Question about Log on Locally Policy.

Anonymous
December 16, 2004 9:49:21 AM

Archived from groups: microsoft.public.win2000.security

Hello,

This thread is about a W2K member server.

I had to recover from a failure on one of my domain's boxes the other
day. I reloaded the image I had of the fully configured box. What I
forgot to realize is the security guys went through and changed who
can log on locally...

After the image was successfully restored, I tried to logon to the
domain but got a message the domain wasn't available.

So I then tried to log on as the local admin and got the error stating
the policy of the machine does not permit interactive logon.

So it looks like I'm stuck... I cannot contact the domain and I cannot
logon with a local account because the image captured the effective
setting from the DC regarding who can and cannot log on locally.

I do have an offline registry editor program but I have no idea if this
policy is even stored in the registry... does anyone know?
Are there any other tools that could help me out too?

Thanks!!!
Anonymous
December 16, 2004 11:41:30 AM

Steve, thanks for your reply.

After the system was first built, the security folks applied an NSA
template against it. It is very restrictive... almost to the point of
making the box not usable if you ask me. At any rate, I then made an
image of the final configuration. The system state at that time was an
effective setting of only let domadmins log on locally.

Now, fast forward to me recovering from image. For some reason the box
isn't seeing the domain. Which shouldn't really be a big deal... but
that does mean I cannot logon as a domadmin. But because of the
image-captured, effective group policy setting, this box still believes
it can only allow domadmins to log on locally.

If I'm reading your post correctly, the solutions you suggest imply I
have access to the desktop. I cannot get to the desktop because
without the box recognizing the domain I cannot logon as domadmin and I
cannot use any of the local accounts because they are prevented from
doing so because of the GP. I'm not sure how telnetting into the box
would work because how would I access the Group Policy remotely? I
have a linux boot disk which gives me access to SAM and the registry
but I don't know if or where the GP for log on locally is located there.
Anonymous
December 16, 2004 7:10:20 PM

Interesting as by default administrators group has logon locally user right.
The easiest thing to try would be to use ntrights to add the administrators
to the logon locally user right. Not knowing if there are entries in the
deny logon locally user right and the fact that it may have overriding
policy from the domain can complicate things. If you can access the computer
via an administrative share you may have a good chance to correct things and
then you might be able to use Computer Management to remotely view its
Event Viewer. If you cannot even access an administrative share, your chances
of correcting things are not good. Assuming you can, you could also use
psexec from SysInternals to access the command prompt on that computer to
check network configuration, run netdiag, etc. Netdom might be used to try
and join the computer to the domain or repair the secure channel. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;266280 -- note that
the user right is case sensitive in the command
http://www.petri.co.il/download_free_reskit_tools.htm --- Ntrights
available here
http://www.sysinternals.com/ntw2k/freeware/psexec.shtml -- Psexec.
http://support.microsoft.com/kb/216393/EN-US/ -- netdom info

"Adam Sandler" <corn29@excite.com> wrote in message
news:1103208561.753609.225590@z14g2000cwz.googlegroups.com...
> Hello,
>
> This thread is about a W2K member server.
>
> I had to recover from a failure on one of my domain's boxes the other
> day. I reloaded the image I had of the fully configured box. What I
> forgot to realize is the security guys went through and changed who
> can log on locally...
>
> After the image was successfully restored, I tried to logon to the
> domain but got a message the domain wasn't available.
>
> So I then tried to log on as the local admin and got the error stating
> the policy of the machine does not permit interactive logon.
>
> So it looks like I'm stuck... I cannot contact the domain and I cannot
> logon with a local account because the image captured the effective
> setting from the DC regarding who can and cannot log on locally.
>
> I do have an offline registry editor program but I have no idea if this
> policy is even stored in the registry... does anyone know?
> Are there any other tools that could help me out too?
>
> Thanks!!!
>
Anonymous
December 16, 2004 8:31:12 PM

I understand that you can not logon locally. I was suggesting methods that
might be able to be used remotely such as using Ntrights from another
computer on the network for which you would have to create an account so
that you can logon to the remote computer with username/password that is the
built in administrator account on the locked out machine. Hopefully you can
do that. If you can, you can do all those tasks I suggested remotely
including using psexec to check the tcp/ip configuration [such as incorrect
dns server] and running netdiag that might explain why you are having a
problem with the domain controller such as a dns or secure channel problem.
I would also try using Computer Management from a remote computer and then
select "connect to other computer" to try and view the System and
Application logs to see if any pertinent problems can be found. If you can
not access the computer by its name then try to use its IP address. You
might be able to use netdom to fix domain related problems for your locked
out computer. I also assume you rebooted it after restoring the image. ---
Steve


"Adam Sandler" <corn29@excite.com> wrote in message
news:1103215290.928866.26690@f14g2000cwb.googlegroups.com...
> Steve, thanks for your reply.
>
> After the system was first built, the security folks applied an NSA
> template against it. It is very restrictive... almost to the point of
> making the box not usable if you ask me. At any rate, I then made an
> image of the final configuration. The system state at that time was an
> effective setting of only let domadmins log on locally.
>
> Now, fast forward to me recovering from image. For some reason the box
> isn't seeing the domain. Which shouldn't really be a big deal... but
> that does mean I cannot logon as a domadmin. But because of the
> image-captured, effective group policy setting, this box still believes
> it can only allow domadmins to log on locally.
>
> If I'm reading your post correctly, the solutions you suggest imply I
> have access to the desktop. I cannot get to the desktop because
> without the box recognizing the domain I cannot logon as domadmin and I
> cannot use any of the local accounts because they are prevented from
> doing so because of the GP. I'm not sure how telnetting into the box
> would work because how would I access the Group Policy remotely? I
> have a linux boot disk which gives me access to SAM and the registry
> but I don't know if or where the GP for log on locally is located there.
>
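Steve's remote repair, written out as one cmd batch script so the order of the steps (reach the admin share, inspect, re-grant the right, diagnose the domain problem, reset the secure channel) is explicit. This is an added example, not code from Steve or anyone else in the thread. It assumes placeholder names: the locked-out server is W2KMEMBER, its domain is CONTOSO, the built-in local admin is still called Administrator (Roger's later point about the NSA template renaming it applies here), and ntrights.exe and psexec.exe are on the path of the machine you run it from, with netdom.exe installed on the target. The secedit export in step 2 is my addition for a "look before you change" check and is not something the posters mentioned.

```batch
@echo off
rem Added example (not any poster's code): Steve's remote repair, step by step.
rem Placeholders to replace: W2KMEMBER (locked-out server), CONTOSO (domain).
rem Run this from another Windows machine on the LAN that has ntrights.exe
rem (Resource Kit) and psexec.exe (SysInternals) on its path.

set TARGET=\\W2KMEMBER
set LOCALADMIN=W2KMEMBER\Administrator
set DOMAIN=CONTOSO

rem 1. Connect to the administrative share as the *local* built-in admin.
rem    If the NSA template renamed Administrator, use the new name here.
rem    If the machine name does not resolve, retry with its IP address.
net use %TARGET%\ipc$ /user:%LOCALADMIN% *
if errorlevel 1 (
    echo Cannot reach the admin share on %TARGET%; nothing below can work.
    exit /b 1
)

rem 2. Look before changing: which accounts currently hold the logon rights?
rem    ntrights only sets rights, so export them with secedit on the target.
rem    (secedit export switches as I recall them; verify on the target OS.)
psexec %TARGET% -u %LOCALADMIN% secedit /export /cfg C:\rights.inf /areas USER_RIGHTS
psexec %TARGET% -u %LOCALADMIN% cmd /c findstr /i "InteractiveLogonRight" C:\rights.inf

rem 3. Give Administrators back "Log on locally" and clear any entry in
rem    "Deny log on locally" (a deny entry always wins over an allow entry).
rem    The right names are case sensitive, exactly as KB 266280 warns.
ntrights -u Administrators +r SeInteractiveLogonRight -m %TARGET%
ntrights -u Administrators -r SeDenyInteractiveLogonRight -m %TARGET%

rem 4. Find out why the domain is "not available": DNS and the secure channel
rem    are the usual causes after a restore from an older image.
psexec %TARGET% -u %LOCALADMIN% ipconfig /all
psexec %TARGET% -u %LOCALADMIN% netdiag /test:dns
psexec %TARGET% -u %LOCALADMIN% netdiag /test:trust

rem 5. If the trust test fails, reset the member's secure channel with the
rem    domain. Assumes netdom.exe is installed on the target itself.
psexec %TARGET% -u %LOCALADMIN% netdom reset W2KMEMBER /domain:%DOMAIN%

rem 6. Drop the session, then try the console logon again.
net use %TARGET%\ipc$ /delete
```

Two notes on this. First, to Adam's registry question: "Log on locally" is a user right held in the LSA policy database rather than a plain registry value, which is why the remote route through LSA (ntrights) is the practical one and an offline registry editor is not. Second, each ntrights change is itself auditable: with policy-change auditing enabled, Windows 2000 records user right assignments and removals in the Security log (events 608 and 609), so a recovery like this leaves the same trail you would look for when someone re-grants themselves logon rights without authorisation.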
Anonymous
December 17, 2004 1:12:03 AM

IIRC at one version the NSA guide recommended that the
built-in Administrator account be renamed.
It is very possible that you only need to know the correct
account - unless you have already verified that Administrator
does have network access. The next issue is whether the
image was configured with AD based GPO or whether the
NSA guidelines were applied to the local policies, in which
event use of the group policy snapin over the network should
let you loosen it enough for local login and domain dis/rejoin.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4
"Adam Sandler" <corn29@excite.com> wrote in message
news:1103215290.928866.26690@f14g2000cwb.googlegroups.com...
> Steve, thanks for your reply.
>
> After the system was first built, the security folks applied an NSA
> template against it. It is very restrictive... almost to the point of
> making the box not usable if you ask me. At any rate, I then made an
> image of the final configuration. The system state at that time was an
> effective setting of only let domadmins log on locally.
>
> Now, fast forward to me recovering from image. For some reason the box
> isn't seeing the domain. Which shouldn't really be a big deal... but
> that does mean I cannot logon as a domadmin. But because of the
> image-captured, effective group policy setting, this box still believes
> it can only allow domadmins to log on locally.
>
> If I'm reading your post correctly, the solutions you suggest imply I
> have access to the desktop. I cannot get to the desktop because
> without the box recognizing the domain I cannot logon as domadmin and I
> cannot use any of the local accounts because they are prevented from
> doing so because of the GP. I'm not sure how telnetting into the box
> would work because how would I access the Group Policy remotely? I
> have a linux boot disk which gives me access to SAM and the registry
> but I don't know if or where the GP for log on locally is located there.
>