Sign in with
Sign up | Sign in
Your question

Local Login Policy/Effective Policy does not grant login, ..

Last response: in Windows 2000/NT
Share
March 31, 2005 1:59:05 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Windows 2000 server has local accounts and local user accounts are not able
to "Log on Locally".

The "Log on Locally" local rights exist, but they are overwritten by the
effective rights which are blank. As a result the local user is not able to
login to the computer.

The server was connected to a domain, but it was removed for trouble
shooting purposes.

I've been using 1.)secedit to refresh the security policy, 2.) gpresult to
view the group policies that are effective on the system, 3.) gpedit.msc to
view the local policy.

What can be done so that "Log on Locally" is granted to the local user
accounts?

Thanks,
Jim
Anonymous
a b 8 Security
April 1, 2005 3:35:39 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Check to make sure that the computer shows that it is no longer a member of
the domain but is instead in a workgroup. If that is the case and you are
having such problem it could be that the local secedit.sdb is corrupt. The
link below may be worth a try. The built in local administrator account
should be able to logon. You may first want to use the Security
Configuration and Analysis snapin to see what it reports for security
settings. If possible try to add users to the list of groups allowed to
logon locally if it does not contain that group currently and reboot the
computer. Any groups/users in deny logon locally will override logon locally
user right. --- Steve

http://www.jsifaq.com/SUBH/TIP3500/rh3561.htm
http://www.microsoft.com/technet/prodtechnol/windows200...
--- how to use SCA tool.


"Jim" <Jim@discussions.microsoft.com> wrote in message
news:E86B0666-1543-489B-8768-860E968BD325@microsoft.com...
> Windows 2000 server has local accounts and local user accounts are not
> able
> to "Log on Locally".
>
> The "Log on Locally" local rights exist, but they are overwritten by the
> effective rights which are blank. As a result the local user is not able
> to
> login to the computer.
>
> The server was connected to a domain, but it was removed for trouble
> shooting purposes.
>
> I've been using 1.)secedit to refresh the security policy, 2.) gpresult to
> view the group policies that are effective on the system, 3.) gpedit.msc
> to
> view the local policy.
>
> What can be done so that "Log on Locally" is granted to the local user
> accounts?
>
> Thanks,
> Jim
April 1, 2005 10:51:05 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Tried by move the secedit.mdb but it was in use by another process. What
needs to be done to move the file?

"Steven L Umbach" wrote:

> Check to make sure that the computer shows that it is no longer a member of
> the domain but is instead in a workgroup. If that is the case and you are
> having such problem it could be that the local secedit.sdb is corrupt. The
> link below may be worth a try. The built in local administrator account
> should be able to logon. You may first want to use the Security
> Configuration and Analysis snapin to see what it reports for security
> settings. If possible try to add users to the list of groups allowed to
> logon locally if it does not contain that group currently and reboot the
> computer. Any groups/users in deny logon locally will override logon locally
> user right. --- Steve
>
> http://www.jsifaq.com/SUBH/TIP3500/rh3561.htm
> http://www.microsoft.com/technet/prodtechnol/windows200...
> --- how to use SCA tool.
>
>
> "Jim" <Jim@discussions.microsoft.com> wrote in message
> news:E86B0666-1543-489B-8768-860E968BD325@microsoft.com...
> > Windows 2000 server has local accounts and local user accounts are not
> > able
> > to "Log on Locally".
> >
> > The "Log on Locally" local rights exist, but they are overwritten by the
> > effective rights which are blank. As a result the local user is not able
> > to
> > login to the computer.
> >
> > The server was connected to a domain, but it was removed for trouble
> > shooting purposes.
> >
> > I've been using 1.)secedit to refresh the security policy, 2.) gpresult to
> > view the group policies that are effective on the system, 3.) gpedit.msc
> > to
> > view the local policy.
> >
> > What can be done so that "Log on Locally" is granted to the local user
> > accounts?
> >
> > Thanks,
> > Jim
>
>
>
Anonymous
a b 8 Security
April 1, 2005 3:26:13 PM

Archived from groups: microsoft.public.win2000.security (More info?)

You might try booting into safe mode to see if that helps. Also see the link
below on using esentutl to try to repair secedit.sdb. --- Steve

http://www.microsoft.com/resources/documentation/window...

"Jim" <Jim@discussions.microsoft.com> wrote in message
news:FFDD61B2-DA4F-4605-90D1-5EBE2118CA75@microsoft.com...
> Tried by move the secedit.mdb but it was in use by another process. What
> needs to be done to move the file?
>
> "Steven L Umbach" wrote:
>
>> Check to make sure that the computer shows that it is no longer a member
>> of
>> the domain but is instead in a workgroup. If that is the case and you are
>> having such problem it could be that the local secedit.sdb is corrupt.
>> The
>> link below may be worth a try. The built in local administrator account
>> should be able to logon. You may first want to use the Security
>> Configuration and Analysis snapin to see what it reports for security
>> settings. If possible try to add users to the list of groups allowed to
>> logon locally if it does not contain that group currently and reboot the
>> computer. Any groups/users in deny logon locally will override logon
>> locally
>> user right. --- Steve
>>
>> http://www.jsifaq.com/SUBH/TIP3500/rh3561.htm
>> http://www.microsoft.com/technet/prodtechnol/windows200...
>> --- how to use SCA tool.
>>
>>
>> "Jim" <Jim@discussions.microsoft.com> wrote in message
>> news:E86B0666-1543-489B-8768-860E968BD325@microsoft.com...
>> > Windows 2000 server has local accounts and local user accounts are not
>> > able
>> > to "Log on Locally".
>> >
>> > The "Log on Locally" local rights exist, but they are overwritten by
>> > the
>> > effective rights which are blank. As a result the local user is not
>> > able
>> > to
>> > login to the computer.
>> >
>> > The server was connected to a domain, but it was removed for trouble
>> > shooting purposes.
>> >
>> > I've been using 1.)secedit to refresh the security policy, 2.) gpresult
>> > to
>> > view the group policies that are effective on the system, 3.)
>> > gpedit.msc
>> > to
>> > view the local policy.
>> >
>> > What can be done so that "Log on Locally" is granted to the local user
>> > accounts?
>> >
>> > Thanks,
>> > Jim
>>
>>
>>
!