Logon Error Msg: local security policy won't permit interactive lo

Guest

I messed up while creating a user account for my kid and setting permissions
in W2K Professional (SP-2 was last update) ... After reading article ID
285793 on the subject, I think I know what I did wrong and how to fix it (I
accidentally set the "Deny logon locally" parameter). The resolution in the
article however, assumes you can get logged on ... I can't get past the logon
screen. I tried launching in safe mode and I tried using my W2K startup disc
w/CD support but neither way worked. Is there any way to bypass the
"applying local security policy" function when Windows launches so that I can
actually get logged on to fix my mistake?

Any help would be greatly appreciated.
Russ
 
Roger Abell

Do you have more than one machine?
If so, these are networked? And you did not also make
changes to the Deny policy for network login?
Evidently you set the Deny of local login for all Users?
 
Steven L Umbach

The link below shows two ways to do it but both require the help of another
computer on the network.

http://www.jsiinc.com/SUBG/TIP3300/rh3361.htm

If you don't have another computer to help you, the only alternatives I know
are to install a parallel operating system to try and replace the
secedit.sdb file from the parallel installation. Otherwise you will need to
do a fresh install of the operating system - an upgrade install will not
work if I remember correctly. What you could do is to reinstall the
operating system into the existing \winnt folder being sure NOT to format
anything. You would follow the prompts to install the operating system onto
the same drive and then the installation will warn you that an existing
installation exists and ask if you want to install to the existing \winnt
folder. When you select yes I believe you have to select L to proceed.

The advantage of this type of install is that your data and original
profiles will be preserved but all your applications [other than Internet
Explorer] will have to be reinstalled, probably to existing locations as in
"on top" of themselves. You would then have to install the latest service
pack and critical updates and find your old profile under documents and
settings folder to copy your data, emails, etc. That could be a lengthy task
if you do not have a high speed internet connection and you would have to be
sure that a firewall protects your computer before connecting it to the
internet. Also if you happen to have any EFS encrypted files they will be
lost forever if you do not have a backup of your EFS private key used to
encrypt the files in a .pfx file somewhere.

Otherwise try a parallel installation first though there is no guarantee
that replacing secedit.sdb on the locked out install will work. The upside
is that if it works, all your applications will still work and you will not
have to install service pack or critical updates and at the very least you
will have access to your data, though you will probably need to take
"ownership" of the profile folders first as an administrator. To do such you
will need to boot from the cdrom drive and install a new copy of the
operating system, preferably to another partition of your hard drive and do
NOT format a partition unless you are willing to lose all the data on it.
See the link below for more info. Good luck. --- Steve

http://support.microsoft.com/kb/266465
http://support.microsoft.com/default.aspx?scid=kb;en-us;308421 -- works the
same in W2K.
 
Roger Abell

Hi Steve,

Actually, with a parallel install, one can set a deny on the
%system32%\group policy folder (deny administrators) of
the other system, just like one does with access via a network
share mapping.
This prevents application during the admin login so that
they can then remove the deny and edit the policy to remove
the offending setting.

--
Roger

Steven L Umbach

Hi Roger.

Cool. I know that works for user configuration but was not sure about
computer configuration policy. Hopefully he gets it sorted out as it can be
a real pain when you don't have another computer on hand to help out. ---
Steve



Guest

Thanks (Roger and Steve), I'll give it a whirl. This gives new meaning to
"learning from one's mistakes."

Russ


Steven L Umbach

If it makes you feel any better I have been there a number of times
myself. --- Steve



Roger Abell

Yep, as long as it is just a _local_ policy issue.
(ps. System has NTFS access due to hidden membership
in the Administrators group)

--
Roger
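
A pre-apply check for the mistake discussed in this thread, as an added example that is not part of any poster's reply: it parses a security template in the INF format that `secedit /export /cfg` writes and flags a deny-logon right assigned to a group that also covers administrators. The template text and the `kid` account are constructed; `SeDenyInteractiveLogonRight` and `SeDenyNetworkLogonRight` are the internal names of "Deny logon locally" and "Deny access to this computer from the network".

```python
import re

# Principals that by default cover every account able to log on,
# administrators included. Denying one of them denies the admin too.
BROAD = {
    "S-1-1-0": "Everyone",
    "S-1-5-4": "INTERACTIVE",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",  # default members: INTERACTIVE, Authenticated Users
}
BROAD_NAMES = {name.lower(): sid for sid, name in BROAD.items()}

# Deny rights that close off a recovery path: console logon, or the
# fix-it-from-another-machine route that needs network logon.
DENY_RIGHTS = {
    "SeDenyInteractiveLogonRight": "local logon",
    "SeDenyNetworkLogonRight": "network logon",
}

def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "privilege rights" and "=" in line:
            key, _, value = line.partition("=")
            rights[key.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def normalise(principal):
    """Map '*S-1-5-32-545', 'Users' or 'BUILTIN\\Users' to a SID if it is a broad group."""
    p = principal.strip()
    if p.startswith("*"):          # exported SIDs carry a leading asterisk
        return p[1:].upper()
    short = p.rsplit("\\", 1)[-1].lower()
    return BROAD_NAMES.get(short, p)

def lockout_risks(inf_text):
    """Return [(blocked path, group name)] for deny rights given to broad groups."""
    findings = []
    for right, principals in parse_privilege_rights(inf_text).items():
        if right not in DENY_RIGHTS:
            continue
        for principal in principals:
            sid = normalise(principal)
            if sid in BROAD:
                findings.append((DENY_RIGHTS[right], BROAD[sid]))
    return findings

# Constructed template: the deny right lands on the Users group.
SAMPLE_BAD = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-32-545
SeDenyNetworkLogonRight = Guest
"""
# Constructed template: the deny right names only the one account.
SAMPLE_OK = SAMPLE_BAD.replace("SeDenyInteractiveLogonRight = *S-1-5-32-545",
                               "SeDenyInteractiveLogonRight = kid")

if __name__ == "__main__":
    print(lockout_risks(SAMPLE_BAD), lockout_risks(SAMPLE_OK))
```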