Logon Error Msg: local security policy won't permit intera..

Archived from groups: microsoft.public.win2000.security (More info?)

I messed up while creating a user account for my kid and setting permissions
in W2K Professional (SP-2 was last update) ... After reading article ID
285793 on the subject, I think I know what I did wrong and how to fix it(I
accidentally set the "Deny logon locally" parameter). The resolution in the
article however, assumes you can get logged on ... I can't get past the logon
screen. I tried lauching in safe mode and I tried using my W2K startup disc
w/CD support but neither way worked. Is there any way to bypass the
"applying local security policy" function when windows launches so that I can
actually get logged on to fix my mistake?

Any help would be greatly appreciated.
Russ

Archived from groups: microsoft.public.win2000.security (More info?)

Do you have more than one machine?
If so, these are networked ? and you did not also make
changes to the Deny policy for network login ?
Evidently you set the Deny of local login for all Users ?

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"retjefe" <retjefe@discussions.microsoft.com> wrote in message
news:ECF36415-812F-4FDA-8217-639EE77466DD@microsoft.com...
> I messed up while creating a user account for my kid and setting
permissions
> in W2K Professional (SP-2 was last update) ... After reading article ID
> 285793 on the subject, I think I know what I did wrong and how to fix it(I
> accidentally set the "Deny logon locally" parameter). The resolution in
the
> article however, assumes you can get logged on ... I can't get past the
logon
> screen. I tried lauching in safe mode and I tried using my W2K startup
disc
> w/CD support but neither way worked. Is there any way to bypass the
> "applying local security policy" function when windows launches so that I
can
> actually get logged on to fix my mistake?
>
> Any help would be greatly appreciated.
> Russ

Archived from groups: microsoft.public.win2000.security (More info?)

Hi Steve,

Actually, with a parallel install, one can set a deny on the
%system32%\group policy folder (deny administrators) of
the other system, just like one does with access via a network
share mapping.
This prevents application during the admin login so that
they can then remove the deny and edit the policy to remove
the offending setting.

--
Roger
"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:JJRqd.176476$R05.95923@attbi_s53...
> The link below shows two ways to do it but both require the help of
another
> computer on the network.
>
> http://www.jsiinc.com/SUBG/TIP3300/rh3361.htm
>
> If you don't have another computer to help you, the only alternatives I
know
> are to install a parallel operating system to try and replace the
> secedit.sdb file from the parallel installation. Otherwise you will need
to
> do a fresh install of the operating system - an upgrade install will not
> work if I remember correctly. What you could do is to reinstall the
> operating system into the existing \winnt folder being sure NOT to format
> anything. You would follow the prompts to install the operating system
onto
> the same drive and then the installation will warn you that an existing
> installation exists and ask if you want to install to the existing \winnt
> folder. When you select yes I believe you have to select L to proceed.
>
> The advantage of this type of install is that your data and original
> profiles will be preserved but all your applications [other then Internet
> Explorer] will have to be reinstalled, probably to existing locations as
in
> "on top" of themselves. You would then have to install the latest service
> pack and critical updates and find your old profile under documents and
> settings folder to copy your data, emails, etc. That could be a lengthy
task
> if you do not have a high speed internet connection and you would have to
be
> sure that a firewall protects your computer before connecting it to the
> internet. Also if you happen to have any EFS encrypted files they will be
> lost forever if you do not have a backup of your EFS private key used to
> encrypt the files in a .pfx file somewhere.
>
> Otherwise try a parallel installation first though there is no guarantee
> that replacing secedit.sdb on the locked out install will work. The upside
> is that if it works, all your applications will still work and you will
not
> have to install service pack or critical updates and at the very least you
> will have access to your data, though you will probably need to take
> "ownership" of the profile folders first as an administrator. To do such
you
> will need to boot from the cdrom drive and install a new copy of the
> operating system, preferrably to another partition of your hard drive and
do
> NOT format a partition unless you are willing to lose all the data on it.
> See the link below for more info. Good luck. --- Steve
>
> http://support.microsoft.com/kb/266465
> http://support.microsoft.com/defau [...] -us;308421 -- works
the
> same in W2K.
>
> "retjefe" <retjefe@discussions.microsoft.com> wrote in message
> news:ECF36415-812F-4FDA-8217-639EE77466DD@microsoft.com...
> >I messed up while creating a user account for my kid and setting
> >permissions
> > in W2K Professional (SP-2 was last update) ... After reading article ID
> > 285793 on the subject, I think I know what I did wrong and how to fix
it(I
> > accidentally set the "Deny logon locally" parameter). The resolution in
> > the
> > article however, assumes you can get logged on ... I can't get past the
> > logon
> > screen. I tried lauching in safe mode and I tried using my W2K startup
> > disc
> > w/CD support but neither way worked. Is there any way to bypass the
> > "applying local security policy" function when windows launches so that
I
> > can
> > actually get logged on to fix my mistake?
> >
> > Any help would be greatly appreciated.
> > Russ
>
>

Archived from groups: microsoft.public.win2000.security (More info?)

Thanks (Rodger and Steve), I'll give it a whirl. This gives new meaning to
"learning from one's mistakes."

Russ

"Steven L Umbach" wrote:

> Hi Roger.
>
> Cool. I know that works for user configuration but was not sure about
> computer configuration policy. Hopefully he gets it sorted out as it can be
> a real pain when you don't have another computer on hand to help out. ---
> Steve
>
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:e$EH10o1EHA.2068@TK2MSFTNGP10.phx.gbl...
> > Hi Steve,
> >
> > Actually, with a parallel install, one can set a deny on the
> > %system32%\group policy folder (deny administrators) of
> > the other system, just like one does with access via a network
> > share mapping.
> > This prevents application during the admin login so that
> > they can then remove the deny and edit the policy to remove
> > the offending setting.
> >
> > --
> > Roger
> > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> > news:JJRqd.176476$R05.95923@attbi_s53...
> >> The link below shows two ways to do it but both require the help of
> > another
> >> computer on the network.
> >>
> >> http://www.jsiinc.com/SUBG/TIP3300/rh3361.htm
> >>
> >> If you don't have another computer to help you, the only alternatives I
> > know
> >> are to install a parallel operating system to try and replace the
> >> secedit.sdb file from the parallel installation. Otherwise you will need
> > to
> >> do a fresh install of the operating system - an upgrade install will not
> >> work if I remember correctly. What you could do is to reinstall the
> >> operating system into the existing \winnt folder being sure NOT to format
> >> anything. You would follow the prompts to install the operating system
> > onto
> >> the same drive and then the installation will warn you that an existing
> >> installation exists and ask if you want to install to the existing \winnt
> >> folder. When you select yes I believe you have to select L to proceed.
> >>
> >> The advantage of this type of install is that your data and original
> >> profiles will be preserved but all your applications [other then Internet
> >> Explorer] will have to be reinstalled, probably to existing locations as
> > in
> >> "on top" of themselves. You would then have to install the latest service
> >> pack and critical updates and find your old profile under documents and
> >> settings folder to copy your data, emails, etc. That could be a lengthy
> > task
> >> if you do not have a high speed internet connection and you would have to
> > be
> >> sure that a firewall protects your computer before connecting it to the
> >> internet. Also if you happen to have any EFS encrypted files they will be
> >> lost forever if you do not have a backup of your EFS private key used to
> >> encrypt the files in a .pfx file somewhere.
> >>
> >> Otherwise try a parallel installation first though there is no guarantee
> >> that replacing secedit.sdb on the locked out install will work. The
> >> upside
> >> is that if it works, all your applications will still work and you will
> > not
> >> have to install service pack or critical updates and at the very least
> >> you
> >> will have access to your data, though you will probably need to take
> >> "ownership" of the profile folders first as an administrator. To do such
> > you
> >> will need to boot from the cdrom drive and install a new copy of the
> >> operating system, preferrably to another partition of your hard drive and
> > do
> >> NOT format a partition unless you are willing to lose all the data on it.
> >> See the link below for more info. Good luck. --- Steve
> >>
> >> http://support.microsoft.com/kb/266465
> >> http://support.microsoft.com/defau [...] -us;308421 -- works
> > the
> >> same in W2K.
> >>
> >> "retjefe" <retjefe@discussions.microsoft.com> wrote in message
> >> news:ECF36415-812F-4FDA-8217-639EE77466DD@microsoft.com...
> >> >I messed up while creating a user account for my kid and setting
> >> >permissions
> >> > in W2K Professional (SP-2 was last update) ... After reading article ID
> >> > 285793 on the subject, I think I know what I did wrong and how to fix
> > it(I
> >> > accidentally set the "Deny logon locally" parameter). The resolution
> >> > in
> >> > the
> >> > article however, assumes you can get logged on ... I can't get past the
> >> > logon
> >> > screen. I tried lauching in safe mode and I tried using my W2K startup
> >> > disc
> >> > w/CD support but neither way worked. Is there any way to bypass the
> >> > "applying local security policy" function when windows launches so that
> > I
> >> > can
> >> > actually get logged on to fix my mistake?
> >> >
> >> > Any help would be greatly appreciated.
> >> > Russ
> >>
> >>
> >
> >
>
>
>

Archived from groups: microsoft.public.win2000.security (More info?)

Yep, as long as it is just a _local_ policy issue.
(ps. System has NTFS access due to hidden membership
in the Administrators group)

--
Roger
"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:2YRqd.111158$V41.68633@attbi_s52...
> Hi Roger.
>
> Cool. I know that works for user configuration but was not sure about
> computer configuration policy. Hopefully he gets it sorted out as it can
be
> a real pain when you don't have another computer on hand to help out. ---
> Steve
>
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:e$EH10o1EHA.2068@TK2MSFTNGP10.phx.gbl...
> > Hi Steve,
> >
> > Actually, with a parallel install, one can set a deny on the
> > %system32%\group policy folder (deny administrators) of
> > the other system, just like one does with access via a network
> > share mapping.
> > This prevents application during the admin login so that
> > they can then remove the deny and edit the policy to remove
> > the offending setting.
> >
> > --
> > Roger
> > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> > news:JJRqd.176476$R05.95923@attbi_s53...
> >> The link below shows two ways to do it but both require the help of
> > another
> >> computer on the network.
> >>
> >> http://www.jsiinc.com/SUBG/TIP3300/rh3361.htm
> >>
> >> If you don't have another computer to help you, the only alternatives I
> > know
> >> are to install a parallel operating system to try and replace the
> >> secedit.sdb file from the parallel installation. Otherwise you will
need
> > to
> >> do a fresh install of the operating system - an upgrade install will
not
> >> work if I remember correctly. What you could do is to reinstall the
> >> operating system into the existing \winnt folder being sure NOT to
format
> >> anything. You would follow the prompts to install the operating system
> > onto
> >> the same drive and then the installation will warn you that an existing
> >> installation exists and ask if you want to install to the existing
\winnt
> >> folder. When you select yes I believe you have to select L to proceed.
> >>
> >> The advantage of this type of install is that your data and original
> >> profiles will be preserved but all your applications [other then
Internet
> >> Explorer] will have to be reinstalled, probably to existing locations
as
> > in
> >> "on top" of themselves. You would then have to install the latest
service
> >> pack and critical updates and find your old profile under documents and
> >> settings folder to copy your data, emails, etc. That could be a lengthy
> > task
> >> if you do not have a high speed internet connection and you would have
to
> > be
> >> sure that a firewall protects your computer before connecting it to the
> >> internet. Also if you happen to have any EFS encrypted files they will
be
> >> lost forever if you do not have a backup of your EFS private key used
to
> >> encrypt the files in a .pfx file somewhere.
> >>
> >> Otherwise try a parallel installation first though there is no
guarantee
> >> that replacing secedit.sdb on the locked out install will work. The
> >> upside
> >> is that if it works, all your applications will still work and you will
> > not
> >> have to install service pack or critical updates and at the very least
> >> you
> >> will have access to your data, though you will probably need to take
> >> "ownership" of the profile folders first as an administrator. To do
such
> > you
> >> will need to boot from the cdrom drive and install a new copy of the
> >> operating system, preferrably to another partition of your hard drive
and
> > do
> >> NOT format a partition unless you are willing to lose all the data on
it.
> >> See the link below for more info. Good luck. --- Steve
> >>
> >> http://support.microsoft.com/kb/266465
> >> http://support.microsoft.com/defau [...] -us;308421 --
works
> > the
> >> same in W2K.
> >>
> >> "retjefe" <retjefe@discussions.microsoft.com> wrote in message
> >> news:ECF36415-812F-4FDA-8217-639EE77466DD@microsoft.com...
> >> >I messed up while creating a user account for my kid and setting
> >> >permissions
> >> > in W2K Professional (SP-2 was last update) ... After reading article
ID
> >> > 285793 on the subject, I think I know what I did wrong and how to fix
> > it(I
> >> > accidentally set the "Deny logon locally" parameter). The resolution
> >> > in
> >> > the
> >> > article however, assumes you can get logged on ... I can't get past
the
> >> > logon
> >> > screen. I tried lauching in safe mode and I tried using my W2K
startup
> >> > disc
> >> > w/CD support but neither way worked. Is there any way to bypass the
> >> > "applying local security policy" function when windows launches so
that
> > I
> >> > can
> >> > actually get logged on to fix my mistake?
> >> >
> >> > Any help would be greatly appreciated.
> >> > Russ
> >>
> >>
> >
> >
>
>