Link to home
Start Free TrialLog in
Avatar of Mohammed Nasman
Mohammed NasmanFlag for Palestine, State of

asked on

Secutriy (Policy Problem)

Hello Experts

  I have denied localy login and from network for every one, I tried to login as domain user (I'm member of admin group of the domain) or as local administrator , it gives me a message
"The local policy of this system does not permit you to login interactively" and when I try to access to it from the network, it gives me "access denied".

  Our network is windows2000 based network, our network administrator permitted me to login locally and over network at : 1. Domain secutriy policy. 2. GPO of my organzitional unit, and that's also didn't work

  also he tried to connect group policy of my workstation, but the local security policay gave us message "Failed to open the group policy object on (my computer name) you may have not appropirate rights"

  then I reinstalled windows 2000 pro in my computer and i choosed repair option but after installtion, it gave me the same message above, that i couldn't login to my computer

  what I can do now?, I don't want to install a fresh copy of w2k, that's need alot of work and reisntalling many programs

  thanks for your help

 Mohammed Nasman
Avatar of Housenet
Housenet
Flag of Canada image

-This is a new installation of pro correct ?
-In the future, do not join a domain while installing 2000 pro.. Join a workgroup first & after you successfully login, then join the domain..
-What happend to you here, has happened to countless people.. When It happened to me, I reinstalled & chose workgroup..After verifying that logging in to the local station was not a problem, I joined the domain..
-To avoid this problem my company's policy is to always install this way.

-There was an article from M$ KB on the matter, it didnt help me at the time & I cant seem to locate it now..

mnasman, policy entries can be overriden or left alone. Now if the "deny local logon" policy setting is local to your machine but not overridden by any GP (that is, set to "not defined"), it will remain effective. But if the GP applied to your user overwrites this value (even with just nothing), it should deactivate the GP setting which causes your login to fail.
Avatar of RayFrye
RayFrye

Comment for AvonWyss, your words were not wasted at https://www.experts-exchange.com/jsp/qManageQuestion.jsp?qid=20129011 ; I understood your comments.  But my mother board doesn't support dual IDE controllers.

mnasman, sorry to make this comment here, but I wanted to explain and apologize to AvonWyss.
Avatar of Mohammed Nasman

ASKER

Housenet, I didn't join the domain when I reinstalled the w2k again.
the policy I made is local policy for my workstation, and we couldn't override it by GP or by any way from the server, aslo when i try to connect to my computer and access it from the server i couldn't do that, remeber that i'm in admins group of the domain

  the installation finished successfully.

 first time when i tried to reinstall w2k, i choosed the second opetion "repair" and i login in my computer as console, it asked me for local administrator password and i login to my computer in console mode, can i do any thing in this way?
-No I mean do a 'new install' of win2k..
-Call the new installation folder winnt2 or something..
mnasman, is it correct that you have no access whatsoever to your machine over the network, e.g. you even cannot open any shares?
Housenet, I did new install but i choosed the repair, i don't want to install a fresh copy, cuz it's need alot alot of working :(, and i will lose my things

 AvonWyss, I can't open any thing in my computer, evne when i click on my computer from the domain, it gave me access denied :(
mnasman, do you have a Emergency Disk of your system at hand? Using this disk, you could try to restore the security settings of your computer.

Another interesting thing would be to know whether you are alo locked out of the repair console. This would give you the opportunity to replace the policy file which (according to your description) causes the problem.
"and i will lose my things" So this was not a brand new install of 2000 pro ?....
AvonWyss, how can replace the policy from the console?, when i choosed it gave me the command prombet, and i don't have Emergency, but when i choose Emergency it found one in the hard disk, but it also not slove the problem

 Housenet, i reinstall win as repair, not a fresh copy in other directroy

  if i install w2k in other dircotry, can i access the policy for the old installed w2k?

 
guys

  is the local policy save the setting in file at the computer?, so if i delete the file will i login to my computer?

  thanks for all ur help
Group policy files are in \WINNT\system32\GroupPolicy
if i delete it what will happen?
Probably nothing, since . Restoring the SECURITY registry part from a rescue disk is more likely to give your the wanted results. And the domain policy is overriding the local policy anyways.

From MS KB Q221930:

"Group Policy is administered through the use of Group Policy Objects, data structures that are attached in a specific hierarchy to selected Active Directory Objects, such as Sites, Domains, or Organizational Units. These GPOs, once created, are applied in a standard order: LSDOU, which stands for (1) Local, (2)Site, (3)Domain, (4)OU, with the later policies being superior to the earlier applied policies.

When a computer is joined to a domain with the Active Directory and Group Policy implemented, a local Group Policy Object is processed. Note that LGPO policy is processed even when the Block Policy Inheritance option has been specified.

Local Group Policy Objects are processed first, and then domain policy. If a computer is participating in a domain and a conflict occurs between domain and local computer policy, domain policy prevails. However, if a computer is no longer participating in a domain, local Group Policy object is applied."
Hello AvonWyss

  you are right, but remeber, that i deny everyone to access from the network, and i'm member of domain admins, also if i remember well, i remove the domain admin from the administrator group on my computer
Hello again guys

  I think the problem will not solve, so I installed a new copy of win2k in different place, and i'm starting to reinstall my programs, but now, i was have a outlook 2000, with connectd to microsoft exchange, and i was store my messages in a personal folder, now how can i restore my messags, from outlook i tried to import them file>import and export, but it give me only one option "import from cc:mail", so how i can bring my messages to the new outlook inbox?

  thanks for any help
-Search for your .pst file....
-In outlook choose, import->Import from a another program or file->Next->Microsoft personal folder file.
Housenet I did that
but I said when I choose import, i see only one option "import from cc:mail"

I'm useing outlook 2000, how can i get the option "import from persoanl folder", I installed outlook with full options
ASKER CERTIFIED SOLUTION
Avatar of Housenet
Housenet
Flag of Canada image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Hello Housenet

  I did that and I got most of my emails, but i was have some folders, and I didn't restore them in this way, how can i restore the other folders that i creatd?

 
thanx Housenet

  I found them now :), thanks alot for your help guys
You're welcome...