Question about Log on Locally Policy.

Adam Sandler

Is the log on locally policy stored anywhere in the registry? So that
if I were to delete that value, it would be the same as not enabling
log on locally in the first place?

Thanks!
 
Steven L Umbach

It is stored as part of security policy applied to that computer. What
exactly is your goal?? --- Steve
 
Adam Sandler

> What exactly is your goal??

I have honest intentions.

I'm trying to log on to a box restored from image. It keeps giving me
the error cannot log on to domain because computer account is missing.
I cannot log on locally either. I know I'm authenticating because if
the password was wrong, I'd get a different error. Attempts to solve
this problem via nltest or netdom have failed as well. If I know where
the setting for log on locally is at in the registry, I could use
something like chntpw from Knoppix to edit the policy, gain access to
the desktop, and then rejoin the domain.
 
Steven L Umbach

OK. That helps a lot. To answer your question I don't know or have ever
heard of a way to fix such via the registry. One thing to try is the tip
from JSI at the link below but there is no guarantee that it will work and
it might be best to copy a secedit.sdb from a non domain computer.

http://www.jsifaq.com/subG/TIP3300/rh3361.htm

I assume you can not logon with a local account because you get an error
about not having the right to logon locally. If the problem is you don't
know the local administrator password there are free utilities to reset such
or you can rename the sam file in \winnt\system32\config from outside the
operating system which will cause a new sam to be generated at reboot with
only default users/groups and a blank password for the built in
administrator account.

http://www.petri.co.il/forgot_administrator_password.htm

Assuming the problem is that local users lack logon locally user right
[possibly it exists only for domain users?] you could try to use ntrights to
grant "users" logon locally if you can connect to the computer over the
network via the local built in administrator account. See the links below
about ntrights and FYI much of the syntax for ntrights is case sensitive.
You also could try using netdom to remove the computer from the domain and
see if that allows you to logon locally. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;315276
http://www.petri.co.il/download_free_reskit_tools.htm --- download
ntrights here if you need it.

ntrights -m \\computer -u users +r SeInteractiveLogonRight [this command
may work using actual computer name while logged onto a network computer
with an account that has same logon/password as local administrator on
locked out computer]
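As Steve notes, user rights such as SeInteractiveLogonRight live in the applied security policy rather than in a plain registry value; the one place you can read them as text is a `secedit /export /cfg` INF dump. The following is an added example (not from any poster in this thread) that parses the `[Privilege Rights]` section of such an export and evaluates whether a token holding a given set of group SIDs would be granted a right, with the matching SeDeny* entry overriding the grant as Windows does. The domain SID `S-1-5-21-1111-2222-3333` and the INF text are constructed placeholders; a real export is UTF-16 LE and would be read from disk.

```python
"""Parse a 'secedit /export /cfg' INF and check a user right.

Added example for this thread, not any poster's code. Assumes the INF
was already decoded into a str (the real file is UTF-16 LE) and that the
caller supplies the token's group SIDs (e.g. from 'whoami /groups').
"""

# Constructed sample mirroring the thread: Administrators (S-1-5-32-544),
# Domain Users (-513) and Domain Admins (-512) hold the right; the local
# Users group (S-1-5-32-545) does not. Domain SID is a placeholder.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-513,*S-1-5-21-1111-2222-3333-512
SeDenyInteractiveLogonRight = *S-1-5-7
SeNetworkLogonRight = *S-1-1-0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Return {right_name: [principal, ...]} from [Privilege Rights].

    Entries prefixed with '*' are SIDs; the prefix is stripped. Entries
    without it are account names and are kept as written.
    """
    rights = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        principals = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
        rights[name.strip()] = principals
    return rights


def has_right(rights, right, token_sids):
    """True if any token SID is granted the right and none is denied it."""
    deny = "SeDeny" + right[2:]  # SeInteractiveLogonRight -> SeDenyInteractiveLogonRight
    sids = set(token_sids)
    if sids & set(rights.get(deny, [])):
        return False  # an explicit deny always wins
    return bool(sids & set(rights.get(right, [])))
```

Running the same parser over the export from a working machine and the problem machine shows directly whether the local Administrators SID is missing from the grant list or caught by a deny entry.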
 
Adam Sandler

Steve, thanks for your reply... I have quite a few inline comments
below. I do appreciate the time you spent putting such a comprehensive
reply together.

> To answer your question I don't know or have ever
> heard of a way to fix such via the registry.

I understand... I'm not really looking for a fix to the problem. I
would just like to know if the group policy is stored in the registry
and if it is what is the location. I'm confident I can carry on from
there... and I'm not trying to be a cowboy administrator here; there is
a method to my madness as you will discover after reading some of my
comments.

> One thing to try is the tip
> from JSI at the link below but there is no guarantee that it will work and
> it might be best to copy a secedit.sdb from a non domain computer.
>
> http://www.jsifaq.com/subG/TIP3300/rh3361.htm

This does not work. The so-called missing computer account appears to
be causing communication problems. As far as communication goes, I can
only ping the box. I cannot see it from other computers' My Network
Places and using the UNC from the Explorer fails too. If I do a net
view \\db1 from command line, that fails with error code 5.

> I assume you can not logon with a local account because you get an error
> about not having the right to logon locally. If the problem is you don't
> know the local administrator password there are free utilities to reset such
> or you can rename the sam file in \winnt\system32\config from outside the
> operating system which will cause a new sam to be generated at reboot with
> only default users/groups and a blank password for the built in
> administrator account.

I indeed know the local administrator password. If my understanding is
correct, providing a bad password generates a different error.
Providing a good password generates the error the policy of this system
does not permit you to logon interactively.

> Assuming the problem is that local users lack logon locally user right
> [possibly it exists only for domain users?] you could try to use ntrights to
> grant "users" logon locally if you can connect to the computer over the
> network via the local built in administrator account.

Looking at other machines which I can access, the effective policy
setting for logon locally is Administrators, domain\Domain Users, and
domain\Domain Admins (I wish I could set that differently but company
policy dictates this setting and I have tried to get it changed for a
few years now). However, since I cannot connect to the problem
machine, ntrights isn't much of a help.

> You also could try using netdom to remove the computer from the domain and
> see if that allows you to logon locally.

I tried that already... is there a force option? Using netdom to
remove the computer from the domain implies the computer account is up
to begin with. If I cannot communicate with the problem box, then when
netdom tries to go out and touch AD, it fails.
 
Steven L Umbach

Hmm. Your situation does not sound good if you can only ping that box. That
removes the best options for recovery. As far as trying to replace
secedit.sdb [which may not work anyhow] you could try such by placing the
hard drive in another computer as a secondary drive or by booting from a
cdrom with something like Bart's PE.

http://www.nu2.nu/pebuilder/

From what I know there is no registry entry that can be modified to correct
your situation. Security options are stored in the registry but user rights
are not. --- Steve
 
Guest

Adam Sandler said:
> I indeed know the local administrator password. If my understanding is
> correct, providing a bad password generates a different error.
> Providing a good password generates the error the policy of this system
> does not permit you to logon interactively.

Hi Adam,

Have you tried logging onto this machine in safe mode? I suggest you try
that and then modify the local policy to add logon locally right to whatever
account you want.

Hope this solves your problem.
 
Adam Sandler

Safe mode will not offer a user a way to skirt around user rights.
Also, since I'm restoring from image and the domain security settings
got captured as a part of the image, the effective setting for the log
on locally right is in place and will override any changes to the local
setting anyway.

I was able to use BartPE to get access to the system and make changes
there.
 