
>> >>> >>If you're saying you cannot logon to anything in the domain
>> >>> >>that is another story with a whole lot of different questions
>> >>> >>attached you state Server in the subject but
>> >>> >>is this server a DC or Member server, is it the only DC,
>> >>> >>what group policy was changed, what changes were made to
>> >>> >>that policy etc etc.....
>> >>> >>
>> >>> >>You will have to say if this is the case and the questions
>> >>> >>will start from there.
>> >>> >>
>> >>> >>else I am assuming that you're talking 1 server affected
>> >>> >>under a GPO change and the SeInteractiveLoginRight has been
>> >>> >>removed from some group such as Administrators or Everyone
>> >>> >>(quite common that's why Joe did the tool) and you have
>> >>> >>workstation access with network access or another server to
>> >>> >>login to.
>> >>> >>
>> >>> >>If this is the case then you just point the exe at the
>> >>> >>problem machine and input the details.
>> >>> >>(Hint Try a local admin account on a machine if the domain
>> >>> >>account cannot login, then run the cmd prompt using "run as"
>> >>> >>and input your domain account details)
>> >>> >>(Hint 2 is it a server in remote admin mode then try TS
>> >>> >>connection to the server and login that way, if you normally
>> >>> >>TS on for access then try the console.)
>> >>> >>
>> >>> >>So say server 1 is the problem in domain 1 for admin1 and he
>> >>> >>gets the error trying to logon
>> >>> >>open a command prompt on a workstation on the domain that
>> >>> >>has network access
>> >>> >>SeInteractiveLogonRight domain1\admin1 server1
>> >>> >>
>> >>> >>
>> >>> >>You can do the same with NTRights.exe as well from the
>> >>> >>resource kit except this has access to other settings.
>> >>> >>
>> >>> >>Help details from the Exe
>> >>> >>SeInteractiveLogonRight V00.10.00cpp joe@joeware.net September 2001
>> >>> >>
>> >>> >> Usage: sEINTERACTIVELOGONRIGHT <[DOMAIN\] Account> [TargetMachine]
>> >>> >> Will set SeInteractiveLogonRight for account on targetmachine
>> >>> >> Will clear SeDenyInteractiveLogonRight for account on targetmachine
>> >>> >>
>> >>> >> Will remove Everyone well known group from SeDenyInteractiveLogonRight on targetmachine
>> >>> >>
>> >>> >> Example: sEINTERACTIVELOGONRIGHT joehome\$jricha34 pro2
>> >>> >>
>> >>> >>
>> >>> >>If this is not the case then post back with some specific
>> >>> >>details on the situation, the lists are good but my crystal
>> >>> >>ball is on the blink at the moment with a hardware error ;-)
>> >>> >>
>> >>> >>hth
>> >>> >>Steve
>> >>> >>
>> >>> >>
>> >>> >>
>> >>> >>Code based off of MSDN Library code LSAPRIV
>> >>> >>"Dave W" <anonymous@discussions.microsoft.com> wrote in message
>> >>> >>news:395801c4a569$5f36ea00$a301280a@phx.gbl...
>> >>> >>> Thanks, but how do I "use" it? It's a little exe that
>> >>> >>> apparently must be run in a windows environment. If I
>> >>> >>> can't logon, how do I do that?
>> >>> >>>
>> >>> >>> Dave
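The two rights named in the tool's help text quoted above can be checked offline before anyone logs off a machine after a policy change. The following is an added example, not part of the original posts and not joeware's code: it parses the `[Privilege Rights]` section of a security template in the INF layout that `secedit /export` writes and reports whether an account can log on locally. The sample template and the `svc_mail` account are constructed; `domain1\admin1` is borrowed from the example in the thread.

```python
# Constructed sample: the [Privilege Rights] section of a security template in
# the INF layout written by `secedit /export`. Not data from the thread.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-551,DOMAIN1\\svc_mail
SeDenyInteractiveLogonRight = *S-1-1-0
[Version]
signature="$CHICAGO$"
"""

ALLOW = "SeInteractiveLogonRight"
DENY = "SeDenyInteractiveLogonRight"
EVERYONE = "S-1-1-0"  # well-known SID present in every interactive user's token


def parse_privilege_rights(inf_text):
    """Return {right_name: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INF comment
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # Entries are "*SID" or plain account names; normalise both forms.
            rights[name.strip()] = {
                m.strip().lstrip("*").lower() for m in value.split(",") if m.strip()
            }
    return rights


def can_log_on_locally(rights, principals):
    """principals: the account plus every group it is a member of (SIDs or names)."""
    ids = {p.lower() for p in principals} | {EVERYONE.lower()}
    denied = rights.get(DENY, set()) & ids
    if denied:  # a deny entry overrides any allow entry
        return False, "denied via " + ", ".join(sorted(denied))
    allowed = rights.get(ALLOW, set()) & ids
    if not allowed:
        return False, "no entry grants " + ALLOW
    return True, "granted via " + ", ".join(sorted(allowed))


if __name__ == "__main__":
    admin = ["DOMAIN1\\admin1", "S-1-5-32-544"]  # admin1 is in BUILTIN\Administrators
    print(can_log_on_locally(parse_privilege_rights(SAMPLE_INF), admin))
```

With the constructed template, the administrator is refused because Everyone sits in the deny list, and would still be refused after that entry is cleared because no allow entry covers the account: the same two conditions the tool's help text says it resets.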
Anonymous
September 30, 2004 12:27:55 PM

"Dave W" <anonymous@discussions.microsoft.com> said

> A new problem has arisen, I believe because I ran that
> little app from the command prompt, I cannot start my
> exchange system manager now. I get the following
> error: "Facility Win32, I.D. No. 8007203b Exchange System
> Manager" I looked it up on the MS KB and it said to restart
> the Kerberos service in the services. I did, and it didn't
> help. I think I wiped out some sort of authentication for
> the exchange services by running it. Is there some way to
> revert, or undo, what I did?
>

Your exchange service is probably authenticating using the Administrator
account, for which you have changed the password.
Go into your services in computer management and tell the exchange service to
use the new password.

--
Andy.
Anonymous
September 30, 2004 1:10:05 PM

I couldn't get into the AD Users & computers or AD sites &
services and domains & trusts etc, etc. Fortunately, I was
able to connect to those through server #2 and I
reconnected to the primary server through the AD domains &
trusts and redid the Operations master and that seemed to
solve the problem. WHEW!!!! Thanks and I hope that's all.

Dave