locked out of server - help
  • locked out of server - help

    Ok, I had a domain controller at our office doing file/print for about 10 staff.

    This has now died and I have started fresh with a new domain.

    2 days before my original domain controller died I added a number of web servers to the domain which are hosted off site (VPN'd).

    The day my domain controller died a number of the laptops in the office couldn't log onto the domain and would get a "the local policy of this system does not allow you to logon interactively".

    I wasn't sure what was happening at the time so I just got staff to log on locally. Anyway, the DC died that night and I've rebuilt a new one.

    I know I was fiddling with GPO, as staff said they couldn't log on away from the office, so I was looking for something like "allow clients to connect for 8 days without DC present" or similar! But yeah, anything's possible and I could have set some sort of restriction.

    Anyway I didn't think much of it at the time as the AD database shat itself and couldn't be restored, so I started rebuilding...

    Now all the desktops/laptops are back on - file/print services are restored. Sweet... I thought... So I went to log on to my servers, to remove them from the old domain and add them to the new. I have 2 Windows 2000 web servers; I can log on to one using its local admin account, but the second one gives me a "the local policy of this system does not allow you to logon interactively".

    I tried to logon as the domain admin of the previous domain but then it says "the domain is not available".

    I found a tool: http://www.jsifaq.com/subo/tip7200/rh7259.htm
    "Joe wrote this application for a guy in UseNet who got locked out of a workstation after messing with local policy. It will set the SeInteractiveLogonRight and clear the SeDenyInteractiveLogonRight privileges for whatever ID is specified on whatever machine it is specified on and the Everyone well known group."

    But I run this tool and it says:
    GetAccountSid error!
    No mapping between account names and security IDs was done.

    So how do I get back in?? Any ideas? I can't log on locally - and I can't logon with the previous domain admin account.

  • #2
    Wow, sounds like you're really screwed. You probably added all local accounts to the GPO for the local security policy to "Deny Logon Locally" or removed all local accounts from "Logon Locally".

    From the error message it sounds like the local account you've attempted to alter is either not present or may be locked out.

    Try and unlock the account to see if it helps.

    Read this...

    http://www.petri.com/forgot_administrator_password.htm

    The Offline NT Password & Registry Editor can unlock local accounts.

    Good luck.
    Andrew

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Ok, I've got an EBCD disk - but I was thinking it would only reset the password - not change any of the permissions for the admin account or reset the 'deny logon locally' setting.

      The weird thing is, of the 2 servers I added to the domain, only one is locked out; I can log onto the other one fine using the local admin account. So I would have thought if it was GPO (which it has to be??) it would be for both.



      • #4
        Ok, on my new DC I'm not touching 'deny logon locally'.

        I will just set a good local password so they can't logon locally.

        Quick question though, the "number of previous logons to cache" setting:

        if my domain controller is unavailable, that specifies the amount of times you can logon before your account is suspended?

        Most staff are on lappies and are out of the office constantly, so they need to be able to 'logon to the domain' when the DC is unavailable.



        • #5
          Originally posted by hammo
          Ok, on my new DC I'm not touching 'deny logon locally'.

          I will just set a good local password so they can't logon locally.

          Quick question though, the "number of previous logons to cache" setting:

          if my domain controller is unavailable, that specifies the amount of times you can logon before your account is suspended?
          Yes, it's the number of times you can logon before the locally cached information expires. At which point you'd need the DC to logon.

          Originally posted by Windows 2000 Resource Kit Documentation
          Number of previous logons to cache (in case domain controller is not available)
          Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

          Description
          Determines the number of user logons to a Windows domain that are cached.

          Windows 2000 caches previous users' logon information locally so that they will be able to log on in the event that a domain controller is unavailable during subsequent logon attempts. If a domain controller is unavailable and a user's logon information is cached, the user will be prompted with a dialog that reads:

          A domain controller for your domain could not be contacted. You have been logged on using cached account information. Changes to your profile since you last logged on may not be available.

          If a domain controller is unavailable and a user's logon information is not cached, the user is prompted with this message:

          The system cannot log you on now because the domain <DOMAIN_NAME> is not available.

          In this policy setting, a value of 0 disables logon caching. Any value above 50 will only cache 50 logon attempts. For servers, this policy is defined by default in Local Computer Policy and the default value is 10 logons.
          Andrew
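As an added example (not code from this thread or from Petri), here is a PowerShell audit of the two settings the replies above turn on: the "Allow/Deny log on locally" user-rights assignments from #2 and the cached-logons count from #5. It assumes an elevated session on a current Windows host; `secedit.exe`, the privilege names and the `Winlogon\CachedLogonsCount` value are standard, while `Resolve-Principal` and `Get-Right` are helpers written here.

```powershell
# Added example, not from the thread: audit the user-rights assignments and
# cached-logons setting before touching local policy, so a console lockout
# is noticed before it happens. Assumes an elevated PowerShell session.

$cfg = Join-Path $env:TEMP 'user-rights.inf'
# secedit writes the effective user-rights assignments to an .inf file
secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null

# Lines look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

function Resolve-Principal([string]$entry) {
    # secedit prefixes SIDs with '*'; plain account names are returned as-is
    if (-not $entry.StartsWith('*')) { return $entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $entry }
}

function Get-Right([string]$name) {
    # Helper written for this example: principals holding one user right, resolved to names
    if ($rights.ContainsKey($name)) { @($rights[$name] | ForEach-Object { Resolve-Principal $_ }) } else { @() }
}

$allow  = Get-Right 'SeInteractiveLogonRight'
$deny   = Get-Right 'SeDenyInteractiveLogonRight'
$admins = Resolve-Principal '*S-1-5-32-544'   # BUILTIN\Administrators

"Allow log on locally : $($allow -join ', ')"
"Deny log on locally  : $($deny -join ', ')"

# The conditions behind the "does not allow you to logon interactively" error
if ($deny -contains $admins)         { Write-Warning "Administrators are in 'Deny log on locally' (deny wins over allow)." }
if ($allow.Count -eq 0)              { Write-Warning "'Allow log on locally' is empty - nobody can log on at the console." }
elseif ($allow -notcontains $admins) { Write-Warning "Administrators are missing from 'Allow log on locally'." }

# Cached domain logons: REG_SZ under Winlogon; absent means the default of 10, 0 disables caching
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $wl -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = 10 }
"CachedLogonsCount    : $cached"
if ([int]$cached -eq 0) { Write-Warning "Cached logons disabled - domain users cannot log on when no DC is reachable." }
```

Run it on a test machine first: the script only reads, but the warnings it prints are exactly the states that would have locked the poster out.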


          • #6
            Thanks Andrew!



            • #7
              Trick

              The trick is to log on with console mode, copy the %systemroot%\repair\security (or from another machine) into \system32\config\ and reboot the machine.
              Now you should be able to bypass the login restriction.
