Can't logon to windows2000

Archived from groups: microsoft.public.win2000.security (More info?)

I use my PC locally only so last night I was trying to
bypass the Windows logon screen. I thought I had made the
proper adjustments within "Local Security Policy"
and "Users & Passwords" to allow for a straight boot up
without the popup Windows logon box.

This morning, when I booted up my PC, the Windows logon
box still comes up so i went ahead and hit "OK" like i had
always dine previously using Administrator as my ID. Then
I got a popup message stating "The local policy of this
system does not permit you to logon interactively."

I hit OK and the above message keeps coming up. How can I
go back and reset the logon settings the way they were?

TY JWC062404
10 answers Last reply
More about logon windows2000
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    See the tips in the link below. If you do not have a another computer on the network
    you are going to need to try and replace the secedit.sdb file on your computer some
    other way such as by putting your hard drive in another computer as a slave/secondary
    drive or doing a parallel install of the operating system [best done into another
    partition] in order to do the repair being very careful NOT to install over your
    existing installation and do NOT format your drive, which you can delete when you are
    done. Specifically what happened is either you removed groups from the logon
    locally user right or added a group to the deny logon locally user right [more
    likely]. --- Steve

    http://www.jsiinc.com/SUBG/TIP3300/rh3361.htm
    http://support.microsoft.com/default.aspx?scid=kb;en-us;266465

    "JWC062604" <anonymous@discussions.microsoft.com> wrote in message
    news:21dd501c45ba2$07056480$a401280a@phx.gbl...
    > I use my PC locally only so last night I was trying to
    > bypass the Windows logon screen. I thought I had made the
    > proper adjustments within "Local Security Policy"
    > and "Users & Passwords" to allow for a straight boot up
    > without the popup Windows logon box.
    >
    > This morning, when I booted up my PC, the Windows logon
    > box still comes up so i went ahead and hit "OK" like i had
    > always dine previously using Administrator as my ID. Then
    > I got a popup message stating "The local policy of this
    > system does not permit you to logon interactively."
    >
    > I hit OK and the above message keeps coming up. How can I
    > go back and reset the logon settings the way they were?
    >
    > TY JWC062404
    >
    >
    >
    >
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    Steve:

    Man, I'm not EVEN going to try that one by myself. I'm
    going to take my PC to a professional to do it. Thank you
    very much for the advice. I will print it out and look for
    a pro to perform these tasks.

    JWC

    >-----Original Message-----
    >See the tips in the link below. If you do not have a
    another computer on the network
    >you are going to need to try and replace the secedit.sdb
    file on your computer some
    >other way such as by putting your hard drive in another
    computer as a slave/secondary
    >drive or doing a parallel install of the operating system
    [best done into another
    >partition] in order to do the repair being very careful
    NOT to install over your
    >existing installation and do NOT format your drive, which
    you can delete when you are
    >done. Specifically what happened is either you removed
    groups from the logon
    >locally user right or added a group to the deny logon
    locally user right [more
    >likely]. --- Steve
    >
    >http://www.jsiinc.com/SUBG/TIP3300/rh3361.htm
    >http://support.microsoft.com/default.aspx?scid=kb;en-
    us;266465
    >
    >"JWC062604" <anonymous@discussions.microsoft.com> wrote
    in message
    >news:21dd501c45ba2$07056480$a401280a@phx.gbl...
    >> I use my PC locally only so last night I was trying to
    >> bypass the Windows logon screen. I thought I had made
    the
    >> proper adjustments within "Local Security Policy"
    >> and "Users & Passwords" to allow for a straight boot up
    >> without the popup Windows logon box.
    >>
    >> This morning, when I booted up my PC, the Windows logon
    >> box still comes up so i went ahead and hit "OK" like i
    had
    >> always dine previously using Administrator as my ID.
    Then
    >> I got a popup message stating "The local policy of this
    >> system does not permit you to logon interactively."
    >>
    >> I hit OK and the above message keeps coming up. How can
    I
    >> go back and reset the logon settings the way they were?
    >>
    >> TY JWC062404
    >>
    >>
    >>
    >>
    >
    >
    >.
    >
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    Steve:

    I actually do have another PC on my (2 PC) network. This
    is how I am communicating now. My purpose for the network
    was so both PC's could share the cable modem to the net.
    That's the only reason that I have the network.

    Are there other instructions possible with a PC on the
    network? Or how might a professional repair this problem?
    I would take the machine to a firm that only dealt with
    larger, corporate clients.

    Please respond.
    JWC062604

    >-----Original Message-----
    >See the tips in the link below. If you do not have a
    another computer on the network
    >you are going to need to try and replace the secedit.sdb
    file on your computer some
    >other way such as by putting your hard drive in another
    computer as a slave/secondary
    >drive or doing a parallel install of the operating system
    [best done into another
    >partition] in order to do the repair being very careful
    NOT to install over your
    >existing installation and do NOT format your drive, which
    you can delete when you are
    >done. Specifically what happened is either you removed
    groups from the logon
    >locally user right or added a group to the deny logon
    locally user right [more
    >likely]. --- Steve
    >
    >http://www.jsiinc.com/SUBG/TIP3300/rh3361.htm
    >http://support.microsoft.com/default.aspx?scid=kb;en-
    us;266465
    >
    >"JWC062604" <anonymous@discussions.microsoft.com> wrote
    in message
    >news:21dd501c45ba2$07056480$a401280a@phx.gbl...
    >> I use my PC locally only so last night I was trying to
    >> bypass the Windows logon screen. I thought I had made
    the
    >> proper adjustments within "Local Security Policy"
    >> and "Users & Passwords" to allow for a straight boot up
    >> without the popup Windows logon box.
    >>
    >> This morning, when I booted up my PC, the Windows logon
    >> box still comes up so i went ahead and hit "OK" like i
    had
    >> always dine previously using Administrator as my ID.
    Then
    >> I got a popup message stating "The local policy of this
    >> system does not permit you to logon interactively."
    >>
    >> I hit OK and the above message keeps coming up. How can
    I
    >> go back and reset the logon settings the way they were?
    >>
    >> TY JWC062404
    >>
    >>
    >>
    >>
    >
    >
    >.
    >
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    The link I showed shows exactly how to do that. Here are the basic steps.
    Substitute your actual computer name for the locked out computer where I
    show "computername". If you don't know the computers actual name, you should
    see it in My Network Places on the good computer. Hopefully your working
    computer is a Windows 2000 Pro computer or this will not work and stop after
    verifiyng or not that you can access the C$ folder on the locked out
    computer as described in the second sentence below. If you can at least
    access the c$ folder there may be another option but I need to know the
    operating system of your good computer. If you can not access the c$ drive
    you will need to try to take it to someone who can slave the drive in
    another computer running Windows 2000 or XP to try and repair it or
    reinstall the operating system which can be done without destroying your
    data but will require that you reinstall all of your applications, service
    pack, and critical updates. Note that if you have any EFS encrypted files,
    that a reinstall that is not an "upgrade" install will prevent you from ever
    accessing them again unless you backed up your EFS privaye keys.

    http://www.jsiinc.com/SUBG/TIP3300/rh3361.htm

    First logon to your other computer with a logon name and password that
    exists on the locked out computer that is an administrator on that computer.
    Create the account on your "good" computer if need be.

    In the run box type \\computername\c$ and then enter. If it brings up the
    administrative share on the other computer which should show the whole drive
    you are in. I am assumming c drive is where your operating system is at and
    if it is not use the correct drive letter.

    Go to the \winnt\security\database folder. First open the winnt folder and
    then the others in the order shown. Folders are in alphabetical order within
    a folder.This is called the "path". You should see a file called secedit.sdb
    in the window to the right. Right click that file and select rename. Rename
    it seceditold.sdm and hit enter.

    Minimize the Explorer Window by selecting the minimize icon in the top right
    hand corner. Now on your "good" computer go to the same folder path and find
    the copy of secedit.sdb on it. Right click that file and select copy. Now
    maximize the Explorer Window on your locked out computer and put your
    pointer in the window to the right where you now have a file called
    seceditold.sdb. Right click your mouse and select paste and you should now
    see a copy of secedit.sdb from the other computer that you just copied.
    Close your Explorer Windows and reboot the locked out computer to see if it
    helps and let me know. --- Steve

    "JWC062604" <anonymous@discussions.microsoft.com> wrote in message
    news:2212e01c45bc1$8bc86b80$a001280a@phx.gbl...
    > Steve:
    >
    > I actually do have another PC on my (2 PC) network. This
    > is how I am communicating now. My purpose for the network
    > was so both PC's could share the cable modem to the net.
    > That's the only reason that I have the network.
    >
    > Are there other instructions possible with a PC on the
    > network? Or how might a professional repair this problem?
    > I would take the machine to a firm that only dealt with
    > larger, corporate clients.
    >
    > Please respond.
    > JWC062604
    >
    > >-----Original Message-----
    > >See the tips in the link below. If you do not have a
    > another computer on the network
    > >you are going to need to try and replace the secedit.sdb
    > file on your computer some
    > >other way such as by putting your hard drive in another
    > computer as a slave/secondary
    > >drive or doing a parallel install of the operating system
    > [best done into another
    > >partition] in order to do the repair being very careful
    > NOT to install over your
    > >existing installation and do NOT format your drive, which
    > you can delete when you are
    > >done. Specifically what happened is either you removed
    > groups from the logon
    > >locally user right or added a group to the deny logon
    > locally user right [more
    > >likely]. --- Steve
    > >
    > >http://www.jsiinc.com/SUBG/TIP3300/rh3361.htm
    > >http://support.microsoft.com/default.aspx?scid=kb;en-
    > us;266465
    > >
    > >"JWC062604" <anonymous@discussions.microsoft.com> wrote
    > in message
    > >news:21dd501c45ba2$07056480$a401280a@phx.gbl...
    > >> I use my PC locally only so last night I was trying to
    > >> bypass the Windows logon screen. I thought I had made
    > the
    > >> proper adjustments within "Local Security Policy"
    > >> and "Users & Passwords" to allow for a straight boot up
    > >> without the popup Windows logon box.
    > >>
    > >> This morning, when I booted up my PC, the Windows logon
    > >> box still comes up so i went ahead and hit "OK" like i
    > had
    > >> always dine previously using Administrator as my ID.
    > Then
    > >> I got a popup message stating "The local policy of this
    > >> system does not permit you to logon interactively."
    > >>
    > >> I hit OK and the above message keeps coming up. How can
    > I
    > >> go back and reset the logon settings the way they were?
    > >>
    > >> TY JWC062404
    > >>
    > >>
    > >>
    > >>
    > >
    > >
    > >.
    > >
  5. Archived from groups: microsoft.public.win2000.security (More info?)

    Thanks, Steve. You've been a life saver.

    JWC062604

    >-----Original Message-----
    >The link I showed shows exactly how to do that. Here are
    the basic steps.
    >Substitute your actual computer name for the locked out
    computer where I
    >show "computername". If you don't know the computers
    actual name, you should
    >see it in My Network Places on the good computer.
    Hopefully your working
    >computer is a Windows 2000 Pro computer or this will not
    work and stop after
    >verifiyng or not that you can access the C$ folder on the
    locked out
    >computer as described in the second sentence below. If
    you can at least
    >access the c$ folder there may be another option but I
    need to know the
    >operating system of your good computer. If you can not
    access the c$ drive
    >you will need to try to take it to someone who can slave
    the drive in
    >another computer running Windows 2000 or XP to try and
    repair it or
    >reinstall the operating system which can be done without
    destroying your
    >data but will require that you reinstall all of your
    applications, service
    >pack, and critical updates. Note that if you have any EFS
    encrypted files,
    >that a reinstall that is not an "upgrade" install will
    prevent you from ever
    >accessing them again unless you backed up your EFS
    privaye keys.
    >
    >http://www.jsiinc.com/SUBG/TIP3300/rh3361.htm
    >
    >First logon to your other computer with a logon name and
    password that
    >exists on the locked out computer that is an
    administrator on that computer.
    >Create the account on your "good" computer if need be.
    >
    >In the run box type \\computername\c$ and then enter. If
    it brings up the
    >administrative share on the other computer which should
    show the whole drive
    >you are in. I am assumming c drive is where your
    operating system is at and
    >if it is not use the correct drive letter.
    >
    >Go to the \winnt\security\database folder. First open the
    winnt folder and
    >then the others in the order shown. Folders are in
    alphabetical order within
    >a folder.This is called the "path". You should see a file
    called secedit.sdb
    >in the window to the right. Right click that file and
    select rename. Rename
    >it seceditold.sdm and hit enter.
    >
    >Minimize the Explorer Window by selecting the minimize
    icon in the top right
    >hand corner. Now on your "good" computer go to the same
    folder path and find
    >the copy of secedit.sdb on it. Right click that file and
    select copy. Now
    >maximize the Explorer Window on your locked out computer
    and put your
    >pointer in the window to the right where you now have a
    file called
    >seceditold.sdb. Right click your mouse and select paste
    and you should now
    >see a copy of secedit.sdb from the other computer that
    you just copied.
    >Close your Explorer Windows and reboot the locked out
    computer to see if it
    >helps and let me know. --- Steve
    >
    >"JWC062604" <anonymous@discussions.microsoft.com> wrote
    in message
    >news:2212e01c45bc1$8bc86b80$a001280a@phx.gbl...
    >> Steve:
    >>
    >> I actually do have another PC on my (2 PC) network. This
    >> is how I am communicating now. My purpose for the
    network
    >> was so both PC's could share the cable modem to the net.
    >> That's the only reason that I have the network.
    >>
    >> Are there other instructions possible with a PC on the
    >> network? Or how might a professional repair this
    problem?
    >> I would take the machine to a firm that only dealt with
    >> larger, corporate clients.
    >>
    >> Please respond.
    >> JWC062604
    >>
    >> >-----Original Message-----
    >> >See the tips in the link below. If you do not have a
    >> another computer on the network
    >> >you are going to need to try and replace the
    secedit.sdb
    >> file on your computer some
    >> >other way such as by putting your hard drive in another
    >> computer as a slave/secondary
    >> >drive or doing a parallel install of the operating
    system
    >> [best done into another
    >> >partition] in order to do the repair being very careful
    >> NOT to install over your
    >> >existing installation and do NOT format your drive,
    which
    >> you can delete when you are
    >> >done. Specifically what happened is either you removed
    >> groups from the logon
    >> >locally user right or added a group to the deny logon
    >> locally user right [more
    >> >likely]. --- Steve
    >> >
    >> >http://www.jsiinc.com/SUBG/TIP3300/rh3361.htm
    >> >http://support.microsoft.com/default.aspx?scid=kb;en-
    >> us;266465
    >> >
    >> >"JWC062604" <anonymous@discussions.microsoft.com> wrote
    >> in message
    >> >news:21dd501c45ba2$07056480$a401280a@phx.gbl...
    >> >> I use my PC locally only so last night I was trying
    to
    >> >> bypass the Windows logon screen. I thought I had made
    >> the
    >> >> proper adjustments within "Local Security Policy"
    >> >> and "Users & Passwords" to allow for a straight boot
    up
    >> >> without the popup Windows logon box.
    >> >>
    >> >> This morning, when I booted up my PC, the Windows
    logon
    >> >> box still comes up so i went ahead and hit "OK" like
    i
    >> had
    >> >> always dine previously using Administrator as my ID.
    >> Then
    >> >> I got a popup message stating "The local policy of
    this
    >> >> system does not permit you to logon interactively."
    >> >>
    >> >> I hit OK and the above message keeps coming up. How
    can
    >> I
    >> >> go back and reset the logon settings the way they
    were?
    >> >>
    >> >> TY JWC062404
    >> >>
    >> >>
    >> >>
    >> >>
    >> >
    >> >
    >> >.
    >> >
    >
    >
    >.
    >
  6. Archived from groups: microsoft.public.win2000.security (More info?)

    Did you find an answer to your problem? I am having the
    same problem. Please let me know if you found a way to
    resolve this. Thanks.
    >-----Original Message-----
    >I use my PC locally only so last night I was trying to
    >bypass the Windows logon screen. I thought I had made the
    >proper adjustments within "Local Security Policy"
    >and "Users & Passwords" to allow for a straight boot up
    >without the popup Windows logon box.
    >
    >This morning, when I booted up my PC, the Windows logon
    >box still comes up so i went ahead and hit "OK" like i
    had
    >always dine previously using Administrator as my ID. Then
    >I got a popup message stating "The local policy of this
    >system does not permit you to logon interactively."
    >
    >I hit OK and the above message keeps coming up. How can I
    >go back and reset the logon settings the way they were?
    >
    >TY JWC062404
    >
    >
    >
    >
    >.
    >
  7. Archived from groups: microsoft.public.win2000.security (More info?)

    Steve:

    It did not work.

    I was able to access my "locked" PC's C Drive by using
    the "\\computername\c$".

    Important points I want feedback on:

    1) My working PC originally ran on Win 98 and was upgraded
    to Win 2000. It was not a clean install. I was an upgrade.
    Also my 2nd PC runs on a PII 233. My locked PC is a 800mh
    celeron.

    2) What if I added a 3rd PC running on a clean install of
    Win2000 to my network and added it to my workgroup. Then I
    could copy it's "secedit.sdb" to it. Would that help?

    3) When I copy/pasted the "secedit.sdb" to the locked PC,
    I did not delete the now name changed "seceditold.sdb". I
    pasted my 2nd PC's copied secedit.sdb next to it in the
    database folder. So, in the end, the database folder on my
    locked PC had the new/copied "secedit.sdb" file and the
    name changed "seceditold.sdb" file still for the fix it
    boot up. (Did that cause a problem?)

    4) I noticed on JSI FAQ #3361 that it says to rename
    the "secedit.sdb" file to "secedit.old_sdb". That is
    different from your suggestion. You said to rename the
    file "seceditold.sdb". Does that make a difference?

    5) Looking at JSI FAQ #3361 that it says the cause
    was "Local Security Policy has been set to deny logon
    right to everyone." I do not recall "setting a deny" at
    all. I did delete some "user groups" that I didn't think I
    needed. My guess is that the problem is a missing group
    not a deny to everyone. I recall setting a lot of the
    security settings to allow for everyone. i do not recall
    one time where I set security to deny everyone.

    6) Over my many attempts to boot up the locked PC, I tried
    Safe Mode. I watched the as the black screen scrolled
    through all of the driver names. Eventually the scrolling
    ends and the PC sits for quite a while. Could it be stuck
    trying to load a bad driver? Can I try the "return to the
    last good configuration" route?

    Once I was able to move throughout my locked PC's file
    structure using "\\computername\c$", I feel pretty
    optimistic that this can now be fixed throught the network
    somehow.

    At very worst, I can at least copy everything off of the
    PC to a 3rd PC and save it there or burn a CD.
    Unfortunately, my existing 2nd PC has only a 4 gig
    harddrive so it won't work. It is far too small. Plus it
    only had about 225 meg left. It is far too small to
    attempt a move.

    I assume it would be possible to add a third (& larger HD)
    PC to my 4 port router and move the files there. At least
    I now access to my Outlook email contact files and
    email .pst files with info I badly need.

    Also, I had copied installation CD's directly to my locked
    PC's HD for save keeping in case something happened to the
    CD's themselves. At least now I can move these files to a
    3rd PC.


    >-----Original Message-----
    >Thanks, Steve. You've been a life saver.
    >
    >JWC062604
    >
    >>-----Original Message-----
    >>The link I showed shows exactly how to do that. Here are
    >the basic steps.
    >>Substitute your actual computer name for the locked out
    >computer where I
    >>show "computername". If you don't know the computers
    >actual name, you should
    >>see it in My Network Places on the good computer.
    >Hopefully your working
    >>computer is a Windows 2000 Pro computer or this will not
    >work and stop after
    >>verifiyng or not that you can access the C$ folder on
    the
    >locked out
    >>computer as described in the second sentence below. If
    >you can at least
    >>access the c$ folder there may be another option but I
    >need to know the
    >>operating system of your good computer. If you can not
    >access the c$ drive
    >>you will need to try to take it to someone who can slave
    >the drive in
    >>another computer running Windows 2000 or XP to try and
    >repair it or
    >>reinstall the operating system which can be done without
    >destroying your
    >>data but will require that you reinstall all of your
    >applications, service
    >>pack, and critical updates. Note that if you have any
    EFS
    >encrypted files,
    >>that a reinstall that is not an "upgrade" install will
    >prevent you from ever
    >>accessing them again unless you backed up your EFS
    >privaye keys.
    >>
    >>http://www.jsiinc.com/SUBG/TIP3300/rh3361.htm
    >>
    >>First logon to your other computer with a logon name and
    >password that
    >>exists on the locked out computer that is an
    >administrator on that computer.
    >>Create the account on your "good" computer if need be.
    >>
    >>In the run box type \\computername\c$ and then enter. If
    >it brings up the
    >>administrative share on the other computer which should
    >show the whole drive
    >>you are in. I am assumming c drive is where your
    >operating system is at and
    >>if it is not use the correct drive letter.
    >>
    >>Go to the \winnt\security\database folder. First open
    the
    >winnt folder and
    >>then the others in the order shown. Folders are in
    >alphabetical order within
    >>a folder.This is called the "path". You should see a
    file
    >called secedit.sdb
    >>in the window to the right. Right click that file and
    >select rename. Rename
    >>it seceditold.sdm and hit enter.
    >>
    >>Minimize the Explorer Window by selecting the minimize
    >icon in the top right
    >>hand corner. Now on your "good" computer go to the same
    >folder path and find
    >>the copy of secedit.sdb on it. Right click that file and
    >select copy. Now
    >>maximize the Explorer Window on your locked out computer
    >and put your
    >>pointer in the window to the right where you now have a
    >file called
    >>seceditold.sdb. Right click your mouse and select paste
    >and you should now
    >>see a copy of secedit.sdb from the other computer that
    >you just copied.
    >>Close your Explorer Windows and reboot the locked out
    >computer to see if it
    >>helps and let me know. --- Steve
    >>
    >>"JWC062604" <anonymous@discussions.microsoft.com> wrote
    >in message
    >>news:2212e01c45bc1$8bc86b80$a001280a@phx.gbl...
    >>> Steve:
    >>>
    >>> I actually do have another PC on my (2 PC) network.
    This
    >>> is how I am communicating now. My purpose for the
    >network
    >>> was so both PC's could share the cable modem to the
    net.
    >>> That's the only reason that I have the network.
    >>>
    >>> Are there other instructions possible with a PC on the
    >>> network? Or how might a professional repair this
    >problem?
    >>> I would take the machine to a firm that only dealt with
    >>> larger, corporate clients.
    >>>
    >>> Please respond.
    >>> JWC062604
    >>>
    >>> >-----Original Message-----
    >>> >See the tips in the link below. If you do not have a
    >>> another computer on the network
    >>> >you are going to need to try and replace the
    >secedit.sdb
    >>> file on your computer some
    >>> >other way such as by putting your hard drive in
    another
    >>> computer as a slave/secondary
    >>> >drive or doing a parallel install of the operating
    >system
    >>> [best done into another
    >>> >partition] in order to do the repair being very
    careful
    >>> NOT to install over your
    >>> >existing installation and do NOT format your drive,
    >which
    >>> you can delete when you are
    >>> >done. Specifically what happened is either you
    removed
    >>> groups from the logon
    >>> >locally user right or added a group to the deny logon
    >>> locally user right [more
    >>> >likely]. --- Steve
    >>> >
    >>> >http://www.jsiinc.com/SUBG/TIP3300/rh3361.htm
    >>> >http://support.microsoft.com/default.aspx?scid=kb;en-
    >>> us;266465
    >>> >
    >>> >"JWC062604" <anonymous@discussions.microsoft.com>
    wrote
    >>> in message
    >>> >news:21dd501c45ba2$07056480$a401280a@phx.gbl...
    >>> >> I use my PC locally only so last night I was trying
    >to
    >>> >> bypass the Windows logon screen. I thought I had
    made
    >>> the
    >>> >> proper adjustments within "Local Security Policy"
    >>> >> and "Users & Passwords" to allow for a straight
    boot
    >up
    >>> >> without the popup Windows logon box.
    >>> >>
    >>> >> This morning, when I booted up my PC, the Windows
    >logon
    >>> >> box still comes up so i went ahead and hit "OK"
    like
    >i
    >>> had
    >>> >> always dine previously using Administrator as my ID.
    >>> Then
    >>> >> I got a popup message stating "The local policy of
    >this
    >>> >> system does not permit you to logon interactively."
    >>> >>
    >>> >> I hit OK and the above message keeps coming up. How
    >can
    >>> I
    >>> >> go back and reset the logon settings the way they
    >were?
    >>> >>
    >>> >> TY JWC062404
    >>> >>
    >>> >>
    >>> >>
    >>> >>
    >>> >
    >>> >
    >>> >.
    >>> >
    >>
    >>
    >>.
    >>
    >.
    >
  8. Archived from groups: microsoft.public.win2000.security (More info?)

    Hmm. There is no guarantee that method will work all the time. I don't
    believe it will make any difference about renaming the old file. Try
    removing the old file to another folder and leaving the new secedit.sdb file
    alone in that folder. It is always best practice to rename a critical file
    in case something goes really bad or you need it later for configuration
    purposes. Let's go to plan B.

    First go to http://www.petri.co.il/download_free_reskit_tools.htm
    and download Ntrights and unzip it and copy it to your \winnt\system32
    folder on your good computer. Read the link below on ntrights to remove deny
    logon rights as an example of how it is used.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;276590

    Enter this command on your good computer [substituting real computer name]
    while logged on as an administrator on the locked out computer to give users
    group the right to logon interactively.

    ntrights -m \\computername -u users +r SeInteractiveLogonRight . Type or
    copy it exactly as shown as the right is case sensitive.

    I noticed that Petri link to ntrights is currently down. You can also get
    ntrights from a package of tools in the link below. You will probably have
    to install all of them and then just move ntrights to your \winnt\system32
    folder. Delete the rest of them as they are for W2003 Server but hopefully
    ntrights will work.

    http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-
    96ee-b18c4790cffd&displaylang=en
    http://tinyurl.com/a32f -- same link as above in case of wrap

    Plan C. ******

    Go to SysInternals and download Psexec, unzip it and download it into your
    \winnsystem32 folder.

    http://www.sysinternals.com/ntw2k/freeware/psexec.shtml

    Enter the command psexec \\computername cmd.exe [again using real
    computername]

    You should see a command prompt on your screen for the locked out computer.
    If you do, then enter the command using secedit in the KB link below and
    append /areas user_rights after it [as shown under link] and hit enter. You
    can copy and paste the command and then add /areas user_rights after it. If
    you goof up and it executes without the /areas user_rights, don't worry
    about it. It will just take a lot longer and maybe change some security
    policy settings you modified from default if any.

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;313222

    secedit /configure /cfg %windir%\repair\secsetup.inf /db
    secsetup.sdb /verbose /areas user_rights

    Hoefully one of the two methods will help. --- Steve
    ..
    "JWC062604" <anonymous@discussions.microsoft.com> wrote in message
    news:2250d01c45ca2$3e7a8250$a001280a@phx.gbl...
    > Steve:
    >
    > It did not work.
    >
    > I was able to access my "locked" PC's C Drive by using
    > the "\\computername\c$".
    >
    > Important points I want feedback on:
    >
    > 1) My working PC originally ran on Win 98 and was upgraded
    > to Win 2000. It was not a clean install. I was an upgrade.
    > Also my 2nd PC runs on a PII 233. My locked PC is a 800mh
    > celeron.
    >
    > 2) What if I added a 3rd PC running on a clean install of
    > Win2000 to my network and added it to my workgroup. Then I
    > could copy it's "secedit.sdb" to it. Would that help?
    >
    > 3) When I copy/pasted the "secedit.sdb" to the locked PC,
    > I did not delete the now name changed "seceditold.sdb". I
    > pasted my 2nd PC's copied secedit.sdb next to it in the
    > database folder. So, in the end, the database folder on my
    > locked PC had the new/copied "secedit.sdb" file and the
    > name changed "seceditold.sdb" file still for the fix it
    > boot up. (Did that cause a problem?)
    >
    > 4) I noticed on JSI FAQ #3361 that it says to rename
    > the "secedit.sdb" file to "secedit.old_sdb". That is
    > different from your suggestion. You said to rename the
    > file "seceditold.sdb". Does that make a difference?
    >
    > 5) Looking at JSI FAQ #3361 that it says the cause
    > was "Local Security Policy has been set to deny logon
    > right to everyone." I do not recall "setting a deny" at
    > all. I did delete some "user groups" that I didn't think I
    > needed. My guess is that the problem is a missing group
    > not a deny to everyone. I recall setting a lot of the
    > security settings to allow for everyone. i do not recall
    > one time where I set security to deny everyone.
    >
    > 6) Over my many attempts to boot up the locked PC, I tried
    > Safe Mode. I watched the as the black screen scrolled
    > through all of the driver names. Eventually the scrolling
    > ends and the PC sits for quite a while. Could it be stuck
    > trying to load a bad driver? Can I try the "return to the
    > last good configuration" route?
    >
    > Once I was able to move throughout my locked PC's file
    > structure using "\\computername\c$", I feel pretty
    > optimistic that this can now be fixed throught the network
    > somehow.
    >
    > At very worst, I can at least copy everything off of the
    > PC to a 3rd PC and save it there or burn a CD.
    > Unfortunately, my existing 2nd PC has only a 4 gig
    > harddrive so it won't work. It is far too small. Plus it
    > only had about 225 meg left. It is far too small to
    > attempt a move.
    >
    > I assume it would be possible to add a third (& larger HD)
    > PC to my 4 port router and move the files there. At least
    > I now access to my Outlook email contact files and
    > email .pst files with info I badly need.
    >
    > Also, I had copied installation CD's directly to my locked
    > PC's HD for save keeping in case something happened to the
    > CD's themselves. At least now I can move these files to a
    > 3rd PC.
    >
    >
    > >-----Original Message-----
    > >Thanks, Steve. You've been a life saver.
    > >
    > >JWC062604
    > >
    > >>-----Original Message-----
    > >>The link I showed shows exactly how to do that. Here are
    > >the basic steps.
    > >>Substitute your actual computer name for the locked out
    > >computer where I
    > >>show "computername". If you don't know the computers
    > >actual name, you should
    > >>see it in My Network Places on the good computer.
    > >Hopefully your working
    > >>computer is a Windows 2000 Pro computer or this will not
    > >work and stop after
    > >>verifiyng or not that you can access the C$ folder on
    > the
    > >locked out
    > >>computer as described in the second sentence below. If
    > >you can at least
    > >>access the c$ folder there may be another option but I
    > >need to know the
    > >>operating system of your good computer. If you can not
    > >access the c$ drive
    > >>you will need to try to take it to someone who can slave
    > >the drive in
    > >>another computer running Windows 2000 or XP to try and
    > >repair it or
    > >>reinstall the operating system which can be done without
    > >destroying your
    > >>data but will require that you reinstall all of your
    > >applications, service
    > >>pack, and critical updates. Note that if you have any
    > EFS
    > >encrypted files,
    > >>that a reinstall that is not an "upgrade" install will
    > >prevent you from ever
    > >>accessing them again unless you backed up your EFS
    > >privaye keys.
    > >>
    > >>http://www.jsiinc.com/SUBG/TIP3300/rh3361.htm
    > >>
    > >>First logon to your other computer with a logon name and
    > >password that
    > >>exists on the locked out computer that is an
    > >administrator on that computer.
    > >>Create the account on your "good" computer if need be.
    > >>
    > >>In the run box type \\computername\c$ and then enter. If
    > >it brings up the
    > >>administrative share on the other computer which should
    > >show the whole drive
    > >>you are in. I am assumming c drive is where your
    > >operating system is at and
    > >>if it is not use the correct drive letter.
    > >>
    > >>Go to the \winnt\security\database folder. First open
    > the
    > >winnt folder and
    > >>then the others in the order shown. Folders are in
    > >alphabetical order within
    > >>a folder.This is called the "path". You should see a
    > file
    > >called secedit.sdb
    > >>in the window to the right. Right click that file and
    > >select rename. Rename
    > >>it seceditold.sdm and hit enter.
    > >>
    > >>Minimize the Explorer Window by selecting the minimize
    > >icon in the top right
    > >>hand corner. Now on your "good" computer go to the same
    > >folder path and find
    > >>the copy of secedit.sdb on it. Right click that file and
    > >select copy. Now
    > >>maximize the Explorer Window on your locked out computer
    > >and put your
    > >>pointer in the window to the right where you now have a
    > >file called
    > >>seceditold.sdb. Right click your mouse and select paste
    > >and you should now
    > >>see a copy of secedit.sdb from the other computer that
    > >you just copied.
    > >>Close your Explorer Windows and reboot the locked out
    > >computer to see if it
    > >>helps and let me know. --- Steve
    > >>
    > >>"JWC062604" <anonymous@discussions.microsoft.com> wrote
    > >in message
    > >>news:2212e01c45bc1$8bc86b80$a001280a@phx.gbl...
    > >>> Steve:
    > >>>
    > >>> I actually do have another PC on my (2 PC) network.
    > This
    > >>> is how I am communicating now. My purpose for the
    > >network
    > >>> was so both PC's could share the cable modem to the
    > net.
    > >>> That's the only reason that I have the network.
    > >>>
    > >>> Are there other instructions possible with a PC on the
    > >>> network? Or how might a professional repair this
    > >problem?
    > >>> I would take the machine to a firm that only dealt with
    > >>> larger, corporate clients.
    > >>>
    > >>> Please respond.
    > >>> JWC062604
    > >>>
    > >>> >-----Original Message-----
    > >>> >See the tips in the link below. If you do not have a
    > >>> another computer on the network
    > >>> >you are going to need to try and replace the
    > >secedit.sdb
    > >>> file on your computer some
    > >>> >other way such as by putting your hard drive in
    > another
    > >>> computer as a slave/secondary
    > >>> >drive or doing a parallel install of the operating
    > >system
    > >>> [best done into another
    > >>> >partition] in order to do the repair being very
    > careful
    > >>> NOT to install over your
    > >>> >existing installation and do NOT format your drive,
    > >which
    > >>> you can delete when you are
    > >>> >done. Specifically what happened is either you
    > removed
    > >>> groups from the logon
    > >>> >locally user right or added a group to the deny logon
    > >>> locally user right [more
    > >>> >likely]. --- Steve
    > >>> >
    > >>> >http://www.jsiinc.com/SUBG/TIP3300/rh3361.htm
    > >>> >http://support.microsoft.com/default.aspx?scid=kb;en-
    > >>> us;266465
    > >>> >
    > >>> >"JWC062604" <anonymous@discussions.microsoft.com>
    > wrote
    > >>> in message
    > >>> >news:21dd501c45ba2$07056480$a401280a@phx.gbl...
    > >>> >> I use my PC locally only so last night I was trying
    > >to
    > >>> >> bypass the Windows logon screen. I thought I had
    > made
    > >>> the
    > >>> >> proper adjustments within "Local Security Policy"
    > >>> >> and "Users & Passwords" to allow for a straight
    > boot
    > >up
    > >>> >> without the popup Windows logon box.
    > >>> >>
    > >>> >> This morning, when I booted up my PC, the Windows
    > >logon
    > >>> >> box still comes up so i went ahead and hit "OK"
    > like
    > >i
    > >>> had
    > >>> >> always dine previously using Administrator as my ID.
    > >>> Then
    > >>> >> I got a popup message stating "The local policy of
    > >this
    > >>> >> system does not permit you to logon interactively."
    > >>> >>
    > >>> >> I hit OK and the above message keeps coming up. How
    > >can
    > >>> I
    > >>> >> go back and reset the logon settings the way they
    > >were?
    > >>> >>
    > >>> >> TY JWC062404
    > >>> >>
    > >>> >>
    > >>> >>
    > >>> >>
    > >>> >
    > >>> >
    > >>> >.
    > >>> >
    > >>
    > >>
    > >>.
    > >>
    > >.
    > >
  9. Archived from groups: microsoft.public.win2000.security (More info?)

    Steve:

    One other thing. My 2nd PC doesn't show a WINNT folder. It
    shows a WINDOWS folder, instead. (IS that a hold over from
    Win 98 before the WIN2000 upgrade?) The WINDOWS folder
    shows security and database and the file secedit.sdb
    though.

    How big is the NTRights? My 2nd PC only has about 225 meg
    left of its 4 gig HD.

    Thanks, JWC

    >-----Original Message-----
    >Hmm. There is no guarantee that method will work all the
    time. I don't
    >believe it will make any difference about renaming the
    old file. Try
    >removing the old file to another folder and leaving the
    new secedit.sdb file
    >alone in that folder. It is always best practice to
    rename a critical file
    >in case something goes really bad or you need it later
    for configuration
    >purposes. Let's go to plan B.
    >
    >First go to
    http://www.petri.co.il/download_free_reskit_tools.htm
    >and download Ntrights and unzip it and copy it to your
    \winnt\system32
    >folder on your good computer. Read the link below on
    ntrights to remove deny
    >logon rights as an example of how it is used.
    >
    >http://support.microsoft.com/default.aspx?scid=kb;en-
    us;276590
    >
    >Enter this command on your good computer [substituting
    real computer name]
    >while logged on as an administrator on the locked out
    computer to give users
    >group the right to logon interactively.
    >
    >ntrights -m \\computername -u users +r
    SeInteractiveLogonRight . Type or
    >copy it exactly as shown as the right is case sensitive.
    >
    >I noticed that Petri link to ntrights is currently down.
    You can also get
    >ntrights from a package of tools in the link below. You
    will probably have
    >to install all of them and then just move ntrights to
    your \winnt\system32
    >folder. Delete the rest of them as they are for W2003
    Server but hopefully
    >ntrights will work.
    >
    >http://www.microsoft.com/downloads/details.aspx?
    FamilyID=9d467a69-57ff-4ae7-
    >96ee-b18c4790cffd&displaylang=en
    >http://tinyurl.com/a32f -- same link as above in case of
    wrap
    >
    >Plan C. ******
    >
    >Go to SysInternals and download Psexec, unzip it and
    download it into your
    >\winnsystem32 folder.
    >
    >http://www.sysinternals.com/ntw2k/freeware/psexec.shtml
    >
    >Enter the command psexec \\computername cmd.exe [again
    using real
    >computername]
    >
    >You should see a command prompt on your screen for the
    locked out computer.
    >If you do, then enter the command using secedit in the KB
    link below and
    >append /areas user_rights after it [as shown under link]
    and hit enter. You
    >can copy and paste the command and then add /areas
    user_rights after it. If
    >you goof up and it executes without the /areas
    user_rights, don't worry
    >about it. It will just take a lot longer and maybe change
    some security
    >policy settings you modified from default if any.
    >
    >http://support.microsoft.com/default.aspx?scid=kb;EN-
    US;313222
    >
    >secedit /configure /cfg %windir%\repair\secsetup.inf /db
    >secsetup.sdb /verbose /areas user_rights
    >
    >Hoefully one of the two methods will help. --- Steve
    >..
    >"JWC062604" <anonymous@discussions.microsoft.com> wrote
    in message
    >news:2250d01c45ca2$3e7a8250$a001280a@phx.gbl...
    >> Steve:
    >>
    >> It did not work.
    >>
    >> I was able to access my "locked" PC's C Drive by using
    >> the "\\computername\c$".
    >>
    >> Important points I want feedback on:
    >>
    >> 1) My working PC originally ran on Win 98 and was
    upgraded
    >> to Win 2000. It was not a clean install. I was an
    upgrade.
    >> Also my 2nd PC runs on a PII 233. My locked PC is a
    800mh
    >> celeron.
    >>
    >> 2) What if I added a 3rd PC running on a clean install
    of
    >> Win2000 to my network and added it to my workgroup.
    Then I
    >> could copy it's "secedit.sdb" to it. Would that help?
    >>
    >> 3) When I copy/pasted the "secedit.sdb" to the locked
    PC,
    >> I did not delete the now name changed "seceditold.sdb".
    I
    >> pasted my 2nd PC's copied secedit.sdb next to it in the
    >> database folder. So, in the end, the database folder on
    my
    >> locked PC had the new/copied "secedit.sdb" file and the
    >> name changed "seceditold.sdb" file still for the fix it
    >> boot up. (Did that cause a problem?)
    >>
    >> 4) I noticed on JSI FAQ #3361 that it says to rename
    >> the "secedit.sdb" file to "secedit.old_sdb". That is
    >> different from your suggestion. You said to rename the
    >> file "seceditold.sdb". Does that make a difference?
    >>
    >> 5) Looking at JSI FAQ #3361 that it says the cause
    >> was "Local Security Policy has been set to deny logon
    >> right to everyone." I do not recall "setting a deny" at
    >> all. I did delete some "user groups" that I didn't
    think I
    >> needed. My guess is that the problem is a missing group
    >> not a deny to everyone. I recall setting a lot of the
    >> security settings to allow for everyone. i do not recall
    >> one time where I set security to deny everyone.
    >>
    >> 6) Over my many attempts to boot up the locked PC, I
    tried
    >> Safe Mode. I watched the as the black screen scrolled
    >> through all of the driver names. Eventually the
    scrolling
    >> ends and the PC sits for quite a while. Could it be
    stuck
    >> trying to load a bad driver? Can I try the "return to
    the
    >> last good configuration" route?
    >>
    >> Once I was able to move throughout my locked PC's file
    >> structure using "\\computername\c$", I feel pretty
    >> optimistic that this can now be fixed throught the
    network
    >> somehow.
    >>
    >> At very worst, I can at least copy everything off of the
    >> PC to a 3rd PC and save it there or burn a CD.
    >> Unfortunately, my existing 2nd PC has only a 4 gig
    >> harddrive so it won't work. It is far too small. Plus it
    >> only had about 225 meg left. It is far too small to
    >> attempt a move.
    >>
    >> I assume it would be possible to add a third (& larger
    HD)
    >> PC to my 4 port router and move the files there. At
    least
    >> I now access to my Outlook email contact files and
    >> email .pst files with info I badly need.
    >>
    >> Also, I had copied installation CD's directly to my
    locked
    >> PC's HD for save keeping in case something happened to
    the
    >> CD's themselves. At least now I can move these files to
    a
    >> 3rd PC.
    >>
    >>
    >> >-----Original Message-----
    >> >Thanks, Steve. You've been a life saver.
    >> >
    >> >JWC062604
    >> >
    >> >>-----Original Message-----
    >> >>The link I showed shows exactly how to do that. Here
    are
    >> >the basic steps.
    >> >>Substitute your actual computer name for the locked
    out
    >> >computer where I
    >> >>show "computername". If you don't know the computers
    >> >actual name, you should
    >> >>see it in My Network Places on the good computer.
    >> >Hopefully your working
    >> >>computer is a Windows 2000 Pro computer or this will
    not
    >> >work and stop after
    >> >>verifiyng or not that you can access the C$ folder on
    >> the
    >> >locked out
    >> >>computer as described in the second sentence below. If
    >> >you can at least
    >> >>access the c$ folder there may be another option but I
    >> >need to know the
    >> >>operating system of your good computer. If you can not
    >> >access the c$ drive
    >> >>you will need to try to take it to someone who can
    slave
    >> >the drive in
    >> >>another computer running Windows 2000 or XP to try and
    >> >repair it or
    >> >>reinstall the operating system which can be done
    without
    >> >destroying your
    >> >>data but will require that you reinstall all of your
    >> >applications, service
    >> >>pack, and critical updates. Note that if you have any
    >> EFS
    >> >encrypted files,
    >> >>that a reinstall that is not an "upgrade" install will
    >> >prevent you from ever
    >> >>accessing them again unless you backed up your EFS
    >> >privaye keys.
    >> >>
    >> >>http://www.jsiinc.com/SUBG/TIP3300/rh3361.htm
    >> >>
    >> >>First logon to your other computer with a logon name
    and
    >> >password that
    >> >>exists on the locked out computer that is an
    >> >administrator on that computer.
    >> >>Create the account on your "good" computer if need be.
    >> >>
    >> >>In the run box type \\computername\c$ and then enter.
    If
    >> >it brings up the
    >> >>administrative share on the other computer which
    should
    >> >show the whole drive
    >> >>you are in. I am assumming c drive is where your
    >> >operating system is at and
    >> >>if it is not use the correct drive letter.
    >> >>
    >> >>Go to the \winnt\security\database folder. First open
    >> the
    >> >winnt folder and
    >> >>then the others in the order shown. Folders are in
    >> >alphabetical order within
    >> >>a folder.This is called the "path". You should see a
    >> file
    >> >called secedit.sdb
    >> >>in the window to the right. Right click that file and
    >> >select rename. Rename
    >> >>it seceditold.sdm and hit enter.
    >> >>
    >> >>Minimize the Explorer Window by selecting the minimize
    >> >icon in the top right
    >> >>hand corner. Now on your "good" computer go to the
    same
    >> >folder path and find
    >> >>the copy of secedit.sdb on it. Right click that file
    and
    >> >select copy. Now
    >> >>maximize the Explorer Window on your locked out
    computer
    >> >and put your
    >> >>pointer in the window to the right where you now have
    a
    >> >file called
    >> >>seceditold.sdb. Right click your mouse and select
    paste
    >> >and you should now
    >> >>see a copy of secedit.sdb from the other computer that
    >> >you just copied.
    >> >>Close your Explorer Windows and reboot the locked out
    >> >computer to see if it
    >> >>helps and let me know. --- Steve
    >> >>
    >> >>"JWC062604" <anonymous@discussions.microsoft.com>
    wrote
    >> >in message
    >> >>news:2212e01c45bc1$8bc86b80$a001280a@phx.gbl...
    >> >>> Steve:
    >> >>>
    >> >>> I actually do have another PC on my (2 PC) network.
    >> This
    >> >>> is how I am communicating now. My purpose for the
    >> >network
    >> >>> was so both PC's could share the cable modem to the
    >> net.
    >> >>> That's the only reason that I have the network.
    >> >>>
    >> >>> Are there other instructions possible with a PC on
    the
    >> >>> network? Or how might a professional repair this
    >> >problem?
    >> >>> I would take the machine to a firm that only dealt
    with
    >> >>> larger, corporate clients.
    >> >>>
    >> >>> Please respond.
    >> >>> JWC062604
    >> >>>
    >> >>> >-----Original Message-----
    >> >>> >See the tips in the link below. If you do not have
    a
    >> >>> another computer on the network
    >> >>> >you are going to need to try and replace the
    >> >secedit.sdb
    >> >>> file on your computer some
    >> >>> >other way such as by putting your hard drive in
    >> another
    >> >>> computer as a slave/secondary
    >> >>> >drive or doing a parallel install of the operating
    >> >system
    >> >>> [best done into another
    >> >>> >partition] in order to do the repair being very
    >> careful
    >> >>> NOT to install over your
    >> >>> >existing installation and do NOT format your drive,
    >> >which
    >> >>> you can delete when you are
    >> >>> >done. Specifically what happened is either you
    >> removed
    >> >>> groups from the logon
    >> >>> >locally user right or added a group to the deny
    logon
    >> >>> locally user right [more
    >> >>> >likely]. --- Steve
    >> >>> >
    >> >>> >http://www.jsiinc.com/SUBG/TIP3300/rh3361.htm
    >> >>> >http://support.microsoft.com/default.aspx?
    scid=kb;en-
    >> >>> us;266465
    >> >>> >
    >> >>> >"JWC062604" <anonymous@discussions.microsoft.com>
    >> wrote
    >> >>> in message
    >> >>> >news:21dd501c45ba2$07056480$a401280a@phx.gbl...
    >> >>> >> I use my PC locally only so last night I was
    trying
    >> >to
    >> >>> >> bypass the Windows logon screen. I thought I had
    >> made
    >> >>> the
    >> >>> >> proper adjustments within "Local Security Policy"
    >> >>> >> and "Users & Passwords" to allow for a straight
    >> boot
    >> >up
    >> >>> >> without the popup Windows logon box.
    >> >>> >>
    >> >>> >> This morning, when I booted up my PC, the Windows
    >> >logon
    >> >>> >> box still comes up so i went ahead and hit "OK"
    >> like
    >> >i
    >> >>> had
    >> >>> >> always dine previously using Administrator as my
    ID.
    >> >>> Then
    >> >>> >> I got a popup message stating "The local policy
    of
    >> >this
    >> >>> >> system does not permit you to logon
    interactively."
    >> >>> >>
    >> >>> >> I hit OK and the above message keeps coming up.
    How
    >> >can
    >> >>> I
    >> >>> >> go back and reset the logon settings the way they
    >> >were?
    >> >>> >>
    >> >>> >> TY JWC062404
    >> >>> >>
    >> >>> >>
    >> >>> >>
    >> >>> >>
    >> >>> >
    >> >>> >
    >> >>> >.
    >> >>> >
    >> >>
    >> >>
    >> >>.
    >> >>
    >> >.
    >> >
    >
    >
    >.
    >
  10. Archived from groups: microsoft.public.win2000.security (More info?)

    I believe so. I have never upgraded a W98 computer to W2K. It should work fine in the
    Windows or Window\system32 folder. The reason I suggest putting it there is because
    it is in the "path" and will be executed where ever you use it. Ntrights is very
    small and even if you need to download the whole Windows 2003 RK [13 MB] tools you
    will have plenty of room. Otherwise try using psexec as I also suggested as a
    possible solution.--- Steve


    "JWC062704" <anonymous@discussions.microsoft.com> wrote in message
    news:222a001c45cbb$43038380$a401280a@phx.gbl...
    > Steve:
    >
    > One other thing. My 2nd PC doesn't show a WINNT folder. It
    > shows a WINDOWS folder, instead. (IS that a hold over from
    > Win 98 before the WIN2000 upgrade?) The WINDOWS folder
    > shows security and database and the file secedit.sdb
    > though.
    >
    > How big is the NTRights? My 2nd PC only has about 225 meg
    > left of its 4 gig HD.
    >
    > Thanks, JWC
    >
    > >-----Original Message-----
    > >Hmm. There is no guarantee that method will work all the
    > time. I don't
    > >believe it will make any difference about renaming the
    > old file. Try
    > >removing the old file to another folder and leaving the
    > new secedit.sdb file
    > >alone in that folder. It is always best practice to
    > rename a critical file
    > >in case something goes really bad or you need it later
    > for configuration
    > >purposes. Let's go to plan B.
    > >
    > >First go to
    > http://www.petri.co.il/download_free_reskit_tools.htm
    > >and download Ntrights and unzip it and copy it to your
    > \winnt\system32
    > >folder on your good computer. Read the link below on
    > ntrights to remove deny
    > >logon rights as an example of how it is used.
    > >
    > >http://support.microsoft.com/default.aspx?scid=kb;en-
    > us;276590
    > >
    > >Enter this command on your good computer [substituting
    > real computer name]
    > >while logged on as an administrator on the locked out
    > computer to give users
    > >group the right to logon interactively.
    > >
    > >ntrights -m \\computername -u users +r
    > SeInteractiveLogonRight . Type or
    > >copy it exactly as shown as the right is case sensitive.
    > >
    > >I noticed that Petri link to ntrights is currently down.
    > You can also get
    > >ntrights from a package of tools in the link below. You
    > will probably have
    > >to install all of them and then just move ntrights to
    > your \winnt\system32
    > >folder. Delete the rest of them as they are for W2003
    > Server but hopefully
    > >ntrights will work.
    > >
    > >http://www.microsoft.com/downloads/details.aspx?
    > FamilyID=9d467a69-57ff-4ae7-
    > >96ee-b18c4790cffd&displaylang=en
    > >http://tinyurl.com/a32f -- same link as above in case of
    > wrap
    > >
    > >Plan C. ******
    > >
    > >Go to SysInternals and download Psexec, unzip it and
    > download it into your
    > >\winnsystem32 folder.
    > >
    > >http://www.sysinternals.com/ntw2k/freeware/psexec.shtml
    > >
    > >Enter the command psexec \\computername cmd.exe [again
    > using real
    > >computername]
    > >
    > >You should see a command prompt on your screen for the
    > locked out computer.
    > >If you do, then enter the command using secedit in the KB
    > link below and
    > >append /areas user_rights after it [as shown under link]
    > and hit enter. You
    > >can copy and paste the command and then add /areas
    > user_rights after it. If
    > >you goof up and it executes without the /areas
    > user_rights, don't worry
    > >about it. It will just take a lot longer and maybe change
    > some security
    > >policy settings you modified from default if any.
    > >
    > >http://support.microsoft.com/default.aspx?scid=kb;EN-
    > US;313222
    > >
    > >secedit /configure /cfg %windir%\repair\secsetup.inf /db
    > >secsetup.sdb /verbose /areas user_rights
    > >
    > >Hoefully one of the two methods will help. --- Steve
    > >..
    > >"JWC062604" <anonymous@discussions.microsoft.com> wrote
    > in message
    > >news:2250d01c45ca2$3e7a8250$a001280a@phx.gbl...
    > >> Steve:
    > >>
    > >> It did not work.
    > >>
    > >> I was able to access my "locked" PC's C Drive by using
    > >> the "\\computername\c$".
    > >>
    > >> Important points I want feedback on:
    > >>
    > >> 1) My working PC originally ran on Win 98 and was
    > upgraded
    > >> to Win 2000. It was not a clean install. I was an
    > upgrade.
    > >> Also my 2nd PC runs on a PII 233. My locked PC is a
    > 800mh
    > >> celeron.
    > >>
    > >> 2) What if I added a 3rd PC running on a clean install
    > of
    > >> Win2000 to my network and added it to my workgroup.
    > Then I
    > >> could copy it's "secedit.sdb" to it. Would that help?
    > >>
    > >> 3) When I copy/pasted the "secedit.sdb" to the locked
    > PC,
    > >> I did not delete the now name changed "seceditold.sdb".
    > I
    > >> pasted my 2nd PC's copied secedit.sdb next to it in the
    > >> database folder. So, in the end, the database folder on
    > my
    > >> locked PC had the new/copied "secedit.sdb" file and the
    > >> name changed "seceditold.sdb" file still for the fix it
    > >> boot up. (Did that cause a problem?)
    > >>
    > >> 4) I noticed on JSI FAQ #3361 that it says to rename
    > >> the "secedit.sdb" file to "secedit.old_sdb". That is
    > >> different from your suggestion. You said to rename the
    > >> file "seceditold.sdb". Does that make a difference?
    > >>
    > >> 5) Looking at JSI FAQ #3361 that it says the cause
    > >> was "Local Security Policy has been set to deny logon
    > >> right to everyone." I do not recall "setting a deny" at
    > >> all. I did delete some "user groups" that I didn't
    > think I
    > >> needed. My guess is that the problem is a missing group
    > >> not a deny to everyone. I recall setting a lot of the
    > >> security settings to allow for everyone. i do not recall
    > >> one time where I set security to deny everyone.
    > >>
    > >> 6) Over my many attempts to boot up the locked PC, I
    > tried
    > >> Safe Mode. I watched the as the black screen scrolled
    > >> through all of the driver names. Eventually the
    > scrolling
    > >> ends and the PC sits for quite a while. Could it be
    > stuck
    > >> trying to load a bad driver? Can I try the "return to
    > the
    > >> last good configuration" route?
    > >>
    > >> Once I was able to move throughout my locked PC's file
    > >> structure using "\\computername\c$", I feel pretty
    > >> optimistic that this can now be fixed throught the
    > network
    > >> somehow.
    > >>
    > >> At very worst, I can at least copy everything off of the
    > >> PC to a 3rd PC and save it there or burn a CD.
    > >> Unfortunately, my existing 2nd PC has only a 4 gig
    > >> harddrive so it won't work. It is far too small. Plus it
    > >> only had about 225 meg left. It is far too small to
    > >> attempt a move.
    > >>
    > >> I assume it would be possible to add a third (& larger
    > HD)
    > >> PC to my 4 port router and move the files there. At
    > least
    > >> I now access to my Outlook email contact files and
    > >> email .pst files with info I badly need.
    > >>
    > >> Also, I had copied installation CD's directly to my
    > locked
    > >> PC's HD for save keeping in case something happened to
    > the
    > >> CD's themselves. At least now I can move these files to
    > a
    > >> 3rd PC.
    > >>
    > >>
    > >> >-----Original Message-----
    > >> >Thanks, Steve. You've been a life saver.
    > >> >
    > >> >JWC062604
    > >> >
    > >> >>-----Original Message-----
    > >> >>The link I showed shows exactly how to do that. Here
    > are
    > >> >the basic steps.
    > >> >>Substitute your actual computer name for the locked
    > out
    > >> >computer where I
    > >> >>show "computername". If you don't know the computers
    > >> >actual name, you should
    > >> >>see it in My Network Places on the good computer.
    > >> >Hopefully your working
    > >> >>computer is a Windows 2000 Pro computer or this will
    > not
    > >> >work and stop after
    > >> >>verifiyng or not that you can access the C$ folder on
    > >> the
    > >> >locked out
    > >> >>computer as described in the second sentence below. If
    > >> >you can at least
    > >> >>access the c$ folder there may be another option but I
    > >> >need to know the
    > >> >>operating system of your good computer. If you can not
    > >> >access the c$ drive
    > >> >>you will need to try to take it to someone who can
    > slave
    > >> >the drive in
    > >> >>another computer running Windows 2000 or XP to try and
    > >> >repair it or
    > >> >>reinstall the operating system which can be done
    > without
    > >> >destroying your
    > >> >>data but will require that you reinstall all of your
    > >> >applications, service
    > >> >>pack, and critical updates. Note that if you have any
    > >> EFS
    > >> >encrypted files,
    > >> >>that a reinstall that is not an "upgrade" install will
    > >> >prevent you from ever
    > >> >>accessing them again unless you backed up your EFS
    > >> >privaye keys.
    > >> >>
    > >> >>http://www.jsiinc.com/SUBG/TIP3300/rh3361.htm
    > >> >>
    > >> >>First logon to your other computer with a logon name
    > and
    > >> >password that
    > >> >>exists on the locked out computer that is an
    > >> >administrator on that computer.
    > >> >>Create the account on your "good" computer if need be.
    > >> >>
    > >> >>In the run box type \\computername\c$ and then enter.
    > If
    > >> >it brings up the
    > >> >>administrative share on the other computer which
    > should
    > >> >show the whole drive
    > >> >>you are in. I am assumming c drive is where your
    > >> >operating system is at and
    > >> >>if it is not use the correct drive letter.
    > >> >>
    > >> >>Go to the \winnt\security\database folder. First open
    > >> the
    > >> >winnt folder and
    > >> >>then the others in the order shown. Folders are in
    > >> >alphabetical order within
    > >> >>a folder.This is called the "path". You should see a
    > >> file
    > >> >called secedit.sdb
    > >> >>in the window to the right. Right click that file and
    > >> >select rename. Rename
    > >> >>it seceditold.sdm and hit enter.
    > >> >>
    > >> >>Minimize the Explorer Window by selecting the minimize
    > >> >icon in the top right
    > >> >>hand corner. Now on your "good" computer go to the
    > same
    > >> >folder path and find
    > >> >>the copy of secedit.sdb on it. Right click that file
    > and
    > >> >select copy. Now
    > >> >>maximize the Explorer Window on your locked out
    > computer
    > >> >and put your
    > >> >>pointer in the window to the right where you now have
    > a
    > >> >file called
    > >> >>seceditold.sdb. Right click your mouse and select
    > paste
    > >> >and you should now
    > >> >>see a copy of secedit.sdb from the other computer that
    > >> >you just copied.
    > >> >>Close your Explorer Windows and reboot the locked out
    > >> >computer to see if it
    > >> >>helps and let me know. --- Steve
    > >> >>
    > >> >>"JWC062604" <anonymous@discussions.microsoft.com>
    > wrote
    > >> >in message
    > >> >>news:2212e01c45bc1$8bc86b80$a001280a@phx.gbl...
    > >> >>> Steve:
    > >> >>>
    > >> >>> I actually do have another PC on my (2 PC) network.
    > >> This
    > >> >>> is how I am communicating now. My purpose for the
    > >> >network
    > >> >>> was so both PC's could share the cable modem to the
    > >> net.
    > >> >>> That's the only reason that I have the network.
    > >> >>>
    > >> >>> Are there other instructions possible with a PC on
    > the
    > >> >>> network? Or how might a professional repair this
    > >> >problem?
    > >> >>> I would take the machine to a firm that only dealt
    > with
    > >> >>> larger, corporate clients.
    > >> >>>
    > >> >>> Please respond.
    > >> >>> JWC062604
    > >> >>>
    > >> >>> >-----Original Message-----
    > >> >>> >See the tips in the link below. If you do not have
    > a
    > >> >>> another computer on the network
    > >> >>> >you are going to need to try and replace the
    > >> >secedit.sdb
    > >> >>> file on your computer some
    > >> >>> >other way such as by putting your hard drive in
    > >> another
    > >> >>> computer as a slave/secondary
    > >> >>> >drive or doing a parallel install of the operating
    > >> >system
    > >> >>> [best done into another
    > >> >>> >partition] in order to do the repair being very
    > >> careful
    > >> >>> NOT to install over your
    > >> >>> >existing installation and do NOT format your drive,
    > >> >which
    > >> >>> you can delete when you are
    > >> >>> >done. Specifically what happened is either you
    > >> removed
    > >> >>> groups from the logon
    > >> >>> >locally user right or added a group to the deny
    > logon
    > >> >>> locally user right [more
    > >> >>> >likely]. --- Steve
    > >> >>> >
    > >> >>> >http://www.jsiinc.com/SUBG/TIP3300/rh3361.htm
    > >> >>> >http://support.microsoft.com/default.aspx?
    > scid=kb;en-
    > >> >>> us;266465
    > >> >>> >
    > >> >>> >"JWC062604" <anonymous@discussions.microsoft.com>
    > >> wrote
    > >> >>> in message
    > >> >>> >news:21dd501c45ba2$07056480$a401280a@phx.gbl...
    > >> >>> >> I use my PC locally only so last night I was
    > trying
    > >> >to
    > >> >>> >> bypass the Windows logon screen. I thought I had
    > >> made
    > >> >>> the
    > >> >>> >> proper adjustments within "Local Security Policy"
    > >> >>> >> and "Users & Passwords" to allow for a straight
    > >> boot
    > >> >up
    > >> >>> >> without the popup Windows logon box.
    > >> >>> >>
    > >> >>> >> This morning, when I booted up my PC, the Windows
    > >> >logon
    > >> >>> >> box still comes up so i went ahead and hit "OK"
    > >> like
    > >> >i
    > >> >>> had
    > >> >>> >> always dine previously using Administrator as my
    > ID.
    > >> >>> Then
    > >> >>> >> I got a popup message stating "The local policy
    > of
    > >> >this
    > >> >>> >> system does not permit you to logon
    > interactively."
    > >> >>> >>
    > >> >>> >> I hit OK and the above message keeps coming up.
    > How
    > >> >can
    > >> >>> I
    > >> >>> >> go back and reset the logon settings the way they
    > >> >were?
    > >> >>> >>
    > >> >>> >> TY JWC062404
    > >> >>> >>
    > >> >>> >>
    > >> >>> >>
    > >> >>> >>
    > >> >>> >
    > >> >>> >
    > >> >>> >.
    > >> >>> >
    > >> >>
    > >> >>
    > >> >>.
    > >> >>
    > >> >.
    > >> >
    > >
    > >
    > >.
    > >
Ask a new question

Read More

Security Windows 2000 Windows