Roger
Sat Jan 01 09:09:09 CST 2005
Great. Sorry I routed you down a long path.
--
Roger
"stefanT" <stefanT@discussions.microsoft.com> wrote in message
news:0ACA8CB7-2E58-4E9F-893E-7083BB708FFC@microsoft.com...
> It worked :^).
>
> I initially tried "ntrights -m \\mycomputer +r SeInteractiveLogonRight -u
> users" but this failed and then I remembered that Deny overrides Allow.
>
> "ntrights -m \\mycomputer -r SeDenyInteractiveLogonRight -u users" did the
> trick.
>
> Thank you very much for your help and your patience gentlemen. Have a happy
> new year.
>
> StefanT
>
> "Steven L Umbach" wrote:
>
> > Ntrights is available at the link below. Of course anyone attempting to
> > use it needs to know that the user right used in the command is case
> > sensitive. The problem could be a lack of the logon locally user right or
> > that a group the user is in [everyone, users] has in the deny logon
> > locally user right. --- Steve
> >
> > http://www.petri.co.il/download_free_reskit_tools.htm
> >
> > [ ntrights -m \\mycomputer +r SeInteractiveLogonRight -u users ] for
> > instance to grant users logon locally user right over the network to
> > computer named my computer. Of course you would need to be logged onto
> > source computer with an account that is an administrator on target locked
> > out computer and have the user right for access this computer from the
> > network on the locked out computer.
> >
> >
> > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > news:u1IfmMy7EHA.2568@TK2MSFTNGP10.phx.gbl...
> > > Well, that is rather a surprise Stefan and it does seem to indicate
> > > that there may be something else operative here. I must add that
> > > your comment of W2k with no service packs installed does not
> > > sound encouraging as such a machine usually will become heavily
> > > compromised in a very short time if connected to the open network.
> > > Since the tweak of GroupPolicy is not effective you should just set
> > > it back to what it was.
> > > You could try seeing whether remote use of NTrights.exe helps
> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;279664
> > > You should try this logged into the machine where the tool runs
> > > using an account that matches in name and password an admin
> > > account on the machine that has the problem.
> > > You should be able to but apparently cannot get NTrights by following
> > > the Tools linkpath from
> > > http://www.microsoft.com/windows2000/techinfo/reskit/default.asp
> > > and I also do not find a link searching microsoft.com/downloads
> > > so you may have to do some hunting to find this, as I do not find
> > > the W2k version available. However, you might find the W2k3
> > > version of use - no guarantees here of course, and you have not
> > > mentioned if the other machine available is W2k, XP, or . . .
> > > http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en
> > > but these tools are for use on XP or W2k3 - I have not tried these
> > > versions in W2k.
> > > --
> > > Roger Abell
> > > Microsoft MVP (Windows Security)
> > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > "stefanT" <stefanT@discussions.microsoft.com> wrote in message
> > > news:999754A3-AAA5-4BDA-8D75-FC15F1FA6A12@microsoft.com...
> > >> 99.9% sure. However, to be certain, via the network C drive share I
> > >> removed 'Everyone', added 'AuthenticatedUsers' and set the permissions to:
> > >> Administrators : deny full
> > >> System : deny full
> > >> AuthenticatedUsers : deny full
> > >> The sub-directories and contents were also explicitly set to deny full
> > >> for all three.
> > >> The deny full for A-Users worked because I could no longer access the
> > >> GroupPolicy directory so I guess the same applies to Admins.
> > >> Despite this, I could still not login locally.
> > >>
> > >> If, from what you say, this fix should work, there must be something
> > >> anomalous with the system. Just to recapitulate, it's running W2k-Pro -
> > >> no SPs and was setup as a Workgroup PC. The only change I made was to
> > >> deny local login to group Users. I attempted to do a repair re-install
> > >> at which point I changed it to a Domain PC to try and login to the
> > >> domain, but the re-install did not complete and I had to reboot. The
> > >> machine came back up OK with only the local login prompt.
> > >>
> > >> The login authentication seems to be OK since an incorrect user or
> > >> password produces a normal logon failure message.
> > >>
> > >> The only thing I have observed whenever I tried to login was that the
> > >> sam & sam.log files in sys32/config are updated.
> > >>
> > >> If this fix cannot be made to work, would there be another way to
> > >> approach it if I did a parallel installation - say by copying the
> > >> relevant files from that installation? I rather get the feeling that
> > >> this problem is going to take some experimenting in order to locate the
> > >> cause. My problem is, I know virtually nothing about the inner workings
> > >> in order to do this. At the end of the day, I can always do a full
> > >> re-install, tho' I'd rather avoid this if I can. What I don't want to do
> > >> is waste your time on what could be a fruitless chase - so if you want
> > >> to sign off on this then go ahead - I'll understand. I spent several
> > >> years providing international support at the end of a telephone so I
> > >> know what a bummer this kind of thing can be.
> > >>
> > >> StefanT
> > >>
> > >> "Roger Abell" wrote:
> > >>
> > >> > Windows 2000 and earlier did not set NTFS permissions on
> > >> > directories that were from upgrade installs, or converted to
> > >> > NTFS from FAT.
> > >> > The registry part of what you were saying is behind the scenes.
> > >> > What is important is that the system32\GroupPolicy folder is
> > >> > not readable by the account logging in so that policy will not
> > >> > be applied to it. I have never had someone not have this work
> > >> > for them when in your situation, at least as I hear your
> > >> > description of the situation. 100% success until now. So, are you
> > >> > sure that
> > >> > the Deny of full control for administrators was saved, and perhaps
> > >> > check that it propagated onto the contents of the folder.
> > >> > The "normal" permissions for the folder in Windows 2000 (server)
> > >> > are grants of Administrators Full ; SYSTEM Full; and Authenticated
> > >> > Users Read&Execute (and so List+Read)
> > >> >
> > >> > --
> > >> > Roger Abell
> > >> > Microsoft MVP (Windows Security)
> > >> > MCSE (W2k3,W2k,Nt4) MCDBA
> > >> > "stefanT" <stefanT@discussions.microsoft.com> wrote in message
> > >> > news:C9ADAD1D-1D45-4565-9BBE-C79F4E029C6F@microsoft.com...
> > >> > > OK. take #2
> > >> > >
> > >> > > I find I can access via the network after all. So I navigate to
> > >> > > sysroot/sys32/GroupPolicy and set Deny on full for Administrators.
> > >> > > I've not logged in locally yet so I give it a try. No joy. I reboot
> > >> > > the machine and try again - still no joy. Same logon message -
> > >> > > 'local policy does not permit interactive logon'. Any thoughts?
> > >> > >
> > >> > > What should the permissions be on this directory? Mine show
> > >> > > Admins : allow unset ; deny unset
> > >> > > System : allow unset ; deny unset
> > >> > > Everyone : allow full ; deny unset
> > >> > >
> > >> >>snip
> > >
> > >
> >
> >
> >
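
Added example, not part of the thread or of any poster's message: a small Python check of why granting SeInteractiveLogonRight failed until SeDenyInteractiveLogonRight was removed. It assumes the `[Privilege Rights]` layout of a `secedit /export /cfg` file; the sample text, the token and the function names are constructed for illustration.

```python
# Constructed sample of the [Privilege Rights] section that
# `secedit /export /cfg` writes; the SIDs are well-known ones:
# S-1-5-32-544 = Administrators, S-1-5-32-545 = Users, S-1-1-0 = Everyone.
SAMPLE_INF = """\
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-32-545
[Version]
"""

ALLOW = "SeInteractiveLogonRight"
DENY = "SeDenyInteractiveLogonRight"

def parse_privilege_rights(inf_text):
    """Return {right name: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {
                p.strip().lstrip("*").upper() for p in value.split(",") if p.strip()
            }
    return rights

def interactive_logon(rights, token_sids):
    """Evaluate local logon for a token: any Deny match wins over every Allow."""
    token = {s.upper() for s in token_sids}
    denied = rights.get(DENY, set()) & token
    if denied:
        return False, "denied via " + ", ".join(sorted(denied))
    allowed = rights.get(ALLOW, set()) & token
    if allowed:
        return True, "allowed via " + ", ".join(sorted(allowed))
    return False, "no allow entry matches the token"

# Constructed token: an administrator who is also in Users and Everyone.
ADMIN_TOKEN = ["S-1-5-32-544", "S-1-5-32-545", "S-1-1-0"]

if __name__ == "__main__":
    rights = parse_privilege_rights(SAMPLE_INF)
    print(interactive_logon(rights, ADMIN_TOKEN))  # blocked by the Deny entry
    # Same effect as: ntrights -r SeDenyInteractiveLogonRight -u users
    rights[DENY].discard("S-1-5-32-545")
    print(interactive_logon(rights, ADMIN_TOKEN))
```

Run against a real export, the same check shows before a policy change whether a Deny entry on a broad group such as Users would also catch the administrators.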