Re: administrator locked out of SBS 2003

---

• From: "kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx>
• Date: Thu, 2 Apr 2009 23:11:20 -0700

---

Two things to try. One create a new user, then add to the domain admins
group. Try to logon to the console using this account.

Second, see which groups the administrator is a member of and post back
here.


Cameraella wrote:

No I made sure of that when I did my checks... compared it to another
SBS box I administrate, all exactly the same after the deletion of
the software restriction policy.
I was going to have a search of the GPO's over the weekend and hope I
find something.
Even the VMware KB's as I've all ready discovered the server V2.0
will not run with RRAS running, though its not documented.

Much appreciated.
Cameraella

"kj [SBS MVP]" wrote:

Cameraella wrote:

Hi Dave,
There was no disable, so I deleted the policy. Performed the
gpupdate /force and tried unsuccessfully to logon at the console.
Same error "The local policy of this system does not permit you to
log on interactively"
I also checked the user access rights whilst there and permit logon
locally is allowed for administrators, and deny logon locally does
not include the administrators.

Thanks again.

Check if any deny inlcudes any group that the user is a member of.
Deny overrides allow, even for administrators.

"Dave Nickason [SBS MVP]" wrote:

If you edited a GPO that's the cause of this, safe mode won't help.
What happens if you just log into the SBS remotely and disable the
new policy? Then open a cmd prompt and do gpupdate /force - can you
then log in locally to the server?


"Cameraella" <Cameraella@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:D9D77FE6-0A8C-43ED-B1FE-0ED7C4B4003B@xxxxxxxxxxxxxxxx

HiJoe,
I hadn't tried remote access prior to post, but it does work
thanks. I had safe mode in mind as a last resort but the box is
60Klm's away.

Cheers

"Joe Smith" wrote:

have you tried logging in remotely? what about safemode?
do you have any other admin accounts set up?
"Cameraella" <Cameraella@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:3D876D3C-B79F-4F98-808D-7125486704F6@xxxxxxxxxxxxxxxx

I think I have managed to lock the administrator out of logging
onto our SBS
03 server.
Whilst installing VMware server 2, the installation kept failing
reporting
"System Administrator has set policies to prevent this
installation." ....I
was logged on as administrator. To resolve this problem I
followed a suggestion to access the local security policy and
amend. As it was an SBS
03
box, I had to create a new blank policy in the Domain controller
security
policy, and the change the properties to enforce for all users
except administrators. This then allowed the VMware server
installation to complete.
I have restarted the server numerous times after this
installation 2 days
ago. For some reason today when I try to log on to the server as
administrator at the console I now get "The local policy of this
system does
not permit you to log on interactively."

Any suggestions would be greatly appreciated.

PS. I do have a system state backup from before the VMware
server upgrade
and any issues were experienced.


Thanks in advance.
Cameron

--
/kj

--
/kj


.

---

• Follow-Ups:
  • Re: administrator locked out of SBS 2003
    • From: Jim Behning SBS MVP

• References:
  • administrator locked out of SBS 2003
    • From: Cameraella
  • Re: administrator locked out of SBS 2003
    • From: Joe Smith
  • Re: administrator locked out of SBS 2003
    • From: Cameraella
  • Re: administrator locked out of SBS 2003
    • From: Dave Nickason [SBS MVP]
  • Re: administrator locked out of SBS 2003
    • From: Cameraella
  • Re: administrator locked out of SBS 2003
    • From: kj [SBS MVP]
  • Re: administrator locked out of SBS 2003
    • From: Cameraella

• Prev by Date: Change default remote desktop server.
• Next by Date: Re: Change default remote desktop server.
• Previous by thread: Re: administrator locked out of SBS 2003
• Next by thread: Re: administrator locked out of SBS 2003
• Index(es):
  • Date
  • Thread

---

Relevant Pages RE: Cant set Local Security policies. They fail to save ... predefined Security Template on SBS 2003 to restore security groups ... run "gpupdate.exe /force" under command prompt to force the policy ... reboot the Server to test. ... and then logon to client computer to test if user can save system logs. ... (microsoft.public.windows.server.sbs) Re: Please help refresh my memory on AD DC ... When I boot my Laptop I reach the Logon screeen for XP Laptop and here I am ... administrator account. ... account to be able to Login so I can control it from the DC. ... A Server has websites already hosted on it in a Workgroup and now I join it ... (microsoft.public.windows.server.active_directory) Re: Please help refresh my memory on AD DC ... "WEB308\administrator" does not longer exist, because DC's have no local administrator. ... The computer is now member of the domain, if you mean this and still has the local user account. ... "in order to add the server or pc I would have to have a user on the domain to logon to the domain. ... To Logon locally I would use the admin account of the Server 2003 machine. ... (microsoft.public.windows.server.active_directory) RE: Lost TS to SBS2003 Server ... I found my issue - the Default Domain Controller Group Policy did not have ... Paul Bockmann ... To log on to this remote computer, you must have Terminal Server User ... However when you logon locally, the error "The local policy of this system ... (microsoft.public.windows.server.sbs) Re: Please help refresh my memory on AD DC ... they just get the result of that what the domain administrator ... They however cannot logon directly to the physical DC machine. ... administrator account. ... A Server has websites already hosted on it in a Workgroup and now I ... (microsoft.public.windows.server.active_directory)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(15)