Re: administrator locked out of SBS 2003


I have managed to identify the cause of this issue with the assistance of a
co-worker. The Domain Admins group was a member of the Remote Operators
group. The Remote Operators group by default is included in the "Deny log on
locally" local security policy settings.

Thanks for your help kj and input Joe. Much appreciated.


"kj [SBS MVP]" wrote:

OK, so I followed your links and the references and see where only the
enforcement was set. My suspicion is that the policy change 'tattooed' the
registry and so it remains in effect. You should be able to review the
following article, backup the registry (standard disclaimer applies) and
examine for residuals of your policy change.

http://technet.microsoft.com/en-us/library/bb457006.aspx

I'm not confident on how best to undo the changes that this had made to your
system as I'd have to lab it and test it. I think your best and most
expedient method is to get MS support involved to hang with you through
resolution on this one.

Cameraella wrote:
Here are the release notes
http://www.vmware.com/support/server2/doc/releasenotes_vmserver2.html
Third issue in the known issues list.

Which then led me to this following post:-

This worked perfectly for me - I was having issues installing the
latest VMWare 2.0 RC1 on Win 2K3 Enterprise, getting the policy error
and these steps solved the problem for me and I was able to install
just fine.

This worked for me:



Click Start -> Control Panel
Open Administrative Tools
Open Local Security Settings
Click Software Restriction Policies
If no software restrictions are defined, right click the Software
Restriction Policies node and select New Software Restriction Policy
Double click Enforcement
Select "All users except local administrators"
Click OK
Reboot the machine


Thanks again,


"Cameraella" wrote:

1. Administrative tools\Domain controller security settings > there
is no user settings there.
2. "applies to all users except administrators"
3. This is a known issue when installing VMware server 2.0, I was
guided by a link to the document on the VMware site.

"kj [SBS MVP]" wrote:

Did you do this for the user or the computer settings of the GPO?

What restrictions did you configure within the software restriction
policy?

Did you do this by direction of a VMWare document or guidance from
a blog?

Deleting a policy does not necessarily undo the settings that were
applied.

Cameraella wrote:
The domain controller security policy > software restriction
policy. I created a new policy and then in the properties of the
new policy selected "applies to all users except administrators"
That allowed the installation of VMware server to complete.

I have since deleted this policy.

"kj [SBS MVP]" wrote:

Cameraella wrote:
Created the new user and added to domain admins but didn't work.
The administrator is a member of the following groups:-
administrators
domain admins
domain users
enterprise admins
group policy creator owners
mobile users
schema admins

Other than lacking exchange administrator this is pretty much
normal.

So, clarify for me, exactly what policy setting did you change on
which Group Policy Object and then disable?




Thanks again KJ

"kj [SBS MVP]" wrote:

Two things to try. One create a new user, then add to the domain
admins group. Try to logon to the console using this account.

Second, see which groups the administrator is a member of and
post back here.


Cameraella wrote:
No I made sure of that when I did my checks... compared it to
another SBS box I administrate, all exactly the same after the
deletion of the software restriction policy.
I was going to have a search of the GPO's over the weekend and
hope I find something.
Even the VMware KB's as I've already discovered the server
V2.0 will not run with RRAS running, though it's not documented.

Much appreciated.
Cameraella

"kj [SBS MVP]" wrote:

Cameraella wrote:
Hi Dave,
There was no disable, so I deleted the policy. Performed the
gpupdate /force and tried unsuccessfully to logon at the
console. Same error "The local policy of this system does not
permit you to log on interactively"
I also checked the user access rights whilst there and permit
logon locally is allowed for administrators, and deny logon
locally does not include the administrators.

Thanks again.


Check if any deny includes any group that the user is a member
of. Deny overrides allow, even for administrators.


"Dave Nickason [SBS MVP]" wrote:

If you edited a GPO that's the cause of this, safe mode
won't help. What happens if you just log into the SBS
remotely and disable the new policy? Then open a cmd prompt
and do gpupdate /force - can you then log in locally to the
server?


"Cameraella" <Cameraella@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:D9D77FE6-0A8C-43ED-B1FE-0ED7C4B4003B@xxxxxxxxxxxxxxxx
Hi Joe,
I hadn't tried remote access prior to post, but it does
work thanks. I had safe mode in mind as a last resort but
the box is 60Klm's away.

Cheers

"Joe Smith" wrote:

Have you tried logging in remotely? What about safe mode?
Do you have any other admin accounts set up?
"Cameraella" <Cameraella@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message
news:3D876D3C-B79F-4F98-808D-7125486704F6@xxxxxxxxxxxxxxxx
I think I have managed to lock the administrator out of logging onto our
SBS 03 server.
Whilst installing VMware server 2, the installation kept failing reporting
"System Administrator has set policies to prevent this installation." ....I
was logged on as administrator. To resolve this problem I followed a
suggestion to access the local security policy and amend. As it was an
SBS 03 box, I had to create a new blank policy in the Domain controller
security policy, and then change the properties to enforce for all users
except administrators. This then allowed the VMware server installation to
complete.
I have restarted the server numerous times after this installation 2 days
ago. For some reason today when I try to log on to the server as
administrator at the console I now get "The local policy of this system does
not permit you to log on interactively."

Any suggestions would be greatly appreciated.

PS. I do have a system state backup from before the VMware server upgrade
and any issues were experienced.


Thanks in advance.
Cameron

--
/kj
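
The check kj describes, and the cause found at the top of the thread (a deny entry reached through a nested group), can be tested offline against exported data. This is an added example and not part of the original thread: the export text and membership map are constructed samples, and the function names are hypothetical.

```python
from collections import deque
# Constructed sample shaped like the rights section of a `secedit /export` file.
SECEDIT_EXPORT = """\
[Privilege Rights]
SeInteractiveLogonRight = Administrators,Backup Operators
SeDenyInteractiveLogonRight = Remote Operators
"""

# Direct memberships only; the Administrator entry mirrors the thread's list.
MEMBER_OF = {
    "administrator": ["administrators", "domain admins", "domain users",
                      "enterprise admins", "group policy creator owners",
                      "mobile users", "schema admins"],
    "domain admins": ["administrators", "remote operators"],
}

def parse_privilege_rights(text):
    """Return {right: set of lower-cased principals} from the export text."""
    rights, in_section = {}, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # Real exports may list SIDs prefixed with "*"; strip the marker.
            rights[name.strip()] = {p.strip().lstrip("*").lower()
                                    for p in value.split(",") if p.strip()}
    return rights

def membership_paths(principal, member_of):
    """Breadth-first walk: {principal or group: shortest membership chain}."""
    start = principal.lower()
    paths, queue = {start: [start]}, deque([start])
    while queue:
        current = queue.popleft()
        for group in member_of.get(current, []):
            if group not in paths:  # also guards against circular nesting
                paths[group] = paths[current] + [group]
                queue.append(group)
    return paths

def interactive_logon(principal, rights, member_of):
    """Return (allowed, chain); a deny match wins over any allow match."""
    paths = membership_paths(principal, member_of)
    for right, allowed in (("SeDenyInteractiveLogonRight", False),
                           ("SeInteractiveLogonRight", True)):
        hits = [paths[p] for p in paths if p in rights.get(right, ())]
        if hits:
            return allowed, min(hits, key=len)
    return False, None  # neither right matched: no interactive logon
```

The returned chain shows why checking only the account's direct groups against "Deny log on locally" misses the problem: the deny is reached through Domain Admins.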