Windows domain controller rendered inaccessible


Hugh Beyer
I've succeeded in tying my system up in knots and I'm hoping the good people
here can help me get unwedged.

I had a system which I thought I needed to promote to being a domain
controller using active directory. So I did that thing. It's now happily
administering its own domain.

But when I restarted, it wouldn't let me in. The admin password I set doesn't
work. The user password for a highly-privileged user works, but says the
account isn't allowed interactive logins. I try to log in locally, but the
only option I'm allowed is to log into the domain.

So I reboot the machine using the "Domain Controller recovery mode". That
lets me into the machine, but none of the Active Directory tools run. They
all say that the machine is running in safe mode and they're helpless.

I try to create local accounts, but they don't seem to take effect. I try to
run the "local security policy" tool and override the domain policy. I have
some success--the login screen now has the "shutdown" option as I asked,
where before it did not-- but I still can't log in as an interactive user and
the admin password is still no good.

Any thoughts as to how to get out of this mess?

Thx a billion.

Hugh


Brian Desmond [MVP]
Hugh,

Try joining a PC to the domain that this DC is hosting. Then, log on with
that admin user, and connect the group policy editor to the DC. From here,
grant the user interactive logon rights in security policy, and reboot the
DC.

I suspect you're not a domain admin though, as they have interactive rights
by default. Domain Admin rights are necessary to dcpromo a box.

--
Brian Desmond
Windows Server MVP
desmondb@payton.cps.k12.il.us

Http://www.briandesmond.com





Hugh Beyer
"Brian Desmond [MVP]" wrote in
news:O0Vlr2fEEHA.2976@TK2MSFTNGP12.phx.gbl:

> Hugh,
>
> Try joining a PC to the domain that this DC is hosting. Then, log on with
> that admin user, and connect the group policy editor to the DC. From here,
> grant the user interactive logon rights in security policy, and reboot the
> DC.
>
> I suspect you're not a domain admin though, as they have interactive rights
> by default. Domain Admin rights are necessary to dcpromo a box.
>

Cool, I was able to get the PC joined to the domain. Now excuse my ignorance,
but how do I "connect the group policy editor to the DC" from this machine?

Hugh


Brian Desmond [MVP]
Start>run>mmc, File>Add/Remove Snapins, Group Policy Editor, and then when
you add it, there's some GUI to pick a domain GPO. I don't have it in front
of me, so I don't recall the exact steps from there, but it's intuitive.

--
Brian Desmond
Windows Server MVP
desmondb@payton.cps.k12.il.us

Http://www.briandesmond.com


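The "interactive logon rights" discussed in this thread correspond to the "Allow log on locally" user right (`SeInteractiveLogonRight`), and its deny counterpart `SeDenyInteractiveLogonRight` takes precedence over it. The following PowerShell is an added example, not part of the original thread: it lists which accounts hold each right on the machine where it runs. It assumes an elevated session, and the function name `Get-UserRightHolders` is hypothetical.

```powershell
# Added example: list the accounts that hold a given user right on this machine.
# Assumes an elevated PowerShell session; Get-UserRightHolders is a hypothetical name.
function Get-UserRightHolders {
    param(
        [string]$Right = 'SeInteractiveLogonRight'   # "Allow log on locally"
    )
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the user-rights area of the machine's security settings.
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" }
        if (-not $line) { return }                   # right is assigned to nobody
        foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                # Entries prefixed with '*' are SIDs; translate them to account names.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
                try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid.Value }                 # unresolvable SID: show it raw
            } else {
                $entry                               # already exported as a name
            }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

# Show the allow and deny lists side by side; a deny entry overrides an allow entry.
'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight' | ForEach-Object {
    [pscustomobject]@{
        Right   = $_
        Holders = (Get-UserRightHolders -Right $_) -join '; '
    }
} | Format-List
```

If the account being tested, or a group it belongs to, is missing from the first list or present in the second, the "not allowed interactive logins" message described in the thread is the expected result.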