Re: administrator locked out of SBS 2003

Cameraella wrote:
I have managed to identify the cause of this issue with the
assistance of a co-worker. The Domain Admins group was a member of
the Remote Operators group. The Remote Operators group by default is
included in the "Deny log on locally" local security policy settings.

Thanks for your help kj and input Joe. Much appreciated.

You're very welcome. Pleased we were able to help you get resolution.




"kj [SBS MVP]" wrote:

OK, so I followed your links and the references and see where only
the enforcement was set. My suspicion is that the policy change
'tattooed' the registry and so it remains in effect. You should be
able to review the following article, backup the registry (standard
disclaimer applies) and examine for residuals of your policy change.

http://technet.microsoft.com/en-us/library/bb457006.aspx

I'm not confident on how best to undo the changes that this had made
your system as I'd have to lab it and test it. I think your best and
most expedient method is to get MS support involved to hang with you
through resolution on this one.

Cameraella wrote:
Here are the release notes
http://www.vmware.com/support/server2/doc/releasenotes_vmserver2.html
Third issue in the know issues list.

Which then lead me to this following post:-

This worked perfectly for me - I was having issues installing the
latest VMWare 2.0 RC1 on Win 2K3 Enterprise, getting the policy
error and these steps solved the problem for me and I was able to
install just fine.

This worked for me:



Click Start -> Control Panel
Open Administrative Tools
Open Local Security Settings
Click Software Restriction Policies
If no software restrictions are defined, right click the Software
Restriction Policies node and select New Software Restriction Policy
Double click Enforcement
Select "All users except local administrators"
Click OK
Reboot the machine


Thanks again,


"Cameraella" wrote:

1. Administrative tools\Domain controller security settings > there
is no user settings there.
2. "applies to all users except administrators"
3. This is a known issue when installing VMware server 2.0, I was
guided by a link to the document on the VMware site.

"kj [SBS MVP]" wrote:

Did you do this for the user or the computer settings of the GPO?

What restrictions did you configur within the software restriciton
policy?

Did you do this by direction of a VMWare document or guidance from
a blog?

Deleting a policy does not necessarily undo the settings that were
applied.

Cameraella wrote:
The domain controller security policy > software restriction
policy. I created a new policy and then in the properties of the
new policy selected "applies to all users except administrators"
That allowed the installation of VMware server to complete.

I have since deleted this policy.

"kj [SBS MVP]" wrote:

Cameraella wrote:
Created the new user and added to domain admins but didn't
work. The administrator is a member of the following groups:-
administrators
domain admins
domain users
enterprise admins
group policy creator owners
mobile users
schema admins

Other than lacking exchange administrator this is pretty much
normal.

So, clarify for me, exactly what policy setting did you change
on which Group Policy Object and then disable?




Thanks again KJ

"kj [SBS MVP]" wrote:

Two things to try. One create a new user, then add to the
domain admins group. Try to logon to the console using this
account.

Second, see which groups the administrator is a member of and
post back here.


Cameraella wrote:
No I made sure of that when I did my checks... compared it to
another SBS box I administrate, all exactly the same after
the deletion of the software restriction policy.
I was going to have a search of the GPO's over the weekend
and hope I find something.
Even the VMware KB's as I've all ready discovered the server
V2.0 will not run with RRAS running, though its not
documented.

Much appreciated.
Cameraella

"kj [SBS MVP]" wrote:

Cameraella wrote:
Hi Dave,
There was no disable, so I deleted the policy. Performed
the gpupdate /force and tried unsuccessfully to logon at
the console. Same error "The local policy of this system
does not permit you to log on interactively"
I also checked the user access rights whilst there and
permit logon locally is allowed for administrators, and
deny logon locally does not include the administrators.

Thanks again.


Check if any deny inlcudes any group that the user is a
member of. Deny overrides allow, even for administrators.


"Dave Nickason [SBS MVP]" wrote:

If you edited a GPO that's the cause of this, safe mode
won't help. What happens if you just log into the SBS
remotely and disable the new policy? Then open a cmd
prompt and do gpupdate /force - can you then log in
locally to the server?


"Cameraella" <Cameraella@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message
news:D9D77FE6-0A8C-43ED-B1FE-0ED7C4B4003B@xxxxxxxxxxxxxxxx
HiJoe,
I hadn't tried remote access prior to post, but it does
work thanks. I had safe mode in mind as a last resort but
the box is 60Klm's away.

Cheers

"Joe Smith" wrote:

have you tried logging in remotely? what about safemode?
do you have any other admin accounts set up?
"Cameraella" <Cameraella@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message
news:3D876D3C-B79F-4F98-808D-7125486704F6@xxxxxxxxxxxxxxxx
I think I have managed to lock the administrator out of
logging onto our SBS
03 server.
Whilst installing VMware server 2, the installation
kept failing reporting
"System Administrator has set policies to prevent this
installation." ....I
was logged on as administrator. To resolve this
problem I followed a suggestion to access the local
security policy and amend. As it was an SBS
03
box, I had to create a new blank policy in the Domain
controller security
policy, and the change the properties to enforce for
all users except administrators. This then allowed the
VMware server installation to complete.
I have restarted the server numerous times after this
installation 2 days
ago. For some reason today when I try to log on to the
server as administrator at the console I now get "The
local policy of this system does
not permit you to log on interactively."

Any suggestions would be greatly appreciated.

PS. I do have a system state backup from before the
VMware server upgrade
and any issues were experienced.


Thanks in advance.
Cameron

--
/kj

--
/kj

--
/kj

--
/kj

--
/kj

--
/kj


.

Loading