Urgent Policy question

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Fortunately this is in a lab setting but i still am in need of dire help.
I was changing policies and wasn't paying too close attention and i must
have changed the policy for logging in locally because no PC can log in to
the domain, and i can't get into the DC (even with the Admin account). How
can i get into the PC to change this policy setting. i am getting the message
"The local policy of this system does not allow you to logon interactively"
from any PC on the domain. The only way for other workstations or member
servers (2) to log in is locally.
Please help, i do not want to rebuild this DC! i have a lot of time and work
into this. i made a stupid mistake and am now paying for it.

Thanks,
 
What policies did you change? Normally when this happens you should still be
able to logon to a domain controller locally unless you changed both Domain
and Domain Controller Security Policy.

Anyhow see the link below on how to edit the GptTmpl.inf file in the sysvol
share to restore default user rights for Domain Controller Security Policy.
You could do such be either putting the hard drive of the domain controller
into another computer to access it, use a parallel installation of the
operating system, or best option would be to try and access the sysvol share
remotely. You could do such by logging onto a non domain computer to try
such either with a user account that has the same credentials as a domain
administrator or entering domain administrator credentials when you try to
access the sysvol share. This assumes that the user right for access this
computer from the network user right is still granted for the domain
administrator account. Always be very careful with deny user rights as they
override allow user rights and administrators are members of the users and
everyone groups. --- Steve

http://support.microsoft.com/kb/267553/
 
Yea, i accidently put it in the Deny logon on locally, not paying attention.
i put a group in there that basically has all my users in!! STUPID....

Thanks,
 
OK. Well the solutions I listed should work for you if you can not logon to
a domain controller directly. --- Steve
 
Back
Top