Local Login Policy/Effective Policy does not grant login, ..

Archived from groups: microsoft.public.win2000.security

Windows 2000 server has local accounts and local user accounts are not able
to "Log on Locally".

The "Log on Locally" local rights exist, but they are overwritten by the
effective rights which are blank. As a result the local user is not able to
login to the computer.

The server was connected to a domain, but it was removed for
troubleshooting purposes.

I've been using 1.) secedit to refresh the security policy, 2.) gpresult to
view the group policies that are effective on the system, 3.) gpedit.msc to
view the local policy.

What can be done so that "Log on Locally" is granted to the local user
accounts?

Thanks,
Jim
  1. Check to make sure that the computer shows that it is no longer a member of
    the domain but is instead in a workgroup. If that is the case and you are
    having such a problem, it could be that the local secedit.sdb is corrupt. The
    link below may be worth a try. The built-in local administrator account
    should be able to log on. You may first want to use the Security
    Configuration and Analysis snap-in to see what it reports for security
    settings. If possible, try to add users to the list of groups allowed to
    log on locally if it does not contain that group currently, and reboot the
    computer. Any groups/users in deny logon locally will override the logon locally
    user right. --- Steve

    http://www.jsifaq.com/SUBH/TIP3500/rh3561.htm
    http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/seconfig.mspx
    --- how to use SCA tool.


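
Steve's point that a deny entry overrides the allow right, and the poster's symptom of a blank effective list, can both be checked offline against a template written by `secedit /export /cfg`. This is an added example, not code from the thread; the sample template and the account name LabUser are constructed, and only direct entries are compared (group membership is not expanded).

```python
import configparser

ALLOW = "SeInteractiveLogonRight"      # "Log on locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny logon locally"

# Constructed sample template; LabUser is a made-up account.
# If the exported file is UTF-16, read it with open(path, encoding="utf-16").
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,LabUser
SeDenyInteractiveLogonRight = *S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_rights(inf_text):
    """Return {right name: set of principals} from [Privilege Rights]."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of right names
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {
        name: {p.strip().lstrip("*").lower() for p in value.split(",") if p.strip()}
        for name, value in cp.items("Privilege Rights")
    }

def interactive_logon_report(rights):
    """Compare direct entries only; membership in a denied group is not expanded."""
    allow = rights.get(ALLOW, set())
    deny = rights.get(DENY, set())
    return {
        "allowed": sorted(allow - deny),          # listed and not denied
        "blocked_by_deny": sorted(allow & deny),  # deny wins over allow
        "allow_list_empty": not allow,            # nobody is granted the right
    }

if __name__ == "__main__":
    print(interactive_logon_report(parse_rights(SAMPLE_INF)))
```
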
  2. Tried to move the secedit.mdb but it was in use by another process. What
    needs to be done to move the file?

  3. You might try booting into safe mode to see if that helps. Also see the link
    below on using esentutl to try to repair secedit.sdb. --- Steve

    http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_scetroubletn.mspx
