Whew! Where to begin. The machine in question is the lone
DC in a single AD domain. I do have another server that I
work on that is being replicated to though (I think). All
the other machines can be logged into. I have tried
several other accounts on the DC and none of them will log
in. I first noticed the problem over the past weekend when
I tried to connect from home via term. serv's. The
same "interactive logging" message. I believe the GPO that
I screwed with was the one for the DC's as the one for the
domain is and has been disabled for some time. I have been
able to connect to the AD users & computers through my PC
(server #2) and the log on locally has all the users and
groups that I believe are necessary. The program that
precipitated this with the GPO was a mail/spam app that
wouldn't start its engine so I thought that the log on
parameters were the place to go. I have since uninstalled
the app, which BTW was never on the DC. So are you saying
that with the SeInteractiveLogonRight app, I just need to
change to the directory in which it resides on a
workstation and do a path as spelled out to the affected
server over the network?? OK, I just tried that and it
obviously went through its process and returned to the
prompt. I tried logging in to the server and still got the
same message. I may have also changed something inside
the control panel>administrative tools>local security
settings on the affected server and for sure on server #2
(where the P.O.S. application had been installed). I had
to change the default policy from the #2 server to the
domain from within the drop-down list box at the top of
the window. Would changes made on a server that is being
replicated to, replicate back to the DC?
I'm at my wits end on this. Any other suggestions would be
greatly appreciated.
Dave
-----Original Message-----
Dave
If you're saying you cannot logon to anything in the domain, that is
another story with a whole lot of different questions attached. You
state Server in the subject, but is this server a DC or Member server,
is it the only DC, what group policy was changed, what changes were
made to that policy, etc etc.....
You will have to say if this is the case and the questions will start
from there.

Else I am assuming that you're talking 1 server affected under a GPO
change and the SeInteractiveLogonRight has been removed from some group
such as Administrators or Everyone (quite common, that's why Joe did
the tool) and you have workstation access with network access or
another server to login to.

If this is the case then you just point the exe at the problem machine
and input the details.

(Hint: Try a local admin account on a machine if the domain account
cannot login, then run the cmd prompt using "run as" and input your
domain account details)

(Hint 2: is it a server in remote admin mode? Then try TS connection to
the server and login that way; if you normally TS on for access then
try the console.)

So say server 1 is the problem in domain 1 for admin1 and he gets the
error trying to logon: open a command prompt on a workstation on the
domain that has network access

SeInteractiveLogonRight domain1\admin1 server1

You can do the same with NTRights.exe as well from the resource kit
except this has access to other settings.

Help details from the Exe

SeInteractiveLogonRight V00.10.00cpp (e-mail address removed) September 2001

Usage: sEINTERACTIVELOGONRIGHT <[DOMAIN\] Account> [TargetMachine]

  Will set SeInteractiveLogonRight for account on targetmachine
  Will clear SeDenyInteractiveLogonRight for account on targetmachine
  Will remove Everyone well known group from SeDenyInteractiveLogonRight on targetmachine

Example: sEINTERACTIVELOGONRIGHT joehome\$jricha34 pro2

If this is not the case then post back with some specific details on
the situation, the lists are good but my crystal ball is on the blink
at the moment with a hardware error ;-)
hth
Steve
Code based off of MSDN Library code LSAPRIV
message
Thanks, but how do I "use" it? It's a little exe that
apparently must be run in a windows environment. If I
can't logon, how do I do that?
Dave
-----Original Message-----
Go here
http://www.joeware.net/win32/index.html
download the SeInteractiveLogonRight from the win32 c++ tools page,
have a read, then run it and you're good to go
rgds
Steve
message
Restart the computer into DS restore mode. Try to change local GPO, or
try to change it from another computer.
--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services
No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips
"Dave W" <[email protected]> wrote in message
Some changes were made to group policy several days ago and something
musta got screwed up because I cannot log back in now that I have
logged out. I get the following message after the failed login: "the
local policy of this system does not permit you to logon interactively"
Is there anything that I can do?
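
The three conditions named in the tool's help text quoted above (the account holds SeInteractiveLogonRight, the account is not in SeDenyInteractiveLogonRight, Everyone is not in SeDenyInteractiveLogonRight) can be checked offline against an exported security template. This is an added example, not part of the thread and not joeware's code; it assumes the INF text written by `secedit /export /cfg rights.inf /areas USER_RIGHTS`, and the sample template and function names are constructed for illustration.

```python
# Added example: audit interactive-logon rights in a security template export.
# Assumed input: decoded text of a secedit USER_RIGHTS export (file is usually UTF-16).

ALLOW = "SeInteractiveLogonRight"
DENY = "SeDenyInteractiveLogonRight"
EVERYONE = "S-1-1-0"             # well-known SID: Everyone
ADMINISTRATORS = "S-1-5-32-544"  # well-known SID: BUILTIN\Administrators

# Constructed sample: Administrators missing from allow, Everyone in deny.
SAMPLE = """\
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-551
SeDenyInteractiveLogonRight = *S-1-1-0,*S-1-5-32-546
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {right: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            members = {m.strip().lstrip("*").upper() for m in value.split(",") if m.strip()}
            rights[name.strip()] = members
    return rights

def audit_interactive_logon(inf_text, principals=(ADMINISTRATORS,)):
    """List findings that would block console logon for the given principals."""
    rights = parse_privilege_rights(inf_text)
    allow, deny = rights.get(ALLOW), rights.get(DENY, set())
    findings = []
    if allow is None:
        findings.append(f"{ALLOW} not defined in this template")
    for p in (x.upper() for x in principals):
        if allow is not None and p not in allow:
            findings.append(f"{p} missing from {ALLOW}")
        if p in deny:
            findings.append(f"{p} listed in {DENY}")
    if EVERYONE in deny:
        findings.append(f"Everyone ({EVERYONE}) listed in {DENY}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_interactive_logon(SAMPLE)))
```

Group membership is not expanded, so pass the SIDs of the account and of every group it belongs to in `principals`.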