Re: I shot my foot off almost and the Admin can't log into the server locally

From: Al Christoph (ac2_at_too.net)
Date: 03/29/04


Date: Mon, 29 Mar 2004 16:37:51 -0500

Eureka and thank you. That cured the problem and some further investigation
showed me exactly how I shot my foot off.

Sufficiently long ago that I had forgotten about it I adjusted the
privileges of Domain Power Users apparently to block logging on to the
server. That got me.

What made it bad was that I did not test Administrator at the time, and
today after many straight days of uninterrupted up time I had to boot the
server. But I was also screwing around on the client PC's in a way that
might have changed things for me on the server.

Hence my anguish.

What will be interesting to see now is what the consequences are of wiping
out all the other groups the Admin was in. Quite a few of them.

The moral of this story is twofold:
1) Keep a backup administrator id around.
2) Test your changes.

All I need now is a crash course in using the Group Policy tools to have
tracked this down myself. Is it possible with the modeling and results tool?

Thanks again Matt,

And regards,
Al
"Matt Trudewind[MSFT]" <a-mattt@online.microsoft.com> wrote in message
news:1azRt7cFEHA.1996@cpmsftngxa06.phx.gbl...
>
> --------------------
> >
> >Looks like you're not trying to logon locally at the
> >console, you're logging on locally through an Internet
> >Service/Application of some kind?
> >
> >127.0.0.1 may not be a member of the "Trusted"
> >or "Intranet" zones.
> >
> >If that does not fit your situation, then pls repost
> >exactly how you are trying to "logon locally," through
> >what interface/application.
> >
> >Tony Su
> >
> >
> >
> >
> >>-----Original Message-----
> >>Prior to today, the Administrator account has been able
> >to log in locally to the SBS 2003 server. (Let's not
> >debate the merits of that.) I was screwing around on
> >client pc's adding them to the server, etc, and now when I
> >attempt to log into the server I get the infamous you are
> >not allowed to log on locally message. Here are the
> >details from the event log:
> >>Logon Failure:
> >> Reason: The user has not been granted the requested
> >> logon type at this machine
> >> User Name: Administrator
> >> Domain: 3BEARS
> >> Logon Type: 2
> >> Logon Process: User32
> >> Authentication Package: Negotiate
> >> Workstation Name: AC2M2
> >> Caller User Name: AC2M2$
> >> Caller Domain: 3BEARS
> >> Caller Logon ID: (0x0,0x3E7)
> >> Caller Process ID: 432
> >> Transited Services: -
> >> Source Network Address: 127.0.0.1
> >> Source Port: 0
> >>
> >>Two things are good
> >>1. The Administrator account can still log on to the
> >server from another PC on the network.
> >>2. I have a back up administrator and that works fine.
> >>
> >>I've tried many of the suggestions here and nothing seems
> >to help.
> >>
> >>The only interesting thing that I saw was
> >that "administrator" was missing from account on the
> >Administrator's Property Page Account tab. Restoring that
> >did not help.
> >>
> >>I've been all through both the local policies and group
> >policies and have not spotted anything.
> >>
> >>Any more suggestions would be appreciated. I'll
> >cheerfully report back on what I find.
> >>
> >>Regards,
> >>Al
> >>.
> >>
> >
>
> Login with your other Admin account and check group membership of the
> Administrator account.
>
> By default the Administrator should be a member of these groups:
>
> Administrators, Domain Admins, Domain Users, Enterprise Admins, Group
> Policy Creators, Internet Users, Mobile Users, and Schema Admins.
>
> If the Administrator is a member of any additional group then go ahead and
> remove him from those.
>
>
>
> Matt Trudewind
> Microsoft Product Support Specialist
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
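
An added example, not part of the original posts: one way to track down which group membership blocks a "Logon Type: 2" logon is to compare the account's SIDs with the allow and deny logon rights in a `secedit` user-rights export. The export text, the domain SIDs and the function names below are constructed for illustration.

```python
import configparser

# Event-log logon type -> (allow right, deny right) under [Privilege Rights]
LOGON_RIGHTS = {
    2: ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),  # console
    3: ("SeNetworkLogonRight", "SeDenyNetworkLogonRight"),          # network
}

# Constructed sample in the layout written by `secedit /export /cfg rights.inf
# /areas USER_RIGHTS` (a real export is UTF-16). Domain SIDs are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeDenyInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1110
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed: SIDs carried by the account (itself plus its groups) -> names
ADMIN_TOKEN = {
    "S-1-5-21-1111-2222-3333-500": "Administrator",
    "S-1-5-32-544": "Administrators",
    "S-1-5-21-1111-2222-3333-512": "Domain Admins",
    "S-1-5-21-1111-2222-3333-1110": "Domain Power Users",
}

def parse_rights(inf_text):
    """Return {right name: set of SIDs} from a secedit USER_RIGHTS export."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of the right names
    cp.read_string(inf_text)
    return {right: {s.strip().lstrip("*") for s in value.split(",") if s.strip()}
            for right, value in cp["Privilege Rights"].items()}

def explain_logon(rights, token, logon_type):
    """Say whether the token gets the logon type, and through which members."""
    allow_right, deny_right = LOGON_RIGHTS[logon_type]
    held = set(token)
    allowed = sorted(token[s] for s in rights.get(allow_right, set()) & held)
    denied = sorted(token[s] for s in rights.get(deny_right, set()) & held)
    # A deny right overrides any allow right the same token also holds
    return {"granted": bool(allowed) and not denied,
            "allowed_via": allowed, "denied_via": denied}

if __name__ == "__main__":
    print(explain_logon(parse_rights(SAMPLE_INF), ADMIN_TOKEN, 2))
```

With the constructed data, the console logon is refused through the extra group while the network logon still succeeds, which matches the symptoms in the thread.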
