March 30, 2004 12:00 AM

Logon Rejection

Windows IT Pro
InstantDoc ID #41778

A while back, a new administrator reset some computers' account passwords (i.e., not users' account passwords) in my company's domain. The next day, no one could log on to these machines. Users received the error message "You do not have the right to log on to this computer." The computers even rejected members of their own local Administrators group.

I tried using the computers' local Administrator accounts to log on, but I received the same error message. To make matters worse, my boss couldn't log on to his notebook. (The administrator hadn't reset my boss's computer's account password.)

Our Group Policy-based security policy hadn't changed in the past month, so I couldn't figure out what was causing the problems. I suspected that some settings were corrupt, but I didn't know how I would reset them because I couldn't log on.

Finally, I accessed the computers through the network. I started the Telnet service and used a Telnet session to connect to the troublesome computers. Then, I entered

secedit /refreshpolicy machine_policy /enforce

at the remote machine's command prompt to force the computer to reapply the Group Policy from the domain controller (DC). (I needed to use the Secedit command because Windows 2000 doesn't reapply Group Policy if the policy hasn't changed.)

Users were then able to log on again—except my boss, whose computer still denied him access. I searched the Microsoft Knowledge Base and didn't find an obvious solution, although the Microsoft article "How to Set Logon User Rights by Using the NTRights Utility" (http://support.microsoft.com/?kbid=315276) gave me the idea to try the Microsoft Windows 2000 Server Resource Kit's Ntrights utility. I opened a command prompt on a different computer and entered

ntrights +r SeInteractiveLogonRight -u "everyone" -m \\<bosscomputer>

Voilà! The system accepted my boss's logon attempt.

I'm still not sure what caused the logon problems. In addition, I don't know what I would have done if I hadn't been able to connect to the systems remotely.
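
The Ntrights command above changes which accounts hold SeInteractiveLogonRight on the machine. As an added example (not part of the original article), the Python below audits that right and its deny counterpart in a security template; it assumes the template text came from `secedit /export /cfg rights.inf /areas USER_RIGHTS`, and the function names and SAMPLE_INF contents are constructed for illustration.

```python
# Added example: audit interactive-logon rights in a security template
# exported with `secedit /export /cfg rights.inf /areas USER_RIGHTS`.
# SAMPLE_INF is constructed; real exports are usually UTF-16, so decode first.

EVERYONE = "*S-1-1-0"              # well-known SID for Everyone
ADMINISTRATORS = "*S-1-5-32-544"   # well-known SID for BUILTIN\Administrators
ALIASES = {"everyone": EVERYONE, "administrators": ADMINISTRATORS}

SAMPLE_INF = """\
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-551
SeDenyInteractiveLogonRight = Guest
[Version]
signature="$CHICAGO$"
"""

def parse_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            members = [p.strip() for p in value.split(",") if p.strip()]
            rights[name.strip()] = [ALIASES.get(m.lower(), m) for m in members]
    return rights

def audit_interactive_logon(inf_text):
    """List findings about who may log on at the console."""
    rights = parse_rights(inf_text)
    allow = rights.get("SeInteractiveLogonRight", [])
    deny = rights.get("SeDenyInteractiveLogonRight", [])
    findings = []
    if not allow:
        findings.append("no principal holds SeInteractiveLogonRight")
    elif ADMINISTRATORS not in allow and EVERYONE not in allow:
        findings.append("Administrators group is not listed for SeInteractiveLogonRight")
    if EVERYONE in allow:
        findings.append("Everyone is granted SeInteractiveLogonRight")
    for p in deny:
        if p in allow or p in (EVERYONE, ADMINISTRATORS):
            findings.append(f"deny entry {p} overrides an allowed principal")
    return findings

if __name__ == "__main__":
    print(audit_interactive_logon(SAMPLE_INF))
```

Running the same audit before and after a change such as the Ntrights grant shows exactly which assignment moved, and flags a grant to Everyone that should later be narrowed to the groups that need console logon.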
