group policy in Windows Server 2008
One of the employees in the enterprise changed the user settings in Group Policy, which affects the login permissions for Administrator users.
Each time I try to log in locally, this message is shown:
You cannot log on because the logon method you are using is not allowed on this computer
All the solutions on the Internet work from inside Windows, but I only have access to the Command Prompt (via the repair wizard).
What should I do?
I think you're saying that someone has modified a Group Policy Object to deny members of the "Administrators" group the right to log on locally on some subset of the computers in the domain. If that's not correct, please clarify in your question.
If I were in this situation I'd log on to a computer with a local user account (or use a non-domain-member computer) and use an LDAP browser (like ldp.exe from the Windows Support Tools) to access Active Directory and locate the GUID of the offending Group Policy Object. If you're not familiar with querying an LDAP directory then, admittedly, it's going to be fairly difficult to guide you step by step. Basically, you'd be looking under the "CN=System,CN=Policies" container of the domain to find the GPO with the messed-up setting (probably by examining the "displayName" attribute of the GPOs). That will give you the GUID of the GPO.
Once you've got the GUID I'd "map" a "drive" to the SYSVOL share on a Domain Controller (DC) (using NET USE x: \\domain\sysvol /user:domain\domain-admin-username). Then I'd browse into that "drive", the "domain.com" subfolder, the "Policies" subfolder, the folder corresponding to the GUID of the messed-up GPO, the "Machine" subfolder, the "Windows NT" subfolder, and the "SecEdit" subfolder.
In that folder you'll find a GptTmpl.inf file. Open that file in "Notepad" and locate the line starting with SeDenyInteractiveLogonRight. Delete that line and save the file.
In 5 minutes (odds are within 2.5 minutes) the DC whose SYSVOL you modified will refresh Group Policy and allow you to log on. As the change replicates to the SYSVOL of other DCs, member computers that are refreshing their Group Policy will pick up the change, too.
You could forgo the search of the LDAP directory by just searching the domain SYSVOL share for GptTmpl.inf files containing the string SeDenyInteractiveLogonRight, but if you have GPOs that legitimately contain that string you risk "breaking" them.
Whatever you do, be sure you take notes on what you're changing as you do it so that you can back off any incorrect changes you make.
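The procedure above, as an added PowerShell example that is not part of the original answer: it walks the SYSVOL Policies tree for every GptTmpl.inf that sets SeDenyInteractiveLogonRight, resolves each GUID folder to the GPO's displayName through an LDAP query (so you can tell a legitimate deny-logon GPO from the broken one), and only with -Fix removes the offending line after saving a .bak copy. It assumes you run it from a machine that can reach the share with domain-admin credentials (map it first with NET USE as described above); the $SysvolRoot default with example.com is a placeholder to replace with your own domain.

```powershell
# Added example, not the original answer's code. Assumes PowerShell 2.0 or later
# and domain-admin access to the SYSVOL share. Replace the placeholder domain below.
param(
    [string]$SysvolRoot = "\\example.com\SYSVOL\example.com\Policies",   # placeholder path
    [string]$Right      = "SeDenyInteractiveLogonRight",
    [switch]$Fix                                                           # without -Fix the script only reports
)

$pattern = "^\s*$Right\s*="

# Resolve a GUID folder name (e.g. {31B2F340-016D-11D2-945F-00C04FB984F9}) to the
# GPO's displayName by querying the groupPolicyContainer objects under
# CN=Policies,CN=System,<domain> via ADSI.
function Get-GpoDisplayName([string]$Guid) {
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE")
    $dnc     = $rootDse.Properties["defaultNamingContext"][0]
    $base    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Policies,CN=System,$dnc")
    $search  = New-Object System.DirectoryServices.DirectorySearcher($base)
    $search.Filter = "(&(objectClass=groupPolicyContainer)(cn=$Guid))"
    [void]$search.PropertiesToLoad.Add("displayName")
    $result = $search.FindOne()
    if ($result) { return [string]$result.Properties["displayname"][0] }
    return "<no matching GPO in AD>"
}

# Find every GptTmpl.inf under Policies that assigns the right in question.
$hits = Get-ChildItem -Path $SysvolRoot -Recurse -Filter "GptTmpl.inf" -ErrorAction SilentlyContinue |
    Where-Object { Select-String -Path $_.FullName -Pattern $pattern -Quiet }

if (-not $hits) { Write-Host "No GptTmpl.inf under $SysvolRoot sets $Right."; return }

foreach ($file in $hits) {
    # The GUID folder is the first path component below $SysvolRoot.
    $relative = $file.FullName.Substring($SysvolRoot.Length).TrimStart('\')
    $guid     = ($relative -split '\\')[0]
    $line     = (Select-String -Path $file.FullName -Pattern $pattern | Select-Object -First 1).Line

    Write-Host ("{0}  ->  {1}" -f $guid, (Get-GpoDisplayName $guid))
    Write-Host ("    file : {0}" -f $file.FullName)
    Write-Host ("    line : {0}" -f $line)

    if ($Fix) {
        # Keep a copy so the change can be backed off, then drop only the offending line.
        # GptTmpl.inf is written as Unicode (UTF-16 LE); preserve that encoding.
        $backup = $file.FullName + ".bak"
        Copy-Item -Path $file.FullName -Destination $backup -Force
        $kept = Get-Content -Path $file.FullName -Encoding Unicode | Where-Object { $_ -notmatch $pattern }
        Set-Content -Path $file.FullName -Value $kept -Encoding Unicode
        Write-Host ("    removed {0}; backup saved to {1}" -f $Right, $backup)
    }
}
```

Run it once without -Fix and read the displayName next to each GUID before deciding which file to touch; a GPO that legitimately denies interactive logon (for service accounts, say) will show up in the same list. Two caveats: editing GptTmpl.inf by hand does not increment the version recorded in the GPO's GPT.ini, so if a client has not picked the change up after the refresh interval, run gpupdate /force on the affected computer; and the .bak copy is what lets you back the change off if you picked the wrong GPO, so leave it in place until the Administrators logon is confirmed working.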