
Interactive Logon - Admin removed!


Stevehewitt | IS-IT--Management | Jun 7, 2001 | 2,075 | GB
Hi All,

I am the network admin in a development company, and one of our development SQL servers is having 'issues'. I mention this as it means devs have local admin rights on the server.

As the only domain admin, I tried to logon to the server, both locally and over RDP. I get the error:

"The local policy of this system does not allow you to logon locally"

Nobody seems to be able to logon at all. This includes the developers as well as various domain admin accounts.

How can I check and modify the local GPO on the server without having to logon to it? (I have tried an MMC remotely but it didn't show any of the security policies, just admin and software policies)

Thanks in advance!

Steve.

"They have the internet on computers now!" - Homer Simpson
 
What type of domain is this in?

Easiest way is to set a policy at an OU, drag the computer object into the OU (do this on the DC). Set the following (this will just get you into the box; most likely you will need to reset most user rights assignments...):


computer config\windows settings\security settings\local policies\user rights assignment

allow logon locally: administrators; domain admins; power users; users; backup operators; SYSTEM
allow logon through terminal services: same as above except SYSTEM does not need to be there...

ensure deny logon locally and deny logon through terminal services have only a SID looking account there, if anything (this is the remote desktop support group or something like that)...

hard boot the system...attempt login

-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+
Sr. Infrastructure Management Analyst
Distributed Systems Engineering
ACS, Inc.
 
Thanks Brandon,

Should have posted back sooner, but ended up cheating!

As it's a 2000 server (in a 2003 domain) I telnet'ed in, ran secedit /export and dumped the user rights assignments. Used user2sid and found out that the only user with logon rights was IUSR_SERVERNAME!!!
Gave local admin via MMC, reset password and logged on. Changed local GPO back to correct settings and sorted IUSR back to its secure shape - and voila!

One of those web developers is going to get their password changed to something bloody nasty tomorrow morning...! ;-)

Cheers,

Steve.
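The check Steve describes (export the local policy with secedit, then see who actually holds the logon rights) can be scripted so a locked-out box is diagnosed from the exported file rather than by eye. This is an added example, not code from the thread; the INF sample is constructed, and the well-known SID table and the `SeDeny*` right names are assumptions (domain SIDs such as IUSR_SERVERNAME's still need user2sid or an AD lookup).

```python
# Constructed sample of a `secedit /export /cfg` INF, trimmed to the
# [Privilege Rights] section; a real export also carries [System Access],
# [Event Audit] and [Registry Values]. Values are *SID lists.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1005
SeDenyInteractiveLogonRight = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Assumed lookup table of well-known SIDs (not from the thread); anything
# else, e.g. the domain-local IUSR_SERVERNAME account, needs user2sid/sid2user.
WELL_KNOWN = {
    "S-1-5-18": "SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-547": "BUILTIN\\Power Users",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
    "S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
}

def resolve(sid):
    """Map a SID to a friendly name where known, else return the raw SID."""
    return WELL_KNOWN.get(sid, sid)

def parse_privilege_rights(inf_text):
    """Return {right_name: [sid, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, value = (s.strip() for s in line.split("=", 1))
            rights[name] = [s.strip().lstrip("*") for s in value.split(",") if s.strip()]
    return rights

def logon_lockout_findings(rights, admin_sid="S-1-5-32-544"):
    """Flag the two ways Administrators lose local/RDP logon: missing from
    the allow right, or present in the matching deny right (deny wins)."""
    findings = []
    for allow, deny, label in (
        ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight", "local"),
        ("SeRemoteInteractiveLogonRight", "SeDenyRemoteInteractiveLogonRight", "RDP"),
    ):
        if admin_sid not in rights.get(allow, []):
            findings.append(f"{label}: {resolve(admin_sid)} missing from {allow}")
        if admin_sid in rights.get(deny, []):
            findings.append(f"{label}: {resolve(admin_sid)} listed in {deny} (deny wins)")
    return findings
```

Running `logon_lockout_findings(parse_privilege_rights(SAMPLE_EXPORT))` on the sample reports both local-logon problems and nothing for RDP.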
 
cool glad to hear it :)

-Brandon Wilson
 