Domain Admin locked out of local logon

I have a customer we just took over for. They have an existing issue where the domain administrator cannot log in locally to the DC. I've looked through all their GPOs and cannot find any instance of the domain admin groups being specifically denied this
right. In fact, it says right in the DC GPO that domain admins have the rights for local log in, yet I can't seem to log in. Remote desktop works fine and that is how I've been accessing their DC, but I cannot find an answer to this problem. Any ideas?

Policy | Computer Setting | Source GPO
------ | ---------------- | ----------
Access Credential Manager as a trusted caller | Not Defined |
Access this computer from the network | kcengr\IWAM_DELL-OFV7446Y6N,Everyone,kcengr\IUSR_DELL-OFV7446Y6N,kcengr\IWAM_DELL-OFV7446Y6N,Administrators,Authenticated Users,ENTERPRISE DOMAIN CONTROLLERS,Pre-Windows 2000 Compatible Access,kcengr\IUSR_DELL-OFV7446Y6N,kcengr\IIS_WPG | Default Domain Controllers Policy
Act as part of the operating system | kcengr\bkupexec | Default Domain Controllers Policy
Add workstations to domain | Authenticated Users | Default Domain Controllers Policy
Adjust memory quotas for a process | NT SERVICE\MSSQL$SCANMAIL,IIS APPPOOL\Classic .NET AppPool,kcengr\IWAM_DELL-OFV7446Y6N,LOCAL SERVICE,NETWORK SERVICE,kcengr\IWAM_DELL-OFV7446Y6N,Administrators,IIS APPPOOL\DefaultAppPool,NT SERVICE\SQLAgent$SCANMAIL | Default Domain Controllers Policy
Allow log on locally | kcengr\IUSR_DELL-OFV7446Y6N,Administrators,Backup Operators,Account Operators,Server Operators,Print Operators,kcengr\IUSR_DELL-OFV7446Y6N,kcengr\IIS_WPG | Default Domain Controllers Policy
Allow log on through Remote Desktop Services | Not Defined |
Back up files and directories | Administrators,Backup Operators,Server Operators | Default Domain Controllers Policy
Bypass traverse checking | NT SERVICE\MSSQL$SCANMAIL,Everyone,Administrators,Authenticated Users,Pre-Windows 2000 Compatible Access,NT SERVICE\SQLAgent$SCANMAIL | Default Domain Controllers Policy
Change the system time | Administrators,Server Operators,LOCAL SERVICE | Default Domain Controllers Policy
Change the time zone | Not Defined |
Create a pagefile | Administrators | Default Domain Controllers Policy
Create a token object | kcengr\bkupexec | Default Domain Controllers Policy
Create global objects | Not Defined |
Create permanent shared objects | | Default Domain Controllers Policy
Create symbolic links | Not Defined |
Debug programs | Administrators | Default Domain Controllers Policy
Deny access to this computer from the network | kcengr\SUPPORT_388945a0 | Default Domain Controllers Policy
Deny log on as a batch job | | Default Domain Controllers Policy
Deny log on as a service | | Default Domain Controllers Policy
Deny log on locally | kcengr\SBS Remote Operators,kcengr\SUPPORT_388945a0,kcengr\SBS STS Worker | Default Domain Controllers Policy
Deny log on through Remote Desktop Services | Not Defined |
Enable computer and user accounts to be trusted for delegation | Administrators | Default Domain Controllers Policy
Force shutdown from a remote system | Administrators,Server Operators | Default Domain Controllers Policy
Generate security audits | LOCAL SERVICE,NETWORK SERVICE,IIS APPPOOL\Classic .NET AppPool,IIS APPPOOL\DefaultAppPool | Default Domain Controllers Policy
Impersonate a client after authentication | Not Defined |
Increase a process working set | Not Defined |
Increase scheduling priority | Administrators | Default Domain Controllers Policy
Load and unload device drivers | Administrators,Print Operators | Default Domain Controllers Policy
Lock pages in memory | | Default Domain Controllers Policy
Log on as a batch job | kcengr\bkupexec,kcengr\IWAM_DELL-OFV7446Y6N,LOCAL SERVICE,kcengr\IUSR_DELL-OFV7446Y6N,kcengr\IWAM_DELL-OFV7446Y6N,kcengr\IIS_WPG,kcengr\SUPPORT_388945a0,kcengr\IUSR_DELL-OFV7446Y6N,kcengr\IIS_WPG,IIS_IUSRS | Default Domain Controllers Policy
Log on as a service | kcengr\Administrator,NT SERVICE\MSSQL$SCANMAIL,kcengr\SQLServer2005SQLBrowserUser$KC01,IIS APPPOOL\Classic .NET AppPool,kcengr\bkupexec,NETWORK SERVICE,IIS APPPOOL\DefaultAppPool,SYSTEM,NT SERVICE\SQLAgent$SCANMAIL | Default Domain Controllers Policy
Manage auditing and security log | kcengr\Exchange Servers,kcengr\Exchange Enterprise Servers,Administrators | Default Domain Controllers Policy
Modify an object label | Not Defined |
Modify firmware environment values | Administrators | Default Domain Controllers Policy
Perform volume maintenance tasks | Not Defined |
Profile single process | Administrators | Default Domain Controllers Policy
Profile system performance | Administrators | Default Domain Controllers Policy
Remove computer from docking station | Administrators | Default Domain Controllers Policy
Replace a process level token | NT SERVICE\MSSQL$SCANMAIL,IIS APPPOOL\Classic .NET AppPool,kcengr\IWAM_DELL-OFV7446Y6N,LOCAL SERVICE,NETWORK SERVICE,kcengr\IWAM_DELL-OFV7446Y6N,IIS APPPOOL\DefaultAppPool,NT SERVICE\SQLAgent$SCANMAIL | Default Domain Controllers Policy
Restore files and directories | Administrators,Backup Operators,Server Operators | Default Domain Controllers Policy
Shut down the system | Administrators,Backup Operators,Server Operators,Print Operators,SYSTEM | Default Domain Controllers Policy
Synchronize directory service data | | Default Domain Controllers Policy
Take ownership of files or other objects | Administrators | Default Domain Controllers Policy
I am using the domain administrator account to try and log on locally and I cannot see a reason within the DC's GP why it would be prevented. 
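The check that settles a question like this is not what the GPO editor shows but what the DC has actually applied. The following is an added example, not code from the original post: it exports the applied user-rights assignments with secedit, resolves the SIDs, expands the account's transitive group membership, and reports through which entries the account is allowed or denied local logon. It assumes an elevated PowerShell session on the DC with the ActiveDirectory module installed; the account name at the bottom is a placeholder.

```powershell
# Added example, not from the original post. Reads the user-rights assignments actually
# applied on this DC (what secedit exports, rather than what the GPO editor shows) and
# reports whether an account holds "Allow log on locally" (SeInteractiveLogonRight) and
# "Deny log on locally" (SeDenyInteractiveLogonRight) directly or through a group.
# Assumes an elevated PowerShell on the DC with the ActiveDirectory module available.

function Get-AppliedUserRights {
    # secedit writes an INF whose [Privilege Rights] section lists each right as
    # SeXxx = *S-1-5-32-544,*S-1-5-21-...,DOMAIN\name  (resolvable principals appear as *SID)
    $inf = Join-Path $env:TEMP 'applied-user-rights.inf'
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object {
                $id = $_.Trim().TrimStart('*')
                if (-not $id) { return }
                try { (New-Object Security.Principal.SecurityIdentifier $id).Translate([Security.Principal.NTAccount]).Value }
                catch { $id }   # not a SID (already a name) or not resolvable: keep as written
            })
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $rights
}

function Test-LocalLogonRight {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Import-Module ActiveDirectory
    $user = Get-ADUser -Identity $SamAccountName
    # Transitive group membership in one query (LDAP_MATCHING_RULE_IN_CHAIN); on a DC this also
    # returns BUILTIN\Administrators, which Domain Admins is a member of by default.
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
        ForEach-Object { $_.SID.Translate([Security.Principal.NTAccount]).Value }
    $principals = @($user.SID.Translate([Security.Principal.NTAccount]).Value) + @($groups) +
                  @('Everyone', 'NT AUTHORITY\Authenticated Users')   # implicit token groups
    $rights = Get-AppliedUserRights
    $allowedVia = @($rights['SeInteractiveLogonRight'])     | Where-Object { $principals -contains $_ }
    $deniedVia  = @($rights['SeDenyInteractiveLogonRight']) | Where-Object { $principals -contains $_ }
    [pscustomobject]@{
        Account         = $SamAccountName
        AllowedVia      = @($allowedVia)
        DeniedVia       = @($deniedVia)
        CanLogOnLocally = (@($allowedVia).Count -gt 0 -and @($deniedVia).Count -eq 0)   # a Deny entry always wins
    }
}

# Placeholder account name; use the account that fails at the console
Test-LocalLogonRight -SamAccountName 'Administrator' | Format-List
```

If the result says the account can log on locally yet the console logon still fails, the next place to look is the DC's Security log: a 4625 event whose Status or SubStatus is 0xC000015B means the logon type was not granted, which points at a user-rights problem that the applied policy does not show (for instance a policy refresh that has not happened yet; compare with gpresult /r /scope computer), while any other status points away from user rights altogether.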

Similar Messages

  • Domain accounts locked out regularly

    Hi,
    I have quite a number of invalid log-ons daily, which are causing lockouts.
    Action taken,
    1. Unselected IPv6 from Windows 7 workstation
    2. Follow PSS troubleshooting method
    http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx
    3. Using NetWrix Account Lockout Examiner - all results look fine except for a lot of invalid logons, ranging from 20 to 60.
    4. Netstat output from Windows 7 workstation
    Active Connections
      Proto  Local Address          Foreign Address        State           Offload State
      TCP    10.82.0.11:49182       austin801ai:52230      ESTABLISHED     InHost      
      TCP    10.82.0.11:50231       sippoolbl20a02:https   ESTABLISHED     InHost      
      TCP    10.82.0.11:50253       autocache:8080         ESTABLISHED     InHost      
      TCP    10.82.0.11:50254       autocache:8080         ESTABLISHED     InHost      
      TCP    10.82.0.11:50278       autocache:8080         ESTABLISHED     InHost      
      TCP    10.82.0.11:50279       autocache:8080         ESTABLISHED     InHost      
      TCP    10.82.0.11:50280       autocache:8080         ESTABLISHED     InHost      
      TCP    10.82.0.11:50281       autocache:8080         ESTABLISHED     InHost      
      TCP    10.82.0.11:50298       autocache:8080         ESTABLISHED     InHost      
      TCP    10.82.0.11:50301       autocache:8080         ESTABLISHED     InHost      
      TCP    10.82.0.11:50306       autocache:8080         ESTABLISHED     InHost      
      TCP    10.82.0.11:50307       autocache:8080         ESTABLISHED     InHost      
      TCP    10.82.0.11:50315       autocache:8080         ESTABLISHED     InHost      
      TCP    10.82.0.11:50316       autocache:8080         ESTABLISHED     InHost      
      TCP    127.0.0.1:49155        2OPSLW7N048:49156      ESTABLISHED     InHost      
      TCP    127.0.0.1:49156        2OPSLW7N048:49155      ESTABLISHED     InHost      
    What is next?  Running out of ideas.  Please advise.  Thanks.
    Kelvin Teang

    Greetings!
    Firstly you should find out where these requests come from, so please enable auditing in Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management in group Policy and, after the next lockout,
    check for event ID 4740 in your Event Viewer, Security section.
    After that you need to find out what are the reasons behind this. Common problems are:
    Entering your password incorrectly. (Note: not only for interactive logons but also when you are accessing a share)
    Some services are configured incorrectly with the wrong credential, to put it another way they (The Services) try to start themselves with incorrectly configured credentials.
    Map Network Drives. It sounds a bit weird but YES! If you have a mapped network drive on your PC you may have to take a look at the credentials again to make sure they are correctly configured.
    In windows 7 and above there is a feature called “Credential Manager” which holds all the credentials required for accessing a share, mapped network drive and so on. It is another location which you have to verify the credentials.
    Conficker Worm.
    Regards.
    Mahdi Tehrani

  • Domain Admin doesn't have local Administrator privileges

    This was all done using Azure VMs.
    machine: server-dc
    Setup Windows 2012 R2 as a domain control with user 'testadmin'
    Domain: DEV
    Added a user 'domainadmin' and made a Member of all the same groups as testadmin (including Domain Admins)
    machine: server-a
    Setup Windows 2012 R2 with user 'localadmin'
    Joined server-a to the domain
    "DEV\Domain Admins" was automatically added to the local Administrators group
    Login to server-a as "DEV\testadmin"
     - full local admin rights (because is member of "DEV\Domain Admins" - correct?)
    Login to server-a as "DEV\domainadmin"
     - does NOT have local admin rights yet is a member of "DEV\Domain Admins"
    Why does "DEV\domainadmin" not have the exact same local admin rights on server-a that "DEV\testadmin" does?
    Thanks,
    Mike

    I'm still having problems.
    This account is in the local Administrators group so they should have permission to do these things.  I've tried your work around but still no luck.
    User Account Control: Run all administrators in Admin Approval Mode
     - Enabled (Default) is set
    User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
    - Elevate without prompting is set
    Machine rebooted
    UAC in Control Panel set to Never notify
    To clarify:
    User 'domainadmin' is a user created on the DC.
    Group 'Domain Admins' is a group created on the DC.
    'domainadmin' is a member of 'Domain Admins'
    'Domain Admins' is a member of the local Administrators group on SERVER-A
    So 'domainadmin' is in essence a member of the local Administrators group on SERVER-A.
    YET:
    When logged in to SERVER-A as 'domainadmin', from a command prompt:
    c:\del test.txt (a file created by 'localadmin')
    Access is denied.
    c:\iisreset
    Access denied,
    This user is a member of the local Administrators group - why can he not function as an Administrator?
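What the follow-up describes, a member of the local Administrators group getting "Access is denied", is what a UAC filtered token looks like from inside a non-elevated process. The following is an added example, not code from the thread: it reports whether the current process token contains the Administrators group, whether that group is marked "used for deny only", the token's integrity level, and whether the token is elevated. Run it on the machine in question, once from a normal prompt and once from an elevated one.

```powershell
# Added example, not from the thread. Shows what the token of the current process looks like
# when a domain account that is in the local Administrators group still gets "Access is denied":
# with UAC Admin Approval Mode on, a non-elevated process carries a filtered token in which the
# Administrators group is present but marked "used for deny only" and the integrity level is
# Medium. Run it once in a normal prompt and once in an elevated one on the machine in question.

function Get-TokenAdminState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    $adminsSid = 'S-1-5-32-544'   # well-known SID of the local Administrators group

    # whoami /groups lists every group SID in the token with its attributes; the CSV form parses cleanly
    $rows     = whoami.exe /groups /fo csv | ConvertFrom-Csv
    $adminRow = $rows | Where-Object { $_.SID -eq $adminsSid }
    $labelRow = $rows | Where-Object { $_.SID -like 'S-1-16-*' }   # mandatory integrity label

    [pscustomobject]@{
        User                  = $identity.Name
        InAdministratorsGroup = [bool]$adminRow
        AdministratorsAttrs   = $adminRow.Attributes        # "Group used for deny only" = filtered token
        IntegrityLevel        = $labelRow.'Group Name'      # Medium = filtered, High = elevated
        IsElevated            = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

Get-TokenAdminState | Format-List
```

Two readings matter. If the Administrators row is present with "Group used for deny only" and integrity Medium, the account is an administrator but the prompt is not elevated; the elevation-prompt setting only decides whether the user is asked when a program requests elevation, a plain cmd.exe never requests it, so del and iisreset keep running with the filtered token. If the Administrators row is missing altogether, the token was built before the group membership took effect (a fresh logon rebuilds it) or the membership does not resolve on this machine. The built-in Administrator account (RID 500) is exempt from Admin Approval Mode by default, which is why it behaves differently from other members of Domain Admins on the same machine.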

  • How do I have an exe in a logon script run as a different user (either a domain admin or even the local system account)

    So, I'm having some problems getting a logon script to work.  I need a way to deploy the agent that we use via login/startup scripts and what I have works fine if the user has admin rights, or if UAC is disabled.  I've tried to convert the .exe
    to an .msi to make it easier, but the .msi never works and it's only distributed as an .exe.  We deploy this to different clients, I can't disable UAC in their environment unless they specifically tell us to.  Can anyone think of a way around this? 
    I've been searching for days and I'm just lost.  If we could execute the file as the system account, or connect to shares using a startup script instead of logon, that would be perfect.  Basically what it does is check to see if the process for the
    agent is running (agentmon.exe) so we don't attempt to install it if it is already installed, if it's not, then it calls on a different agent installer depending on the IP address of the system (for clients that have more than one location).  Here's what
    I've got written that works for me in my test environment:
    Const strAgent1 = "\\home.wiginton.local\SysVol\home.wiginton.local\Policies\{CD4ED3BD-0709-4E3D-A303-C9E3B0F5198D}\User\Scripts\Logon\Test-KcsSetup1.exe"
    Const strAgent2 = "\\home.wiginton.local\SysVol\home.wiginton.local\Policies\{CD4ED3BD-0709-4E3D-A303-C9E3B0F5198D}\User\Scripts\Logon\Test-KcsSetup2.exe"
    Const strAgent3 = "\\home.wiginton.local\SysVol\home.wiginton.local\Policies\{CD4ED3BD-0709-4E3D-A303-C9E3B0F5198D}\User\Scripts\Logon\Test-KcsSetup3.exe"
    Const strFolder = "C:\Temp\"
    Const Overwrite = True
    Dim objFSO, objNIC1, arrNIC, strIP, strMask, objShell, objWMIService, proc, WshNetwork
    'Checks for Kaseya agent process, AgentMon.exe, exits if running
    Set objWMIService = GetObject("winmgmts:")
    Set proc = objWMIService.ExecQuery("Select * From Win32_Process Where Name='agentmon.exe'")
    If proc.Count > 0 Then
        WScript.Quit
    End If
    'Instantiate a NIC configuration collection
    Set objNIC1 = objWMIService.InstancesOf("Win32_NetworkAdapterConfiguration")
    'Instantiate a shell object and a file system object
    Set objShell = CreateObject("WScript.Shell")
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    'Create Temp Dir if it doesn't exist
    If Not objFSO.FolderExists(strFolder) Then
        objFSO.CreateFolder strFolder
    End If
    'Take the first address and mask of each IP-enabled adapter; the last one wins
    For Each arrNIC In objNIC1
        If arrNIC.IPEnabled Then
            strIP = arrNIC.IPAddress(0)
            strMask = arrNIC.IPSubnet(0)
        End If
    Next
    Set WshNetwork = WScript.CreateObject("WScript.Network")
    'Bitwise-AND each octet of the address with the mask to get the network ID
    Function NetworkID(Address, Mask)
        Dim AddressOctets, MaskOctets, Result, N
        AddressOctets = Split(Address, ".")
        MaskOctets = Split(Mask, ".")
        ReDim Result(UBound(AddressOctets))
        For N = 0 To UBound(AddressOctets)
            Result(N) = CLng(AddressOctets(N)) And CLng(MaskOctets(N))
        Next
        NetworkID = Join(Result, ".")
    End Function
    Select Case NetworkID(strIP, strMask)
        Case "192.168.0.0"
            ' Kaseya install commands for 192.168.0.0 subnet
            objFSO.CopyFile strAgent1, strFolder, Overwrite
            WScript.Sleep 1*60*1000
            objShell.Run "C:\Temp\Test-KcsSetup1.exe"
        Case "192.168.1.0"
            ' Kaseya install commands for 192.168.1.0 subnet
            objFSO.CopyFile strAgent2, strFolder, Overwrite
            WScript.Sleep 1*60*1000
            objShell.Run "C:\Temp\Test-KcsSetup2.exe"
        Case "192.168.2.0"
            ' Kaseya install commands for 192.168.2.0 subnet
            objFSO.CopyFile strAgent3, strFolder, Overwrite
            WScript.Sleep 1*60*1000
            objShell.Run "C:\Temp\Test-KcsSetup3.exe"
        Case Else
            ' Some sort of error checking. Maybe a BLAT SMTP command to send an email
    End Select
    Set objWMIService = Nothing
    Set objNIC1 = Nothing
    Set objShell = Nothing
    Set WshNetwork = Nothing
    WScript.Quit

    You need to read the documentation carefully:
    The Deploy Agents install package is created using a Configure Automatic Account Creation wizard. The wizard copies agent settings from an existing machine ID or machine ID template and generates an install package called
    KcsSetup.All settings and pending agent procedures from the machine ID you copy from—except the machine ID, group ID, and organization ID—are applied to every new machine ID created with the package.
    Including Credentials in Agent Install Packages
    If necessary, an agent install package can be created that includes an administrator
    credential to access a customer network. Credentials are only necessary if users are installing
    packages on machines and do not have administrator access to their network. The administrator credential is encrypted, never available in clear text form, and bound to the install package.
    ¯\_(ツ)_/¯

  • Admin locked out of guest login

    I am the admin and I have locked myself out of my guest profile. How do I reset the password to have access again? I tried by changing it in the admin profile and I had no luck. Help, thanks.

    Hi Ray,
    Which version of the portal are you running? You should be able to remove the Edit Own Profile activity right from the Everyone group. If you are getting errors saying that it is locked, try going to the "Release Item Locks" utility and see if you can unlock the group from there. Then remove the activity right from the group.
    Once you have that done, I would recommend creating a new group that is equivalent to the Everyone group, minus the custom guest user. Then re-add the activity right to this new group, so that everyone else can still edit their own profiles. What this will do is remove the Edit User Profile link from the My Account page for the custom guest user.
    However, as you mentioned, a malicious user could figure out the URL and go to the editor directly. This is a bug and will be fixed in the next release. If you need to prevent users from such access to the editor, it will require you to customize the UserProfileEditorModel to check for the activity right when the editor first starts.
    Another option is to remove Read rights for the custom guest user from each Property's ACL. The guest user will still be able to get to the editor, but because he doesn't have Read rights, he won't be able to edit anything. The only other thing is that he won't be able to View User Profile. But I'm guessing that since it's a guest user, there won't be much useful profile information anyways, right?
    Let me know how these options work for you, and I can help you with whichever solution you choose.
    Jennifer

  • Quick answer needed - user/admin locked out.

    A friend on a trip is all of a sudden asked to log in to her G4 laptop running Tiger. As far as she is aware no changes to settings have been made.
    She does not have the install disks with her.
    How can she get this sorted?
    She is in a place where mac's aren't standard and there is no apple center near by.
    Cheers

    A quick follow up:
    She gets the following message on the screen:
    apple Darwin/bsd (localhost) (console)

  • What would be the impact of changing Enterprise and Domain admin password

    Hello,
    I'm planning to change the Enterprise/Domain Admin's password for some security reasons. I do not know what all will fail, what are all the process is going to be impacted. Actually I don't want to see the bigger impact after changing
    the password.
    I've gone thru' few articles but it's in Powershell where I have the limited knowledge & can't customize the script.
    Is there a tool or a way to scan the LAN/Servers and get a clear output where these users accounts (Domain & Enterprise Admin) being used, especially windows services wise, and all other dependencies?
    Can anybody help?
    Regards,
    MSK

    Hello
    As far as I have experienced, by changing the enterprise admin password there will be no impact on the environment, not even on the
    Services.msc console. But resetting an account is a different story. If you change the user account, services which rely on the user will be updated automatically, but by resetting the password you have to manually enter the password on each
    service.
    Also, I am thinking that if you use remote desktop with saved credentials to connect to DCs as enterprise admin, you may experience account lockout problems. So the wise move is to create another account as a member of the enterprise admins group and keep it safe
    with a strong password, saved for a rainy day. In that case, if the original enterprise admin is locked out due to incorrect logons, you have a gold key to overcome the situation.
    Regards.
    Mahdi Tehrani Loves Powershell

  • Unable to start vmms service as an domain admin user

    I am not able to bring up the Hyper-V manager service on a 2012 system as a domain admin user. The failure encountered is "Error 1297: A privilege that the service requires to function properly does not exist in the service account configuration".
    Secondly,
    If we bring up the Hyper-V manager service as the local system user then the connection from SCVMM2012R2 fails with "Contact the virtual machine manager administrator to verify that your account is a member of a valid user role and then try the operation
    again ID:1604"

    Hi,
    "If we bring up Hyper-V manager service as local system user then "
    You set the VMM service  logon as "local system account "  then the service can run but scvmm can not connect to it ?
    Please check :
    1 . if domain admins group exists in local administrators group
    2.  this service should be set to start automatically and logon as "local system account"
    Then please refer to the following link:
    http://www.itguy.gr/2011/12/anoying-you-cannot-access-vmm.html
    Hope this helps
    Best Regards
    Elton Ji

  • Domain Admin access to workstations

    A relatively simple question yet I haven't found any firm answers.
    We have a 2008 R2 domain with all 2008 R2 servers/DC's running Windows 7 workstations. I want to know if a user that is a member of the domain admin security group has LOCAL admin access to any workstation that is joined to the domain
    BY DEFAULT (no GPOs applying, no scripts running at logon, etc)?

    Hi,
    to my knowledge and observation the domain admins group is always added to the local administrators group as part of the domain join process. So yes, domain admins are local admins unless you do something against it.
    Regards,
    Lutz

  • User Accounts in Domain Admins group do not have full administrative rights to the server

    Our server was fine until recently one day we lost admin access for admin user accounts. If we log in to the server with the Domain Admin account, this account has full admin access to the server and can install and launch all programs and even all server
    admin tools. If we log into the server with a user account which is in the Domain Admins group, that account cannot install software or launch Services.MSC. Even IE will not load any page and crash with a "Not Responding" Error.
    The server has no viruses we even ran SFC /SCANNOW and it did repair from corrupted files but that didn't fix the issue.
    Any ideas?

    Hi Rick,
    Maybe UAC is blocking the installation. Have it disabled and see if it helps.  Ensure you have the domain admins group added into the local administrators group.
    Also check these links please.
    https://social.technet.microsoft.com/Forums/en-US/b5300f28-6a2a-4760-8b80-97a2da0f87c1/2012-domain-admin-user-cannot-install-programs-on-a-domain-windows-7-pc?forum=winserverDS
    https://social.technet.microsoft.com/Forums/en-US/0ca040de-52ac-4259-bf78-c22436fd04d4/domain-users-with-domain-admins-right-cannot-install-programs-or-open-server-manager?forum=winserverDS
    Thanks,
    Umesh.S.K

  • Domain admin accounts locks out constantly

    Hello.
    My boss has a domain admin account that keeps locking out, and we can't figure out why. We can tell from the domain controller logs that krbtgt is the *offending* service, and it is coming from a sql server that we have. In looking over the server, we can't
    find where any passwords might be stored that would be trying to pass this automatically. We've even manually removed any profile information for this account that we could find. If I reset the account, I can then log into the server with his account and everything
    is fine, but after logging out the account locks again.
    Does anybody have any ideas for how to fix this?
    If it helps, the EventID is 4771 and the Status that gets returned is 0x12

    I have something that can help you enabling netlogon logging on all DCs.
    1. Make a list of DCs and save it in a text file called dcs.txt (you can do that by running netdom query DC).
    2. Download psexec.exe from sysinternals
    3. Then run the following to enable logging:
    for /f %i in (dcs.txt) do psexec \\%i c:\windows\system32\nltest.exe /dbflag:0x2080ffff
    4. Collect all the log files in one place:
    for /f %i in (dcs.txt) do copy /y \\%i\admin$\debug\netlogon.log .\%i.netlogon.log
    5. Then search for wrong passwords:
    type *.netlogon.log |findstr /i 0xC000006A > badpasswords.txt
    6. Disable netlogon logging:
    for /f %i in (dcs.txt) do psexec \\%i c:\windows\system32\nltest.exe /dbflag:0x0
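Both lockout threads turn on the same two Security events: 4740, which the earlier answer tells you to look for, and 4771 with status 0x12, which this question reports. The following is an added example, not code from either post: a parser for those events plus a live query across the DCs. The XML strings are constructed sample events in the real Windows event schema so the parser can be exercised offline; the live function assumes the ActiveDirectory module and read access to each DC's Security log.

```powershell
# Added example, not from either thread. A parser for the two events that lockout triage rests on:
# 4740 "A user account was locked out", written on the PDC emulator, whose caller computer name
# is carried in the TargetDomainName field; and 4771 "Kerberos pre-authentication failed", written
# on whichever DC got the request, whose Status is 0x18 for a bad password and 0x12 for an account
# that is disabled, expired or already locked out. The XML strings are constructed sample events
# in the Windows event schema so the parser can be tried offline; the live query at the end
# assumes the ActiveDirectory module and read access to the DCs' Security logs.

$KerberosStatus = @{
    '0x12' = 'KDC_ERR_CLIENT_REVOKED (disabled, expired or locked out)'
    '0x17' = 'KDC_ERR_KEY_EXPIRED (password expired)'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (bad password)'
    '0x25' = 'KRB_AP_ERR_SKEW (clock skew)'
}

function ConvertFrom-LockoutEventXml {
    param([Parameter(Mandatory)][string]$Xml)
    $e = [xml]$Xml
    $idNode = $e.Event.System.EventID
    $id = [int]$(if ($idNode -is [string]) { $idNode } else { $idNode.'#text' })
    $data = @{}
    foreach ($d in $e.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
    $base = [ordered]@{
        Time    = [datetime]$e.Event.System.TimeCreated.SystemTime
        DC      = $e.Event.System.Computer
        EventId = $id
        Account = $data['TargetUserName']
    }
    switch ($id) {
        4740 { $base.Source = $data['TargetDomainName']; $base.Detail = 'account locked out' }
        4771 {
            $base.Source = $data['IpAddress'] -replace '^::ffff:', ''      # strip the IPv4-mapped prefix
            $status = $data['Status']
            $base.Detail = "pre-auth to $($data['ServiceName']) failed, status $status`: " +
                           $(if ($KerberosStatus[$status]) { $KerberosStatus[$status] } else { 'unknown' })
        }
        default { $base.Source = ''; $base.Detail = "event $id not handled" }
    }
    [pscustomobject]$base
}

function Get-LockoutEvents {
    param([int]$Hours = 24)
    Import-Module ActiveDirectory
    # 4740 is only written on the PDC emulator; 4771 lands on whichever DC answered, so ask all of them
    $dcs = (Get-ADDomainController -Filter *).HostName
    foreach ($dc in $dcs) {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4740, 4771; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
            ForEach-Object { ConvertFrom-LockoutEventXml -Xml $_.ToXml() }
    }
}

# Constructed sample events (not real logs): one lockout and one failed pre-auth from the same host.
$Sample4740 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4740</EventID><TimeCreated SystemTime="2024-03-05T08:15:02.000Z"/><Computer>DC01.example.local</Computer></System><EventData><Data Name="TargetUserName">svc-reports</Data><Data Name="TargetDomainName">SQL01</Data><Data Name="TargetSid">S-1-5-21-1-2-3-1105</Data><Data Name="SubjectUserName">DC01$</Data></EventData></Event>
'@
$Sample4771 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4771</EventID><TimeCreated SystemTime="2024-03-05T08:16:10.000Z"/><Computer>DC01.example.local</Computer></System><EventData><Data Name="TargetUserName">svc-reports</Data><Data Name="TargetSid">S-1-5-21-1-2-3-1105</Data><Data Name="ServiceName">krbtgt/EXAMPLE</Data><Data Name="Status">0x12</Data><Data Name="IpAddress">::ffff:10.20.0.15</Data><Data Name="IpPort">49172</Data></EventData></Event>
'@

# Offline demonstration on the constructed events
@($Sample4740, $Sample4771) | ForEach-Object { ConvertFrom-LockoutEventXml -Xml $_ } | Format-Table -AutoSize
# Live use on a DC: Get-LockoutEvents -Hours 8 | Group-Object Account, Source | Sort-Object Count -Descending
```

The Source column is what you act on: for 4740 it is the machine whose bad attempts tripped the threshold, for 4771 the client IP. A run of 0x18 from one host followed by 0x12 from the same host is the signature of a stored credential (service, scheduled task, mapped drive, Credential Manager entry) that is still retrying with the old password after the account was locked, which is why resetting the account only helps until that host tries again.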

  • Visual Studio Test Controller recovery locks out the user domain account, cannot log into PC

    On the recovery tab of the Visual studio Test controller Services properties dialog, there are three recovery settings:
    First Failure, Second failure and Subsequent failures. The default setting for these options is to "Restart the Service". I changed my domain password this morning, restarted the PC and could not log in because the Visual Studio Test Controller
    service tried to restart with the wrong credentials in an infinite loop. This resulted in my account with the domain controller getting locked out. The delay between service restarts was very quick and I could not log in and stop the service. The kind admin
    fellow logged in to the PC and changed the service settings.
    Is there a place where the recovery service restart interval can be changed to prevent this situation?

    Hi bcautest1,
    >>I changed my domain password this morning, restarted the PC and could not log in because the Visual Studio Test Controller service tried to restart with the wrong credentials in an infinite loop. This resulted in my account with the domain controller
    getting locked out.
    You said that you couldn't log in, do you mean that you couldn't log in your machine or others?
    If you change the domain password, generally we could open the Test Controller configuration and change the logon account for this service.
    But if you mean that you couldn't log in your windows now, I'm afraid that it is not the test controller and Agent issue, it would be the windows issue, because it still has this issue even if you use other servers.
    Reference:
    https://technet.microsoft.com/en-us/library/cc773155(v=ws.10).aspx
    Like the following documents here:
    http://stackoverflow.com/questions/4468677/domain-account-keeping-locking-out-with-correct-password-every-few-minutes
    Maybe the Window support forum would be better for you:
    https://social.technet.microsoft.com/Forums/windows/en-US/home?forum=w7itprosecurity
    If I misunderstood this issue, please feel free to let me know.
    Best Regards,
    Jack 
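The password-change question earlier on this page and the Test Controller restart loop here are two sides of one inventory problem: which services and scheduled tasks log on as a given account, and what do those services do when they fail. The following is an added example, not code from either thread: it enumerates services and tasks running as an account across a list of servers, shows each service's recovery actions, and provides a helper that lengthens the restart delay. It assumes CIM/WinRM access to the servers and that sc.exe and schtasks.exe can reach them; the account, server and service names in the usage lines are placeholders.

```powershell
# Added example, not from either thread. Before a privileged account's password is changed or
# reset, list every Windows service and scheduled task on a set of servers that logs on as that
# account, show each service's recovery actions (a service set to restart on failure keeps
# retrying a stale password and locks the account, as in the Test Controller case), and
# optionally stretch the restart delay. Assumes CIM/WinRM access to the servers and that
# sc.exe and schtasks.exe can reach them; the names in the usage lines are placeholders.

function Find-AccountUsage {
    param(
        [Parameter(Mandatory)][string]$Account,          # DOMAIN\name form, e.g. 'CORP\Administrator'
        [Parameter(Mandatory)][string[]]$ComputerName
    )
    $bare = $Account.Split('\')[-1]
    # A service's StartName may be DOMAIN\name or name@domain (UPN); accept both spellings
    $matchesAccount = { param($s) $s -and ($s -ieq $Account -or $s -ilike "$bare@*") }

    foreach ($computer in $ComputerName) {
        # Services: Win32_Service.StartName holds the logon account of each service
        Get-CimInstance -ClassName Win32_Service -ComputerName $computer -ErrorAction SilentlyContinue |
            Where-Object { & $matchesAccount $_.StartName } |
            ForEach-Object {
                # sc.exe qfailure prints the reset period and failure actions (restart/delay...) of a service
                $recovery = (sc.exe "\\$computer" qfailure $_.Name 2>$null |
                             Select-String 'RESET_PERIOD|FAILURE_ACTIONS|RESTART') -join '; ' -replace '\s+', ' '
                [pscustomobject]@{ Computer = $computer; Type = 'Service'; Name = $_.Name; State = $_.State; Recovery = $recovery }
            }
        # Scheduled tasks: the verbose CSV output of schtasks.exe carries a "Run As User" column per task
        schtasks.exe /query /s $computer /fo csv /v 2>$null | ConvertFrom-Csv |
            Where-Object { & $matchesAccount $_.'Run As User' } |
            ForEach-Object {
                [pscustomobject]@{ Computer = $computer; Type = 'ScheduledTask'; Name = $_.TaskName; State = $_.Status; Recovery = '' }
            }
    }
}

function Set-ServiceRestartDelay {
    # Replace "restart immediately" with two restarts DelayMs apart (default 5 minutes) and a daily
    # reset of the failure counter, so a wrong password produces a few bad logons rather than a flood.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$ServiceName,
        [int]$DelayMs = 300000
    )
    sc.exe "\\$ComputerName" failure $ServiceName reset= 86400 actions= "restart/$DelayMs/restart/$DelayMs//"
}

# Usage with placeholder names:
# Find-AccountUsage -Account 'CORP\Administrator' -ComputerName 'SRV01', 'SRV02', 'SQL01' | Format-Table -AutoSize
# Set-ServiceRestartDelay -ComputerName 'SRV01' -ServiceName 'ExampleSvc'
```

Run the inventory before the password change and keep the output: every row is a place that must be updated (services with sc.exe config or the Services console, tasks with schtasks /change /ru /rp), and any row that reappears in the 4740 caller list afterwards is one that was missed. The delay helper is for services that cannot be moved off the account at once; it does not fix the credential, it just stops the service from locking the account within seconds of a restart.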

  • Adding a domain user to the admin role within the local user management breaks all metro apps for all users!!

    Hi,
    I have posted this in another large thread under the "Windows 8 General" group but have not had any appropriate feedback from MS.
    After hours of testing and working with other users I have managed to isolate a simple situation that breaks all metro ui applications within Windows 8 for all users on the machine. Here are my exact steps and notes.
    Before continuing, if you are running Avast then your solution may be to turn off the behaviour shield functionality, as this also breaks metro apps. This is NOT the problem we are having!
    I have performed 3 cleans installs after isolating the problem and am able to reproduce the issue every time using the same steps on two different machines. 
    First thing to say is that for us it has nothing to do with simply joining the domain, domain/group policies nor does it appear to have anything to do with the software we installed, the problem here is much more simple but the result is pretty terrible.
    Here are my exact steps of what I did to reproduce our problem:
    Complete format of HDD in preparation for a clean install
    Clean install performed
    Set up the machine initially with a local account
    Test metro apps - all working fine
    Open control panel from the desktop, click on System, change the system to join the domain, click reboot
    Log into the system using my domain account
    Test metro apps - all working fine
    Here's where the problem starts. I need my domain account to have admin rights on the local machine so I can install programs without the IT men having to come over and enter their password every 5 mins.
    I go to control panel via the desktop and click on User Accounts. From here I then click on "Manage User Accounts". This requires the IT guys to enter their details to give me access to such functionality. This is fine.
    In the dialog box that opens I can only see the local user that was initially created during setup. The "Group" for this local account shows as "Administrators" - Image included below (important to note that metro apps are working at this point)
    I click add and then add my domain account - also giving it administrator access
    Sign off or reboot to ensure the new security is applied
    Sign back in to the domain account
    Test metro - ALL BROKEN
    Sign out
    Sign in as local account
    Test Metro - NOW ALL BROKEN FOR THIS USER ALSO
    So as soon as I add my domain account to the local user accounts and set it as admin it breaks all metro apps for all users. This is on a totally clean install with nothing at all installed other than the OS.
    Annoyingly, if I go back and change the domain account to a standard user, or if I totally remove the domain account from the local account management system, the problem does not go away for either user. Basically it is now permanently broken. The only fix I
    could fathom was a full reinstall and not giving the domain user admin access to the local machine.
    Screen one - this is the local user accounts window AFTER joining the domain and logging in with my domain account (All metro apps working at this point)
    Screen 2: User accounts AFTER joining the domain and AFTER adding domain account to local user management (METRO BROKEN)
    I have isolated my machine from all group policies so nothing like that is affecting me. Users I have spoken to in different companies have policies that automatically add users to the local user management. This means that metro apps break as
    soon as they join the domain which leads them to wrongly think it is group policies causing the error. Once they isolate themselves from this they can reproduce following my steps.
    Thanks

    Hi Juke,
    Thank you for the response and apologies for the delay in getting back to you. My machine was running a long task so I couldn't try your suggested solution.
    I had already tried running the registry merge suggested at the top of the thread to no avail. I had not tried deleting the OLE key totally so I did that and the problem still exists. I will post all the errors I see in event viewer below. For
    your info, since posting my initial comment I have sent out my steps to 7 different people and we can all reproduce the problem. This comes to 10 different machines (3 of them mine then the other guys) in 3 different businesses / domains. We see the same errors
    in event viewer.
    Under "Windows Logs" --> "Application" : I get two separate error events the first reads "Activation of app winstore_cw5n1h2txyewy!Windows.Store failed with error: The app didn't start. See the Microsoft-Windows-TWinUI/Operational log for additional
    information." The second arrives in the log about 15 seconds after the first and reads "App winstore_cw5n1h2txyewy!Windows.Store did not launch within its allotted time."
    Under "Windows Logs" --> "System" : I get one error that reads "The server Windows.Store did not register with DCOM within the required timeout."
    Under "Applications And Services Logs" --> "Microsoft" -->  "Windows" --> "Apps" --> "Microsoft-Windows-TWinUI/Operational" : I get one error that reads "Activation of the app winstore_cw5n1h2txyewy!Windows.Store for the
    Windows.Launch contract failed with error: The app didn't start."
    If you require any further information just let me know and I will provide as much as I can.
    Thanks

  • Built in domain administrator... locked out?

    PART-1
    Today our built-in domain administrator got locked out. From what I've read this is not possible. We were alerted on it and when I opened the object it said it was locked out. (I'll admit, I didn't try logging in with it.) I double checked and the object's
    SID does indeed end in -500, which is indicative of it being the built-in account.
    I ran this query:
    $BA=(get-addomain).domainsid
    $BA.tostring() + "-500"
    and the only result I got back was the SID that matched the user in question.
    What's going on? Was it truly locked out? I guess we will run a test tomorrow but I wanted to reach out to the forums too.
    PART-2
    Once this account was locked out we went to the source server and found that it was no longer on the domain. Instead it was in a workgroup that had a name that resembled our domain. I checked the event log and there were a ton of errors with event ID 4097
    that said "The machine [machine-name] attempted to join the domain [FQ-domain-name]\[FQDN-of-PDC] but failed. The error code was 1326". These errors correspond with the time that the account was locked out. There were a ton of them...
    The account that was originally used to join this machine to the domain was the built in admin above (I know, not best practice). Regardless, why would it switch from domain to a workgroup? Why would it attempt to auto re-join? And why would it use the account
    originally used to join the domain? 

    I have found my answers...
    Part 1:
    The built-in administrator will get locked out and marked as locked out; however, when you go to log in with it, it will AUTOMATICALLY unlock the account. So essentially it cannot be locked out, but it will give off the impression that it is.
    You can, however, disable the account. Supposedly, if you ever have to recover your domain in restore mode it will enable the account for you... never had an opportunity to test that and I hope I don't.
    Part 2:
    This is a VMware-related issue. The machine tried to re-run custom specs. Please see the following VMware article if you are having the same issue.
    http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2078352
    This is related to deploying machines with custom specs in 5.1 with hosts on build 1743533 (ESXi 5.1 patch 4)
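    The two findings above can be checked from a script rather than by opening the object by hand. This is an added example, not code from the thread: it locates the built-in account by its RID (-500) the same way the poster did, reports its lockout state on every DC (badPwdCount and lockoutTime are not replicated, so DCs can disagree), and then reads Security event 4740 on the PDC emulator, whose caller-computer field names the machine that sent the bad passwords (here, the re-customised VM). It assumes the RSAT ActiveDirectory module and rights to read the PDC's Security log.

```powershell
# Added example, not code from the thread. Report the built-in Administrator's
# lockout state per DC, then find which computer triggered the lockout (event 4740).
Import-Module ActiveDirectory

function Get-BuiltinAdminLockoutState {
    $domain     = Get-ADDomain
    $builtinSid = "$($domain.DomainSID.Value)-500"   # RID 500 = built-in Administrator
    foreach ($dc in Get-ADDomainController -Filter *) {
        $u = Get-ADUser -Identity $builtinSid -Server $dc.HostName `
             -Properties LockedOut, BadLogonCount, LastBadPasswordAttempt, Enabled
        [PSCustomObject]@{
            DC              = $dc.HostName
            Account         = $u.SamAccountName        # may have been renamed; the SID is authoritative
            Enabled         = $u.Enabled
            LockedOutFlag   = $u.LockedOut             # flag gets set, but is ignored at logon for RID 500
            BadLogonCount   = $u.BadLogonCount
            LastBadPassword = $u.LastBadPasswordAttempt
        }
    }
}

function Get-LockoutCallers {
    param([string]$Account, [int]$Hours = 24)
    # Lockouts are processed on the PDC emulator, which logs Security event 4740.
    $pdc    = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            [PSCustomObject]@{
                Time   = $_.TimeCreated
                User   = $data['TargetUserName']
                Caller = $data['TargetDomainName']   # in 4740 this field carries the caller computer name
            }
        } | Where-Object { $_.User -eq $Account }
}

$state = Get-BuiltinAdminLockoutState
$state | Format-Table -AutoSize
Get-LockoutCallers -Account $state[0].Account | Format-Table -AutoSize
```

The Caller column should point at the machine that fell back to the workgroup; its own System log will then show the 4097 join failures described in Part 2.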

  • Remote user received a "deny log on locally" policy - and is now locked out

    Hello,
    A traveling user received a "deny log on locally" policy remotely.
    He was accidentally added to a wrong group and is now locked out. 
    What are the steps to clear this policy?  We have a backup local admin account I can remote into.
    I appreciate any suggestions or comments. 

    > What are the steps to clear this policy?  We have a backup local admin
    > account I can remote into.
    Resolve the wrong setting, remote into the machine and issue "gpupdate
    /target:computer". Reboot and go ahead :)
    Martin
    Read a GOOD book about GPOs for once?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
