Denying logon to an administrative account
I'm trying to find a way for user accounts that are used to elevate privileges cannot be logged on to. Like "Deny local logon"
but with the added benefit of elevating a command prompt with that account.
Anything like this exist in GPOs? Or any other kind of solution that can give me the same results?
Hi,
To deny logon access at the domain level to service administrators,
please try the following steps:
Log on with Domain Admins credentials, and then open Active Directory Users and Computers.
In the console tree, right-click
domain name, and then click
Properties.
On the
Group Policy tab, click
Default Domain Policy, and then click
Edit.
Expand the policy tree to Computer Configuration\Windows Settings\Security Settings\Local Policies, and then click
User Rights Assignment.
In the details pane, double-click
Deny logon locally.
Click
Define these policy settings, and then click
Add.
Add all of the service administrator accounts (Administrators, Schema Admins, Enterprise Admins, Domain Admins, Server Operators, Backup Operators, and Account Operators) to the
list.
Also, follow the procedure as below for restoring logon capability to administrators so that they can log on to administrative workstations.
Allowing Logon Access to Administrative Workstations
http://technet.microsoft.com/en-us/library/dd379005(v=ws.10).aspx
Hope this helps,
Ada Liu
Similar Messages
-
No logon possible with "Administrator" Account
Hi,
since a few weeks it's not possible for me to log on with the Administrator account via the Explorer like http://<server>:<port>/irj or /nwa or /useradmin etc.
It's still possible to log on at the visual Administrator with the Administrator account.
But when i want to log on to the portal (/irj) the logon mask appears again after correct logon.
If I want to use an other account for logon after trying to logon with administrator account the message comes up, that "Authentication failed. User is already authenticated as a different user."
We are using EP 7.0 SPS 23 incl. actual patches.
User store is the UME DB + LDAP (read access)
Thanks in advance!
Kind regards
RolandHi Anja,
yeah i just checked out the note. But it doesn't fit to me. I neither get the mentioned error in the traces nor do i have a problem connection with other users except the ones with "administrator" in their name.
Additional info: I have the problem throughout my Portallandscape. So dev, qas and productive engine are affected. So it would be a big coincidence that all three ticketstores are corrupt or something like that.
Thanks anyway!
Kind regards
add. info:
I had a look what's in the security log of a portal system where the logon with the user "administrator" works and what's in the security log of the portals where i get the logon screen again.
Portal where it works:
LOGIN.OK
User: Administrator
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false false
2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok true true
3. com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true true
Central Checks true
Portal where it doesn't work:
LOGIN.OK
User: Administrator
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false false
2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok true true
3. com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true false
Central Checks true
So you can see at the "createTicketLoginModule" is the difference ==> ok true true | ok true false
Roland
Edited by: Roland Brandstetter on Sep 29, 2011 1:16 PM -
Enable 'Deny Logon locally' for Service Accounts - impacts
Hello All,
I am planning to implement Deny Logon locally for Domain Service Accounts. There are several Service accounts for which I want to prohibit log on for any computers/servers.
Before implementing this policy I wanted to know the impact as many service accounts are configured in some application related services, read data from database etc.
Please let me know if this causes any impact.
Mahi> Before implementing this policy I wanted to know the impact as many
> service accounts are configured in some application related services,
> read data from database etc.
>
> Please let me know if this causes any impact.
No it doesn't if your service accounts are used properly. You might want
to grant "logon as batch", too.
Martin
Mal ein
GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
Here is the case:
OS environment: Windows 7
There are two user accounts in my system, standard user "S" and administrator account "A", and there is a windows service running with "Local System" privilege.
Now i logged-in with account "S", and i want to launch an application with elevated administrator account "A" from that service program, so here is the code snippet:
int LaunchAppWithElevatedPrivilege (
LPTSTR lpszUsername, // client to log on
LPTSTR lpszDomain, // domain of client's account
LPTSTR lpszPassword, // client's password
LPTSTR lpCommandLine // command line to execute e.g. L"C:\\windows\\regedit.exe"
DWORD dwExitCode = 0;
HANDLE hToken = NULL;
HANDLE hFullToken = NULL;
HANDLE hPrimaryFullToken = NULL;
HANDLE lsa = NULL;
BOOL bResult = FALSE;
LUID luid;
MSV1_0_INTERACTIVE_PROFILE* profile = NULL;
DWORD err;
PTOKEN_GROUPS LocalGroups = NULL;
DWORD dwLength = 0;
DWORD dwSessionId = 0;
LPVOID pEnv = NULL;
DWORD dwCreationFlags = 0;
PROCESS_INFORMATION pi = {0};
STARTUPINFO si = {0};
__try
if (!LogonUser( lpszUsername,
lpszDomain,
lpszPassword,
LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT,
&hToken))
LOG_FAILED(L"GetTokenInformation failed!");
__leave;
if( !GetTokenInformation(hToken, (TOKEN_INFORMATION_CLASS)19, (VOID*)&hFullToken,
sizeof(HANDLE), &dwLength))
LOG_FAILED(L"GetTokenInformation failed!");
__leave;
if(!DuplicateTokenEx(hFullToken, MAXIMUM_ALLOWED, NULL,
SecurityIdentification, TokenPrimary, &hPrimaryFullToken))
LOG_FAILED(L"DuplicateTokenEx failed!");
__leave;
DWORD dwSessionId = 0;
WTS_SESSION_INFO* sessionInfo = NULL;
DWORD ndSessionInfoCount;
bResult = WTSEnumerateSessions(WTS_CURRENT_SERVER_HANDLE, 0, 1, &sessionInfo, &ndSessionInfoCount);
if (!bResult)
dwSessionId = WTSGetActiveConsoleSessionId();
else
for(unsigned int i=0; i<ndSessionInfoCount; i++)
if( sessionInfo[i].State == WTSActive )
dwSessionId = sessionInfo[i].SessionId;
if(0 == dwSessionId)
LOG_FAILED(L"Get active session id failed!");
__leave;
if(!SetTokenInformation(hPrimaryFullToken, TokenSessionId, &dwSessionId, sizeof(DWORD)))
LOG_FAILED(L"SetTokenInformation failed!");
__leave;
if(CreateEnvironmentBlock(&pEnv, hPrimaryFullToken, FALSE))
dwCreationFlags |= CREATE_UNICODE_ENVIRONMENT;
else
pEnv=NULL;
if (! ImpersonateLoggedOnUser(hPrimaryFullToken) )
LOG_FAILED(L"ImpersonateLoggedOnUser failed!");
__leave;
si.cb= sizeof(STARTUPINFO);
si.lpDesktop = L"winsta0\\default";
bResult = CreateProcessAsUser(
hPrimaryFullToken, // client's access token
NULL, // file to execute
lpCommandLine, // command line
NULL, // pointer to process SECURITY_ATTRIBUTES
NULL, // pointer to thread SECURITY_ATTRIBUTES
FALSE, // handles are not inheritable
dwCreationFlags, // creation flags
pEnv, // pointer to new environment block
NULL, // name of current directory
&si, // pointer to STARTUPINFO structure
&pi // receives information about new process
RevertToSelf();
if (bResult && pi.hProcess != INVALID_HANDLE_VALUE)
WaitForSingleObject(pi.hProcess, INFINITE);
GetExitCodeProcess(pi.hProcess, &dwExitCode);
else
LOG_FAILED(L"CreateProcessAsUser failed!");
__finally
if (pi.hProcess != INVALID_HANDLE_VALUE)
CloseHandle(pi.hProcess);
if (pi.hThread != INVALID_HANDLE_VALUE)
CloseHandle(pi.hThread);
if(LocalGroups)
LocalFree(LocalGroups);
if(pEnv)
DestroyEnvironmentBlock(pEnv);
if(hToken)
CloseHandle(hToken);
if(hFullToken)
CloseHandle(hFullToken);
if(hPrimaryFullToken)
CloseHandle(hPrimaryFullToken);
return dwExitCode;
I passed in username and password of account "A" to method "LaunchAppWithElevatedPrivilege", and also the application i want to launch, e.g. "C:\windows\regedit.exe", but when i run the service program, i found it do launch
"regedit.exe" with elevated account "A", but the content of regedit.exe is pure back. screenshot as below:
Can anyone help me on this?You code is not dealing with the DACL access to Winsta0\Default. Only the LocalSystem account will have full access and the interactively logged on user which is why regedit is not displaying properly. You'll need to grant access to your user.
You also need to deal with UAC since that code is going to give you a non-elevated token via LogonUser(). You need to get the full token via a call to GetTokenInformation() + TokenLinkedToken.
thanks
Frank K [MSFT]
Follow us on Twitter, www.twitter.com/WindowsSDK. -
How to enable administrator account in windows 8
I need Administrator Account access to install SQL server 2005 in Windows 8 and I tried all Possible or given solution in PC but I'm not succeed to enable this account.. I tried lusrmgr.msc also but there is nothing option.
Mainly I couldn't find the option Local User and group management option in Windows 8..
and also i tried from cmd by net user administrator /active:Yes
but command displays access denied
Hi,
Please try this to enable CMD on logon screen:
http://www.askvg.com/how-to-launch-command-prompt-or-other-programs-using-ease-of-access-button-at-login-screen-in-windows-vista-and-7/
Then, try to enable built-in admin account.
net user administrator /active:Yes -
Prevent locking of Administrator account
Hello,
We'd like to expose our portal to the internet. This means everyone will be able to logon to the portal (after creating an UME user account). UME is configured to lock user accounts after 3 invalid login attempts.
Now how can we prevent anonymous internet users to lock the Administrator account or other system accounts like ADSUser?
The first option would be to implement this on the revert proxy, e.g. block requests containing j_user=Administrator either in the URL during a GET request or in the body during a POST request.
However, because of performance reasons, especially because of the need to scan all POST requests, this option doesn't look very attractive.
A second option would be to deploy a new JAAS LoginModule, configured to be always executed as the first one, that checks the username first and halts the login process if the username is Administrator and the request is coming from a certain IP (the reversed proxy), e.g. by throwing a RuntimeException in the login method (will that work? any other possibility besides throwing a RuntimeException?).
This doesn't look as very clean solution either.
What would be the best (safe, clean, easy) way to stop anonymous users from locking the Administrator user account?
Thanks!
SigiswaldAt the end we decided to write a custom LoginModule anyway.
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import com.sap.engine.interfaces.security.auth.AbstractLoginModule;
import com.sap.engine.lib.security.LoginExceptionDetails;
import com.sap.engine.lib.security.http.HttpGetterCallback;
import com.sap.security.api.IUser;
import com.sap.security.api.NoSuchUserException;
import com.sap.security.api.UMException;
* <p>
* <div>This LoginModule either succeeds or fails, but in fact it
* <u>never</u> authenticates the user. What is meant is that even if
* all relevant methods of the LoginModule API - i.e. login and commit
* - return true, indicating success, the Subject is never
* authenticated. Therefore this LoginModule should <u>never</u> be
* configured as SUFFICIENT.</div>
* </p>
* <p>
* <div>The purpose of this LoginModule is to abort the authentication
* process in case an unauthorized user tries to authenticate as
* administrator and thus it stops unauthorized users from locking
* administrator accounts.</div>
* </p>
* <p>
* <div>This LoginModule accepts two optional configuration
* options:<ul>
* <li>ip_allow</li>
* <li>ip_deny</li></ul>
* The value of both options is a comma separated list of IPv4 ranges.
* e.g.
* <code>ip_allow=145.50.76.81,145.50.77.0-145.50.77.255,194.196.236.70-194.196.236.71</code>
* The localhost is added implicitly.</div>
* </p>
* <p>
* <div>If the IP address of the client that sent the HTTP request is
* within the range(s) defined by ip_allow and is not within the
* range(s) defined by ip_deny, authentication succeeds. If this is
* not the case, authentication fails if the user tries to
* authenticate by username (and password) and supplies the username
* of an existing UME user that is assigned the internal_use_only
* role. Otherwise, authentication succeeds.</div>
* </p>
* <p>
* <div>To meet its purpose, i.e. prevent the locking of administrator
* user accounts, this LoginModule <u>should</u> be configured as
* <u>REQUISITE</u> and should be in the login stack <u>before</u> the
* standard BasicPasswordLoginModule.</div>
* </p>
* @author smadou
public final class AdministratorFilterLoginModule extends AbstractLoginModule {
private static final String INTERNAL_USE_ONLY =
LogonUtil.getRoleid("internal_use_only");
private static final String IP_ALLOW = "ip_allow";
private static final String IP_DENY = "ip_deny";
private static boolean initialized;
private static List IPRANGE_ALLOW = new ArrayList();
private static List IPRANGE_DENY = new ArrayList();
private CallbackHandler callbackHandler;
private boolean succeeded;
public void initialize(
Subject subject,
CallbackHandler callbackHandler,
Map sharedState,
Map options) {
super.initialize(subject, callbackHandler, sharedState, options);
this.callbackHandler = callbackHandler;
this.succeeded = false;
AdministratorFilterLoginModule.initialize(options);
public boolean login() throws LoginException {
try {
if (ipAllowed()) {
succeeded = true;
return true;
} catch (UnsupportedCallbackException e) {
throwUserLoginException(e);
} catch (IOException e) {
throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
String logonid = null;
IUser user = null;
String userid = null;
try {
logonid = getLogonid();
user = logonid == null ? null : LogonUtil.getUser(logonid);
userid = user == null ? null : user.getUniqueID();
} catch (UnsupportedCallbackException e) {
throwUserLoginException(e);
} catch (IOException e) {
throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
} catch (NoSuchUserException e) {
// TODO connect to NetWeaver logging API - DEBUG
e.printStackTrace();
} catch (UMException e) {
throwUserLoginException(e);
if (userid == null) {
return true;
if (user.isMemberOfRole(INTERNAL_USE_ONLY, LogonUtil.RECURSIVE)) {
throwNewLoginException(
"Access Denied to user with logonid "
+ logonid
+ " having role "
+ INTERNAL_USE_ONLY
+ "!");
succeeded = true;
return true;
public boolean commit() throws LoginException {
return succeeded;
public boolean abort() throws LoginException {
return succeeded;
public boolean logout() throws LoginException {
succeeded = false;
return true;
private static synchronized void initialize(Map options) {
if (initialized) {
return;
IPRANGE_ALLOW.addAll(Arrays.asList(AddressRange.parseRanges("127.0.0.1")));
try {
IPRANGE_ALLOW.addAll(
Arrays.asList(
AddressRange.parseRanges(
InetAddress.getLocalHost().getHostAddress())));
} catch (UnknownHostException e) {
// TODO connect to NetWeaver logging API - INFO
e.printStackTrace();
String ipAllow = (String) options.get(IP_ALLOW);
String ipDeny = (String) options.get(IP_DENY);
if (ipAllow != null && ipAllow.length() > 0) {
IPRANGE_ALLOW.addAll(Arrays.asList(AddressRange.parseRanges(ipAllow)));
if (ipDeny != null && ipDeny.length() > 0) {
IPRANGE_DENY.addAll(Arrays.asList(AddressRange.parseRanges(ipDeny)));
initialized = true;
private String getClientIp()
throws UnsupportedCallbackException, IOException {
HttpGetterCallback hgc = new HttpGetterCallback();
hgc.setType(HttpGetterCallback.CLIENT_IP);
callbackHandler.handle(new Callback[] { hgc });
return (String) hgc.getValue();
private String getLogonid()
throws IOException, UnsupportedCallbackException {
NameCallback nc = new NameCallback("username: ");
callbackHandler.handle(new Callback[] { nc });
return nc.getName();
private boolean ipAllowed()
throws UnsupportedCallbackException, IOException {
String clientIp = getClientIp();
return match(IPRANGE_ALLOW, clientIp) && !match(IPRANGE_DENY, clientIp);
private boolean match(List ipRanges, String ip) {
for (Iterator i = ipRanges.iterator(); i.hasNext();) {
AddressRange range = (AddressRange) i.next();
if (range.match(ip)) {
return true;
return false;
import com.sap.security.api.IRole;
import com.sap.security.api.IRoleFactory;
import com.sap.security.api.IUser;
import com.sap.security.api.IUserFactory;
import com.sap.security.api.NoSuchRoleException;
import com.sap.security.api.NoSuchUserException;
import com.sap.security.api.UMException;
import com.sap.security.api.UMFactory;
* @author smadou
public final class LogonUtil {
static final boolean RECURSIVE = true;
static String getRoleid(String uniqueName) {
try {
IRoleFactory rf = UMFactory.getRoleFactory();
IRole role = rf.getRoleByUniqueName(uniqueName);
return role.getUniqueID();
} catch (NoSuchRoleException e) {
// TODO connect to NetWeaver logging API - WARN
e.printStackTrace();
throw new SecurityException(
"NoSuchRoleException while getting role with unique name ""
+ uniqueName
+ "": "
+ e.getMessage());
} catch (UMException e) {
// TODO connect to NetWeaver logging API - WARN
e.printStackTrace();
throw new SecurityException(
"UMException while getting role with unique name ""
+ uniqueName
+ "": "
+ e.getMessage());
static IUser getUser(String logonid)
throws NoSuchUserException, UMException {
IUserFactory uf = UMFactory.getUserFactory();
return uf.getUserByLogonID(logonid);
* This code is based on
* http: //drc-dev.ohiolink.edu/browser/fedora-core/tags/2.0/src/java/fedora/server/security/IPRestriction.java
* @author smadou
public final class AddressRange {
private static final int IP_OCTETS = 4;
private static final int OCTET_MIN = 0;
private static final int OCTET_MAX = (int) Math.pow(2, 8) - 1;
private long start;
private long end;
private AddressRange(long start, long end) {
this.start = start;
this.end = end;
public boolean match(String address) {
return match(parseAddress(address));
private boolean match(long address) {
return address >= start && address <= end;
private static long parseAddress(String address) {
String[] octets = address.split("\.");
if (octets.length != IP_OCTETS) {
throw new IllegalArgumentException("invalid adress: "" + address + """);
long lAddress = 0;
for (int i = 0, n = octets.length; i < n; i++) {
lAddress += parseOctet(octets[ i ], n - i - 1);
return lAddress;
private static long parseOctet(String octet, int byteNum)
throws NumberFormatException {
long lOctet = Long.parseLong(octet);
if (lOctet < OCTET_MIN || lOctet > OCTET_MAX) {
throw new IllegalArgumentException("invalid octet: "" + octet + """);
return lOctet * (long) Math.pow(Math.pow(2, 8), byteNum);
private static AddressRange parseRange(String range) {
String[] parts = range.split("-");
if (parts.length > 2) {
throw new IllegalArgumentException("invalid range: "" + range + """);
long start = parseAddress(parts[0].trim());
long end = parts.length == 1 ? start : parseAddress(parts[1].trim());
return new AddressRange(start, end);
public static AddressRange[] parseRanges(String ranges) {
String[] parts = ranges.split(",");
AddressRange[] addressRanges = new AddressRange[parts.length];
for (int i = 0, n = parts.length; i < n; i++) {
addressRanges[ i ] = parseRange(parts[ i ].trim());
return addressRanges; -
Cannot Access the Administrator Account
We have Windows 7 pro machines on a Server 2008 domain. I can't logon to a machine because the trust relationship with the domain has been lost. I have tried to remove the machine from the domain and then add it back, but the local administrators account
is disabled. None of the local accounts on the machine have administrative rights so I'm unable to do this as it says access is denied. I've tried all the various fixes, ie run mmc and enable administrators account, boot into safe mode etc but none work. Is
there a way to resolve this without reloading the machine with W7?Hi,
Please refer to following guide to enable built-in administrator account in WinRE. You need a installation media to start Windows into WinRE:
Windows 7: Built-in Administrator - Enable from WinRE
http://techlogon.com/2011/12/06/how-to-enable-the-hidden-admin-account-in-windows-7/
Then try to exit the domain.
Kate Li
TechNet Community Support -
Administrator account is disable when deploying windows 7 x64 captured image
I’m using MDT 2012 update 1. I create one deployment share with two task sequence.
The task sequences are: one for windows 7 x86 and the other one is windows 7 x64.
Both are working fine until I try to sysprep and capture with all the windows updates.
Sysprep and capture windows 7 x86 with all windows update work fine. I’m able to deploy the captured image without an error.
My problem is with the windows 7 x64 captured image. I’m able to sysprep and capture the windows7 x64 with all the windows update. Once the capture is completed, I change the .win file in my windows 7 x64 task sequence to point to the new .win file (capture
image with all the windows update). When I deploy windows 7 x64 on a pc, the OS get install but boot up to the sign on screen. The Task sequence does not complete. No error message. Cannot log in as local or domain administrator, account is disable.
Why does it work with my windows 7 x86 image and not with my windows 7 x64 image?
With my windows 7 x86 image the task sequence completed successfully with no error and it logon automatically in windows but not with my windows 7 x64 image.
Both task sequences are the same.
Let me know if any info for this please.
thanksThey should both work, perhaps you missed a step when creating the x64 image.
1. Verify that the Windows 7 x64 image was created cleanly, with no errors. Sysprep ran with no errors.
2. Verify that you created the windows 7 deployment task sequence cleanly. I would do a windiff of the TS.xml and unattend.xml file from both folders in the deployment share.
3. Try running without a domain. Some domain's have a GP set to disable the local administrator account.
Keith Garner - keithga.wordpress.com -
Domain Administrator account being locked up by PDC
Hi everyone,
My PDC is locking up my domain administrator (administrateur in french) account.
System event logs :
The SAM database was unable to lockout the account of Administrateur due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please
consider resetting the password of the account mentioned above.
Level : Error
Source : Directory-Services-SAM
Event ID : 12294
Computer : Contoso-PDC
User : System
There is absolutely no events in the security events log, not a single "Audit Failure" event for the "administrateur" account.
I tried to change the name of the domain administrator account from "administrateur" to "administrator".
Now there is "Audit failure" events poping up in the security event logs.
Once again the Source Workstation is the PDC. I guess those events are there because it receive credential validation for an account who doesn't exist anymore since it have been renamed in "Administrator".
Here is the detail log :
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Administrateur
Account Domain: CONTOSO
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: CONTOSO-PDC
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
On the PDC i checked :
Services : None of them are started with the "administrateur" account
Network Share : There is no network share ...
Task Scheduler : None of the tasks are launch with the "administrateur" account.
And the logon type (3:network) seem to indicate that the login comes from an other computer but i have nothing to look for, not a single IP.
Any ideas?
ps : Sorry for the probable english mistakes :(Hi,
Thanks for you answers.
San4wish :
Lockout tool confirm that the domain administrator account is locked on my PDC. I didn't run eventcomb but i though it only helped parsing security event logs which i did "manually". Anyway i'll try eventcomb after this week end.
About the conficker worm : I looked into it and this worm was exploiting a vulnerability in the server service. It have been patched by MS08-067 (KB958644) and this kb isn't available for Windows 2008 R2 and Windwos 2012 so i guess Windows 2008 R2 have
fixed this vulnerabilty.
So i doubt its a conficker type worm.
Also i gave the PDC role to another DC (let's call him DC2) and now DC2 is locking the administrator account so it seems that the computer locking the account is doing it through the network and it's not something executed on the DCs. -
Factory set password for Windows Vista built-in administrator account?
I am attempting access the Vista built-in administrator account, which normally is not passworded unless the user does so. Mine, however, has a password that was set 11/20/2010 at 9:57:24 PM.
Was this p/w set by Toshiba? I assume so, as it was purchased directly from Toshiba. If so, any idea what that p/w would be? I need to use this account to recover my own admin account due to this error: The User Profile Service failed the logon. User profile cannot be loaded.
Machine is a Satellite P300 S/N 29020124W, Part # PSPC8U-01G00Q.
Thanks.Satellite P300-ST3712
You receive a "The User Profile Service failed the logon” error message
How to Fix the Error "Your user profile was not loaded correctly! You have been logged on with a tem...
Was this p/w set by Toshiba?
No. But some programs like the Google Updater (if you added the Google Toolbar, Chrome or Google Earth) have been known to cause this problem.
-Jerry -
MDT 2012 - Litetouch deploy windows 8 with different administrator account
I have created and captured a custom image of Windows 8 using MDT2012 update 1 and Windows ADK (without SCCM). In the image, I have set an account called DeployUser, with password XXX, adding it to the Administrators group, and I have disabled the User
Account Control.
I did this because the Administrator account is renamed from GPO and the password is changed every 30 days (for security reasons, the password is not disclosed to any IT support).
Next, I created a TS to deploy this image, adding the installation of some software.
In the Unattend.xml, I also added DeployUser to perform the autologon.
After the first logon with DeployUser, the TS stops and does not return any error message.
If I manually run C: \ ProgramData \ Microsoft \ Windows \ Start Menu \ Programs \ Start-up \ LiteTouch.lnk nothing happens, however, if I run it with "Run as Administrator", the TS continues normally.
Somebody who knows a solution for this?I believe MDT LiteTouch deployments only recognize the Administrator account name for processing task sequences.
Are you joining the domain during an MDT Litetouch deployment? If so, you may want to delay joining to a domain or GPO processing. Take a look at these recommendations:
Domain Policies that break MDT 2010
It may also be possible to disable GPO processing until the end of the taks sequence via a reghack or disabling a service. Take a look at this:
How to Disable/Enable Group Policy
BTW, the task sequence engine in ConfigMgr prevents GPO processing during an OSD.
V/R, Darrick West - Senior Systems Engineer, ConfigMgr: OSD -
Enabling Windows Server 2008 R2 Built-In Administrator Account
The properties box for my Windows Server 2008 R2 built-in administrator program says the account is disabled. Even the primary user account has virtually no priveliges. How can I, with a mere primary user account available at logon, enable
the built-in administrator account, or otherwise grant my primary user account administrator priveliges? Windows Server 2008 R2 denies my primary user account access/permission for nearly all changes to accounts, programs and OS features.
Stephen W PlunkettThe properties box for my Windows Server 2008 R2 built-in administrator program says the account is disabled. Even the primary user account has virtually no priveliges. How can I, with a mere primary user account available at logon,
enable the built-in administrator account, or otherwise grant my primary user account administrator priveliges? Windows Server 2008 R2 denies my primary user account access/permission for nearly all changes to accounts, programs and OS features.
Stephen W Plunkett
In some of the organisations, default admin accounts on member servers are purposefully locked/disabled through group policy for security reasons.
If you know the password for locked out/disabled admin account then there is a possibility of unlocking/re-enabling the account without using any third party tools.
To do that,
Restart the server
Press F8 and select Safe Mode Without
Networking
Log on to the server with locked out/disabled admin account with its password.
If you could successfully log on to the server then you will have option to unlock and enable the built-in admin account !
Most of the downtime's are caused because of SysAdmin's curiosity ! - Santosh -
Old domain was removed and Unable to login as domain administrator account in windows 7 laptop
I have a problem with a laptop which is in old domain, due to some issue I need to uninstall some of the programs on that machine for
that it is asking administrator password, so when I was entering old domain’s administrator account password it is not logging in, and there is no other local administrator account configured on that machine, how to log in into that machine and join that to
the new domain.
I am trying to log in as <domain-name>\administratorHi,
Logon to a domain with domain account is an interactive process, which needs cooperation of both DC and DNS. Since the old domain is delete, then, log in as <domain-name>\administrator to the old domain will failed.
Open CMD, type “net user”, and press Enter to display user account of this computer. Check to see if any account which has administrator permission you can remember.
Besides, type “net user administrator”, if the Account Active is YES, try to use this built-in administrator account to logon:
Press Alt + Ctrl + Delete, select Switch User -> Other User, type <computer name>\administrator. (there may be no password if you haven’t set this)
If there is no administrator permission account which you can use to logon, reinstall the system should be needed.
Best Regards,
Eve Wang -
How to find out sql server administrator account in sql server 2008 R2
how to find out sql server administrator account in sql server 2008 R2
adilthere is any way to find out actual administrator
because i forget that user i used to logon to server and installed sqlserver
adil
Hi adilahmed,
According to your description, you forgot the account which was used to install SQL Server. SQL Server service account information is stored in Windows Registry database. You can get this information from Services Console or SQL Server Configuration.
For example, to get account information from Services Console.
1. Go to Start > Run > Services.msc
2. Right Click on SQL Server Service, i.e. “SQL Server (InstanceName)” and go to properties
3. The account information is available under Log On tab.
Or you can get the information by using DMV and so on.
SELECT servicename, service_account FROM sys.dm_server_servicesGO
If you now log in SQL Server by using sysadmin account, you can check all login names in security and find the original account to login.
Thanks,
Sofiya Li
Sofiya Li
TechNet Community Support -
Error in security provider logon stack: no logon to visual administrator
Probably i made a mistake in configuring SAP-J2EE-Engine security provider login modules.
Now i cannot logon to Visual Administrator, it tells me
"Error while connecting
com.sap.engine.services.security.exceptions.BaseLoginException: Access Denied."
Is there a way to reset login module stack from configtool or in some config file?
Many thanks in advance.
Simone ZaffalonHi
you can configure your login stack configuration using config tool. Config tool works locally against the server's database, thus no authentication is required.
1. Be sure that your server is not running! (shutdown SAP J2EE processes)
2. Launch config tool ("use default db settings").
3. switch to configuration editor mode (the most-right icon in the icon toolbar)
4. navigate to security-->configurations
Here you find your logon stacks and the login modules contained within them. Click on the "pencil" icon for changing your current configuration.
See the thread below .It will resolve your issue
Unable to access Visual Admin
Points are welcome if it is helpful
Koti Reddy
Maybe you are looking for
-
DBA COCKPIT error when scheduling a job
hi experts Iam trying to schedule some jobs in DB13 when i try to add the action i get this error: DBA Cockpit Error Acces to system SID failed Function Unit DB6_PLAN_DD_BATCH Reason job error iam able to run these jobs externally directly from DBM.
-
HT3777 Leopard 10.6.8 with Boot Camp 3 do not support Windows XP SP2???
Hello! I have my MacBook Pro with Leopard 10.6.8 with Boot Camp 3 on it.Reading a BOOT CAM article I could see that it supports Windows XP SP2.I just installed Windows XP SP2...and when I am trying to use the drivers from MAC DVD it says that BOOT CA
-
My wifi option greyed out and when i checked out wifi adress it shows N/A . how would i solve this ?
my wifi option greyed out and when i checked out wifi adress it shows N/A . how would i solve this ?
-
Calculate sales tax rate using a query
Hello, I am not sure if I can ask this question in the correct forum, excuse me if I am in the wrong place. Below is the question We are using STATE.COUNTY.CITY combination for computing the tax. I am fetching the sales tax rate in a custom form base
-
How to address the IP address automatically changing problem?
My Oracle database 10g(10.2.0) is on the WinXP platform and the system IP address often changes automatically. This leads to some troubles with my Oracle database. How to deal with this problem? How to stop the IP changing problem?