Question about Log on Locally Policy.

Archived from groups: microsoft.public.win2000.security

Hello,

This thread is about a W2K member server.

I had to recover from a failure on one of my domain's boxes the other
day. I reloaded the image I had of the fully configured box. What I
forgot to realize is the security guys went through and changed who
can log on locally...

After the image was successfully restored, I tried to logon to the
domain but got a message the domain wasn't available.

So I then tried to log on as the local admin and got the error stating
the policy of the machine does not permit interactive logon.

So it looks like I'm stuck... I cannot contact the domain and I cannot
logon with a local account because the image captured the effective
setting from the DC regarding who can and cannot log on locally.

I do have an offline registry editor program but I have no idea if this
policy is even stored in the registry... does anyone know?
Are there any other tools that could help me out too?

Thanks!!!
  1.

    Steve, thanks for your reply.

    After the system was first built, the security folks applied an NSA
    template against it. It is very restrictive... almost to the point of
    making the box not usable if you ask me. At any rate, I then made an
    image of the final configuration. The system state at that time was an
    effective setting of only let domadmins log on locally.

    Now, fast forward to me recovering from image. For some reason the box
    isn't seeing the domain, which shouldn't really be a big deal... but
    that does mean I cannot logon as a domadmin. But because of the
    image-captured, effective group policy setting, this box still believes
    it can only allow domadmins to log on locally.

    If I'm reading your post correctly, the solutions you suggest imply I
    have access to the desktop. I cannot get to the desktop because
    without the box recognizing the domain I cannot logon as domadmin and I
    cannot use any of the local accounts because they are prevented from
    doing so because of the GP. I'm not sure how telnetting into the box
    would work because how would I access the Group Policy remotely? I
    have a linux boot disk which gives me access to SAM and the registry
    but I don't know if or where the GP for log on locally is located there.
  2.

    Interesting, as by default the administrators group has the logon locally user right.
    The easiest thing to try would be to use ntrights to add the administrators
    to the logon locally user right. Not knowing if there are entries in the
    deny logon locally user right and the fact that it may have overriding
    policy from the domain can complicate things. If you can access the computer
    via an administrative share you may have a good chance to correct things and
    then you might be able to use Computer Management to remotely view its
    Event Viewer. If you cannot even access an administrative share, your chances
    of correcting things are not good. Assuming you can, you could also use
    psexec from SysInternals to access the command prompt on that computer to
    check network configuration, run netdiag, etc. Netdom might be used to try
    and join the computer to the domain or repair the secure channel. --- Steve

    http://support.microsoft.com/default.aspx?scid=kb;en-us;266280 -- note that
    the user right is case sensitive in the command
    http://www.petri.co.il/download_free_reskit_tools.htm --- Ntrights
    available here
    http://www.sysinternals.com/ntw2k/freeware/psexec.shtml -- Psexec.
    http://support.microsoft.com/kb/216393/EN-US/ -- netdom info

    "Adam Sandler" <corn29@excite.com> wrote in message
    news:1103208561.753609.225590@z14g2000cwz.googlegroups.com...
  3.
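As an added example (not from the thread or any of its posters), here is a PowerShell check for a current Windows host that shows who holds the two user rights Steve refers to, "Allow log on locally" (SeInteractiveLogonRight) and "Deny log on locally" (SeDenyInteractiveLogonRight), since a Deny entry wins over an Allow entry for the same principal. It runs on the target itself (for instance through psexec as suggested above); TARGET-SERVER in the printed ntrights line is a placeholder.

```powershell
# Added example, not from the thread. Exports the machine's effective user-rights
# assignment with secedit and lists who holds the allow/deny "log on locally" rights.
function Resolve-Principal {
    param([string]$Entry)
    # secedit writes SIDs with a leading '*'; account names are written as-is.
    if (-not $Entry.StartsWith('*')) { return $Entry }
    try {
        $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $Entry.Substring(1)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Domain SIDs cannot be resolved while the domain is unreachable (the
        # situation in this thread); keep the raw SID rather than dropping it.
        return $Entry
    }
}

function Get-UserRightHolders {
    param([string[]]$InfLines, [string]$Right)
    $line = $InfLines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }   # right assigned to nobody at all
    ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { Resolve-Principal $_.Trim() } |
        Where-Object { $_ }
}

$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$lines = Get-Content $inf

$allow = Get-UserRightHolders $lines 'SeInteractiveLogonRight'
$deny  = Get-UserRightHolders $lines 'SeDenyInteractiveLogonRight'
"Allow log on locally: $($allow -join ', ')"
"Deny  log on locally: $($deny  -join ', ')"

# BUILTIN\Administrators is S-1-5-32-544. If it is absent from Allow, or present in
# Deny, a local admin gets the "policy does not permit interactive logon" message.
$admins = 'BUILTIN\Administrators'
if ($deny -contains $admins) {
    "Administrators are explicitly denied; remove the Deny entry first (ntrights -r)."
} elseif ($allow -notcontains $admins) {
    "Administrators lack the right; grant it remotely (right name is case sensitive):"
    '  ntrights -m \\TARGET-SERVER -u Administrators +r SeInteractiveLogonRight'
}
# If the right comes from a domain GPO, the domain setting reapplies once the box
# reaches a DC again, so the GPO itself must be corrected as well.
```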

    I understand that you can not logon locally. I was suggesting methods that
    might be able to be used remotely such as using Ntrights from another
    computer on the network for which you would have to create an account so
    that you can logon to the remote computer with username/password that is the
    built in administrator account on the locked out machine. Hopefully you can
    do that. If you can you can do all those tasks I suggested remotely
    including using psexec to check the tcp/ip configuration [such as incorrect
    dns server] and running netdiag that might explain why you are having a
    problem with the domain controller such as a dns or secure channel problem.
    I would also try using Computer Management from a remote computer and then
    select "connect to other computer" to try and view the System and
    Application logs to see if any pertinent problems can be found. If you can
    not access the computer by its name then try to use its IP address. You
    might be able to use netdom to fix domain related problems for your locked
    out computer. I also assume you rebooted it after restoring the image. ---
    Steve


    "Adam Sandler" <corn29@excite.com> wrote in message
    news:1103215290.928866.26690@f14g2000cwb.googlegroups.com...
  4.

    IIRC at one version the NSA guide recommended that the
    built-in Administrator account be renamed.
    It is very possible that you only need to know the correct
    account - unless you have already verified that Administrator
    does have network access. The next issue is whether the
    image was configured with AD based GPO or whether the
    NSA guidelines were applied to the local policies, in which
    event use of the group policy snapin over the network should
    let you loosen it enough for local login and domain dis/rejoin.

    --
    Roger Abell
    Microsoft MVP (Windows Server System: Security)
    MCDBA, MCSE W2k3+W2k+Nt4
    "Adam Sandler" <corn29@excite.com> wrote in message
    news:1103215290.928866.26690@f14g2000cwb.googlegroups.com...