logon fails, interactive logon

[Justice]

I have put the administrator group into the domain
controller security option 'deny local logon'.

Now I cannot logon on my windows 2000 domain controller
and after a restore the same problem exist.

What should I do to diable this rights from the doain
controller scurity option or how i can access the computer
with another user as administrator.

greets, justice

 

[Miha Pihler]

Hi Justice,

run following command on your TS Server...

NET ACCOUNTS /FORCELOGOFF:5

(where 5 defines 5 minutes after logon hours expire) ...

http://www.microsoft.com/technet/tr...rodtechnol/winxppro/proddocs/net_accounts.asp

 

[Miha Pihler]

Sorry, wrong reply

Mike

Hi Justice,

run following command on your TS Server...

NET ACCOUNTS /FORCELOGOFF:5

(where 5 defines 5 minutes after logon hours expire) ...

http://www.microsoft.com/technet/tr...rodtechnol/winxppro/proddocs/net_accounts.asp

 

[Justice]

I have disable the logon for network logon for this
server. With an other client I cannot access my server!

 

[Justice]

After a backup I receive the error message that the
directory service cannot be started. Now i loose the
connection to the server...

What now!

 

[Steven L Umbach]

Well, then you can try to manually edit the GptTmpl.inf file of the
domain controller offline as described in the KB article link. --- Steve

http://support.microsoft.com/?kbid=267553

 

[Steven L Umbach]

Backup what? Where is the message displayed? What exactly did the
message say? Do you have a recent backup of the System State? --- Steve

 

[Steven L Umbach]

OK. You got a parallel installation going, I would suggest trying to
edit the GptTmpl.inf file on drive "c" as I suggested in a previous post
from the W2K installation that you can boot into on drive "d". It is not
hard to do, and you only need to change two or three settings. -- Steve

 

[Justice]

I test it! I call you back, if i have a result for you and
all others....

Thanks for all!!!

 

[Steven L Umbach]

Ouch. I would say to double check that you changed the correct file
and then there is the part about incrementing a number in another file. Make
sure that the entries have been deleted in the deny local logon and there
also are entries in the allow local logon. You did say that you made the
initial changes in domain controller policy and not Local Security Policy I
believe. I have never had the pleasure of doing it myself. I guess you at
least have the option to restore System State to different installation,
such as the one on drive "d" id all else fails. -- Steve

 

[Steven L Umbach]

You also might want to try to copy the correct GptTmpl.inf file from
your fresh install to your disabled install on drive "c" after renaming that
file on drive "c" first. -- Steve

 

[Justice]

I check my changes in the files...
I mmade the changes in local security policy AND domain
controller policy. And after a restore of the system
status over the old installation I think, that somewhere a
problem with one of the points exist. Don't ask me why!
Fact is, that I don't come in my server...

 

[Justice]

The Problem is, that after restart the server I receive
the error-message:

lsass.exe systemerror
the safety account management could not be initialized,
since the following error arose. The directory service
could not be started. Error status: 0x00002e1. Click
OK.... Start directory service restore after restart..

But in this modus (you know) i don't have the rights to
logon interactive.

I can't believe, that all these things hang all on these
safety guidelines.

exist any possibility how I can logon to this server *R*
or doain controller?!

Thank you in any case already times for all your
assistance.

Your Justice

 

[Steven L Umbach]

I have never had to do that on a domain controller. That is a tough
cookie to crack when you do not have access locally or over the network to
the running operating system. You may want to post in the Active _directory
newsgroup to see if anyone over there would have some suggestions. --
Steve