Urgent Policy question


Archived from groups: microsoft.public.win2000.group_policy

 

Fortunately this is in a lab setting but I still am in need of dire help.
I was changing policies and wasn't paying too close attention and I must
have changed the policy for logging in locally because no PC can log in to
the domain, and I can't get into the DC (even with the Admin account). How
can I get into the PC to change this policy setting? I am getting the message
"The local policy of this system does not allow you to logon interactively"
from any PC on the domain. The only way for other workstations or member
servers (2) to log in is locally.
Please help, I do not want to rebuild this DC! I have a lot of time and work
into this. I made a stupid mistake and am now paying for it.

Thanks,


What policies did you change? Normally when this happens you should still be
able to logon to a domain controller locally unless you changed both Domain
and Domain Controller Security Policy.

Anyhow see the link below on how to edit the GptTmpl.inf file in the sysvol
share to restore default user rights for Domain Controller Security Policy.
You could do such by either putting the hard drive of the domain controller
into another computer to access it, use a parallel installation of the
operating system, or best option would be to try and access the sysvol share
remotely. You could do such by logging onto a non domain computer to try
such either with a user account that has the same credentials as a domain
administrator or entering domain administrator credentials when you try to
access the sysvol share. This assumes that the user right for access this
computer from the network user right is still granted for the domain
administrator account. Always be very careful with deny user rights as they
override allow user rights and administrators are members of the users and
everyone groups. --- Steve

http://support.microsoft.com/kb/267553/

"Ackztoul" <Ackztoul@discussions.microsoft.com> wrote in message
news:C2B5A731-F0CE-4EBC-8350-742E8D87D053@microsoft.com...
> Fortunately this is in a lab setting but I still am in need of dire help.
> I was changing policies and wasn't paying too close attention and I must
> have changed the policy for logging in locally because no PC can log in to
> the domain, and I can't get into the DC (even with the Admin account). How
> can I get into the PC to change this policy setting? I am getting the
> message
> "The local policy of this system does not allow you to logon
> interactively"
> from any PC on the domain. The only way for other workstations or member
> servers (2) to log in is locally.
> Please help, I do not want to rebuild this DC! I have a lot of time and
> work
> into this. I made a stupid mistake and am now paying for it.
>
> Thanks,
>
>
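
The check that the advice above implies, as an added example that is not part of the original thread: a Python script that reads the `[Privilege Rights]` section of a `GptTmpl.inf` copy and lists every principal under a deny logon right, marking broad groups that include administrators. The sample file content and the `LAB\AllStaff` group are constructed for illustration.

```python
# Added example: audit deny-logon rights in a GptTmpl.inf copy (offline).
BROAD_SIDS = {"*S-1-1-0", "*S-1-5-11", "*S-1-5-32-545"}  # Everyone, Authenticated Users, Users
BROAD_NAMES = {"everyone", "authenticated users", "users", "domain users"}
# Each deny right and the allow right it overrides.
DENY_TO_ALLOW = {
    "SeDenyInteractiveLogonRight": "SeInteractiveLogonRight",
    "SeDenyNetworkLogonRight": "SeNetworkLogonRight",
}
# Constructed sample; LAB/AllStaff is a hypothetical group holding every user.
SAMPLE = """\
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeDenyInteractiveLogonRight = LAB\\AllStaff,*S-1-5-32-545
SeDenyNetworkLogonRight =
"""

def parse_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line and not line.startswith(";"):
            right, _, value = line.partition("=")
            rights[right.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def is_broad(principal):
    """True for well-known groups that administrators also belong to."""
    p = principal.lower()
    name = p.rsplit("\\", 1)[-1]  # drop a DOMAIN prefix if present
    domain_users = p.startswith("*s-1-5-21-") and p.endswith("-513")
    return principal.upper() in BROAD_SIDS or name in BROAD_NAMES or domain_users

def audit(inf_text):
    """Return (deny_right, principal, reason) for every deny-logon entry."""
    rights, findings = parse_rights(inf_text), []
    for deny, allow in DENY_TO_ALLOW.items():
        allowed = {p.lower() for p in rights.get(allow, [])}
        for p in rights.get(deny, []):
            if is_broad(p):
                reason = "broad group that includes administrators"
            elif p.lower() in allowed:
                reason = "also listed under " + allow + "; deny overrides it"
            else:
                reason = "review group membership for administrators"
            findings.append((deny, p, reason))
    return findings
```

Group membership cannot be resolved from the file alone, so any custom group under a deny right is reported for manual review rather than cleared.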


Yea, I accidentally put it in the Deny logon locally, not paying attention.
I put a group in there that basically has all my users in!! STUPID....

Thanks,

"Steven L Umbach" wrote:

> What policies did you change? Normally when this happens you should still be
> able to logon to a domain controller locally unless you changed both Domain
> and Domain Controller Security Policy.
>
> Anyhow see the link below on how to edit the GptTmpl.inf file in the sysvol
> share to restore default user rights for Domain Controller Security Policy.
> You could do such by either putting the hard drive of the domain controller
> into another computer to access it, use a parallel installation of the
> operating system, or best option would be to try and access the sysvol share
> remotely. You could do such by logging onto a non domain computer to try
> such either with a user account that has the same credentials as a domain
> administrator or entering domain administrator credentials when you try to
> access the sysvol share. This assumes that the user right for access this
> computer from the network user right is still granted for the domain
> administrator account. Always be very careful with deny user rights as they
> override allow user rights and administrators are members of the users and
> everyone groups. --- Steve
>
> http://support.microsoft.com/kb/267553/
>
> "Ackztoul" <Ackztoul@discussions.microsoft.com> wrote in message
> news:C2B5A731-F0CE-4EBC-8350-742E8D87D053@microsoft.com...
> > Fortunately this is in a lab setting but I still am in need of dire help.
> > I was changing policies and wasn't paying too close attention and I must
> > have changed the policy for logging in locally because no PC can log in to
> > the domain, and I can't get into the DC (even with the Admin account). How
> > can I get into the PC to change this policy setting? I am getting the
> > message
> > "The local policy of this system does not allow you to logon
> > interactively"
> > from any PC on the domain. The only way for other workstations or member
> > servers (2) to log in is locally.
> > Please help, I do not want to rebuild this DC! I have a lot of time and
> > work
> > into this. I made a stupid mistake and am now paying for it.
> >
> > Thanks,
> >
> >
>
>
>


OK. Well the solutions I listed should work for you if you can not logon to
a domain controller directly. --- Steve


"Ackztoul" <Ackztoul@discussions.microsoft.com> wrote in message
news:0E1021C0-C699-4675-AA6F-4D996EE160E7@microsoft.com...
> Yea, I accidentally put it in the Deny logon locally, not paying
> attention.
> I put a group in there that basically has all my users in!! STUPID....
>
> Thanks,
>
> "Steven L Umbach" wrote:
>
>> What policies did you change? Normally when this happens you should still
>> be
>> able to logon to a domain controller locally unless you changed both
>> Domain
>> and Domain Controller Security Policy.
>>
>> Anyhow see the link below on how to edit the GptTmpl.inf file in the
>> sysvol
>> share to restore default user rights for Domain Controller Security
>> Policy.
>> You could do such by either putting the hard drive of the domain
>> controller
>> into another computer to access it, use a parallel installation of the
>> operating system, or best option would be to try and access the sysvol
>> share
>> remotely. You could do such by logging onto a non domain computer to try
>> such either with a user account that has the same credentials as a domain
>> administrator or entering domain administrator credentials when you try
>> to
>> access the sysvol share. This assumes that the user right for access this
>> computer from the network user right is still granted for the domain
>> administrator account. Always be very careful with deny user rights as
>> they
>> override allow user rights and administrators are members of the users
>> and
>> everyone groups. --- Steve
>>
>> http://support.microsoft.com/kb/267553/
>>
>> "Ackztoul" <Ackztoul@discussions.microsoft.com> wrote in message
>> news:C2B5A731-F0CE-4EBC-8350-742E8D87D053@microsoft.com...
>> > Fortunately this is in a lab setting but I still am in need of dire
>> > help.
>> > I was changing policies and wasn't paying too close attention and I
>> > must
>> > have changed the policy for logging in locally because no PC can log in
>> > to
>> > the domain, and I can't get into the DC (even with the Admin account).
>> > How
>> > can I get into the PC to change this policy setting? I am getting the
>> > message
>> > "The local policy of this system does not allow you to logon
>> > interactively"
>> > from any PC on the domain. The only way for other workstations or
>> > member
>> > servers (2) to log in is locally.
>> > Please help, I do not want to rebuild this DC! I have a lot of time and
>> > work
>> > into this. I made a stupid mistake and am now paying for it.
>> >
>> > Thanks,
>> >
>> >
>>
>>
>>
