Question about Log on Locally Policy.

Last response: in Windows 2000/NT
Anonymous
July 5, 2005 4:02:16 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Is the log on locally policy stored anywhere in the registry? So that
if I were to delete that value, it would be the same as not enabling
log on locally in the first place?

Thanks!
Anonymous
July 5, 2005 9:02:15 PM

It is stored as part of security policy applied to that computer. What
exactly is your goal? --- Steve

Anonymous
July 6, 2005 1:03:37 PM

> What exactly is your goal?

I have honest intentions.

I'm trying to log on to a box restored from image. It keeps giving me
the error cannot log on to domain because computer account is missing.
I cannot log on locally either. I know I'm authenticating because if
the password was wrong, I'd get a different error. Attempts to solve
this problem via nltest or netdom have failed as well. If I know where
the setting for log on locally is at in the registry, I could use
something like chntpw from Knoppix to edit the policy, gain access to
the desktop, and then rejoin the domain.

Anonymous
July 6, 2005 3:47:55 PM

Steve, thanks for your reply... I have quite a few inline comments
below. I do appreciate the time you spent putting such a comprehensive
reply together.

> To answer your question I don't know or have ever
> heard of a way to fix such via the registry.

I understand... I'm not really looking for a fix to the problem. I
would just like to know if the group policy is stored in the registry
and if it is what is the location. I'm confident I can carry on from
there... and I'm not trying to be a cowboy administrator here; there is
a method to my madness as you will discover after reading some of my
comments.

> One thing to try is the tip
> from JSI at the link below but there is no guarantee that it will work and
> it might be best to copy a secedit.sdb from a non domain computer.
>
> http://www.jsifaq.com/subG/TIP3300/rh3361.htm

This does not work. The so-called missing computer account appears to
be causing communication problems. As far as communication goes, I can
only ping the box. I cannot see it from other computers' My Network
Places and using the UNC from the Explorer fails too. If I do a net
view \\db1 from command line, that fails with error code 5.

> I assume you can not logon with a local account because you get an error
> about not having the right to logon locally. If the problem is you don't
> know the local administrator password there are free utilities to reset such
> or you can rename the sam file in \winnt\system32\config from outside the
> operating system which will cause a new sam to be generated at reboot with
> only default users/groups and a blank password for the built in
> administrator account.

I indeed know the local administrator password. If my understanding is
correct, providing a bad password generates a different error.
Providing a good password generates the error the policy of this system
does not permit you to logon interactively.

> Assuming the problem is that local users lack logon locally user right
> [possibly it exists only for domain users?] you could try to use ntrights to
> grant "users" logon locally if you can connect to the computer over the
> network via the local built in administrator account.

Looking at other machines which I can access, the effective policy
setting for logon locally is Administrators, domain\Domain Users, and
domain\Domain Admins (I wish I could set that differently but company
policy dictates this setting and I have tried to get it changed for a
few years now). However, since I cannot connect to the problem
machine, ntrights isn't much of a help.

> You also could try using netdom to remove the computer from the domain and
> see if that allows you to logon locally.

I tried that already... is there a force option? Using netdom to
remove the computer from the domain implies the computer account is up
to begin with. If I cannot communicate with the problem box, then when
netdom tries to go out and touch AD, it fails.
Anonymous
July 6, 2005 4:06:14 PM

OK. That helps a lot. To answer your question, I don't know of, or have ever
heard of, a way to fix such via the registry. One thing to try is the tip
from JSI at the link below, but there is no guarantee that it will work and
it might be best to copy a secedit.sdb from a non-domain computer.

http://www.jsifaq.com/subG/TIP3300/rh3361.htm

I assume you cannot log on with a local account because you get an error
about not having the right to log on locally. If the problem is you don't
know the local administrator password, there are free utilities to reset such,
or you can rename the sam file in \winnt\system32\config from outside the
operating system, which will cause a new sam to be generated at reboot with
only default users/groups and a blank password for the built-in
administrator account.

http://www.petri.co.il/forgot_administrator_password.ht...

Assuming the problem is that local users lack logon locally user right
[possibly it exists only for domain users?] you could try to use ntrights to
grant "users" logon locally if you can connect to the computer over the
network via the local built in administrator account. See the links below
about ntrights and FYI much of the syntax for ntrights is case sensitive.
You also could try using netdom to remove the computer from the domain and
see if that allows you to logon locally. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;315276
http://www.petri.co.il/download_free_reskit_tools.htm --- download
ntrights here if you need it.

ntrights -m \\computer -u users +r SeInteractiveLogonRight [this command
may work using actual computer name while logged onto a network computer
with an account that has same logon/password as local administrator on
locked out computer]

Anonymous
July 7, 2005 7:12:41 AM

Hmm. Your situation does not sound good if you can only ping that box. That
removes the best options for recovery. As far as trying to replace
secedit.sdb [which may not work anyhow] you could try such by placing the
hard drive in another computer as a secondary drive or by booting from a
cdrom with something like Bart's PE.

http://www.nu2.nu/pebuilder/

From what I know there is no registry entry that can be modified to correct
your situation. Security options are stored in the registry but user rights
are not. --- Steve

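An added example, not code posted by anyone in this thread, illustrating the two points Steve makes above: the "log on locally" right (SeInteractiveLogonRight, the same name the ntrights command uses) is not a plain registry value you could delete; it is held in the LSA policy database, and the supported interface to it is a security template handled by secedit.exe. The script below parses the [Privilege Rights] section of a template of the kind `secedit /export /cfg rights.inf /areas USER_RIGHTS` writes (on Windows 2000 the export also wants a `/db` argument), reports who holds the interactive-logon right, and builds a minimal template that adds a principal while keeping the existing holders; applying a template with `secedit /configure /db grant.sdb /cfg grant.inf /areas USER_RIGHTS` replaces the holder list for each right it names, so dropping the merge would lock out everyone else. The sample template, the domain SID in it and the file names are constructed for this example; the well-known SIDs for BUILTIN\Administrators and BUILTIN\Users and the RIDs for Domain Users (513) and Domain Admins (512) are real. Like ntrights, secedit needs a running Windows session with administrator rights, and on a domain-joined box the domain's User Rights Assignment comes back at the next policy refresh, so a local grant is only a foothold to rejoin, as the later post in this thread also notes.

```python
"""Added example for this thread (not code posted by any participant).

Parse the [Privilege Rights] section of a secedit security template, check
who may log on interactively, and emit a template that adds a principal
without dropping the existing holders of the right.
"""
import re

# Well-known SIDs for BUILTIN\Administrators and BUILTIN\Users (real values).
ADMINISTRATORS = "S-1-5-32-544"
USERS = "S-1-5-32-545"

# Constructed sample of a `secedit /export /areas USER_RIGHTS` result.
# secedit writes UTF-16LE, so open real files with encoding="utf-16".
# The domain SID S-1-5-21-1111111111-2222222222-3333333333 is made up;
# RID 513 is Domain Users and RID 512 is Domain Admins, as in the thread.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-513,*S-1-5-21-1111111111-2222222222-3333333333-512
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeDenyInteractiveLogonRight = *S-1-5-7
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(text):
    """Return {right_name: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights


def _sid(principal):
    # Templates write SIDs as *S-1-...; account names carry no star.
    return principal.lstrip("*")


def holders(rights, right="SeInteractiveLogonRight"):
    """Principals (star stripped) that hold `right` in the parsed template."""
    return [_sid(p) for p in rights.get(right, [])]


def can_logon_interactively(rights, token_sids):
    """Mirror the logon check: a token SID must hold the allow right and no
    token SID may hold the matching deny right (deny wins)."""
    token = set(token_sids)
    allowed = set(holders(rights, "SeInteractiveLogonRight"))
    denied = set(holders(rights, "SeDenyInteractiveLogonRight"))
    return bool(token & allowed) and not (token & denied)


def grant_template(rights, principal_sid, right="SeInteractiveLogonRight"):
    """Template that re-lists the current holders of `right` plus `principal_sid`.

    secedit /configure replaces the whole holder list of every right the
    template names, so the existing holders must be carried over.
    """
    merged = holders(rights, right)
    if principal_sid not in merged:
        merged.append(principal_sid)
    entries = ["*" + p if p.upper().startswith("S-1-") else p for p in merged]
    return (
        "[Unicode]\nUnicode=yes\n"
        "[Version]\nsignature=\"$CHICAGO$\"\nRevision=1\n"
        "[Privilege Rights]\n"
        f"{right} = {','.join(entries)}\n"
    )


if __name__ == "__main__":
    rights = parse_privilege_rights(SAMPLE_EXPORT)
    # A local account whose only group is BUILTIN\Users, the case in the thread.
    local_user = ["S-1-5-21-4444444444-5555555555-6666666666-1001", USERS, "S-1-1-0"]
    print("interactive logon holders:", holders(rights))
    print("local user may log on:", can_logon_interactively(rights, local_user))
    print(grant_template(rights, USERS))
```

Write the returned template to a file with `encoding="utf-16"` before handing it to secedit; after applying, re-export and run the parser again to confirm the merged list rather than trusting the log.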
Anonymous
July 7, 2005 3:35:21 PM

Thanks for your time and help!
Anonymous
July 7, 2005 5:57:02 PM

"Adam Sandler" wrote:

> I indeed know the local administrator password. If my understanding is
> correct, providing a bad password generates a different error.
> Providing a good password generates the error the policy of this system
> does not permit you to logon interactively.

Hi Adam,

Have you tried logging onto this machine in safe mode? I suggest you try
that and then modify the local policy to add logon locally right to whatever
account you want.

Hope this solves your problem.

--
Umit AKKUS

This posting is provided "AS IS" with no warranties, and confers no rights.
Anonymous
July 8, 2005 2:23:36 PM

Safe mode will not offer a user a way to skirt around user rights.
Also, since I'm restoring from image and the domain security settings
got captured as a part of the image, the effective setting for the log
on locally right is in place and will override any changes to the local
setting anyway.

I was able to use BartPE to get access to the system and make changes
there.
