Guest Tim_S Posted February 3, 2008 Posted February 3, 2008 Well, today i applied the KB943485 patch to my SBS 2003 and Standard 2003 server in my domain.... I rebooted and bang... using the administrator (builtin) account would refuse to log in. The error was.... Local Security Policy won't permit interactive login This account would log - in fine before the patch's were applied. I applied KB941644 and KB943485 and I believe that the 485 was the one that changed security settings. I looked in the Domain Controller Security settings and the Administrator account is set to allow local login and it is not denied interactive login in any of the policy groupings.... I could log in using a normal user account that is also in the administrator group just fine. As that was my only means of getting back in... but the server\administrator account was inoperative. The only way I could get the Administrator account to be able to log in locally was to create/set a Domain Security Policy that explicitly allows the administrator to log in locally... If I remove that from the Domain security policy, the Domain Controller Security policy where it is also allowed is rejecting it.... go figure... you think the Administrator account should top all other accounts... but not in this case... geez
Guest Susan Bradley Posted February 3, 2008 Posted February 3, 2008 Re: kb943485 - Dreaded admin not able to log on locally after patch Tim_S wrote: > Well, today i applied the KB943485 patch to my SBS 2003 and Standard 2003 > server in my domain.... > > I rebooted and bang... using the administrator (builtin) account would > refuse to log in. The error was.... > > Local Security Policy won't permit interactive login > > This account would log - in fine before the patch's were applied. > > I applied KB941644 and KB943485 and I believe that the 485 was the one that > changed security settings. > > I looked in the Domain Controller Security settings and the Administrator > account is set to allow local login and it is not denied interactive login > in any of the policy groupings.... > > I could log in using a normal user account that is also in the administrator > group just fine. As that was my only means of getting back in... but the > server\administrator account was inoperative. > > The only way I could get the Administrator account to be able to log in > locally was to create/set a Domain Security Policy that explicitly allows > the administrator to log in locally... If I remove that from the Domain > security policy, the Domain Controller Security policy where it is also > allowed is rejecting it.... > > go figure... you think the Administrator account should top all other > accounts... but not in this case... > > geez > > There's nothing in those patches that would have changed that setting. By any chance did you change the membership of the Administrators? I've seen folks accidentally deny themselves because they add a membership that conflicts.
Recommended Posts