#1
administrator locked out of SBS 2003

I think I have managed to lock the administrator out of logging onto our SBS 03 server. Whilst installing VMware server 2, the installation kept failing, reporting "System Administrator has set policies to prevent this installation." ....I was logged on as administrator. To resolve this problem I followed a suggestion to access the local security policy and amend it. As it was an SBS 03 box, I had to create a new blank policy in the Domain controller security policy, and then change the properties to enforce for all users except administrators. This then allowed the VMware server installation to complete.

I have restarted the server numerous times after this installation 2 days ago. For some reason today when I try to log on to the server as administrator at the console I now get "The local policy of this system does not permit you to log on interactively."

Any suggestions would be greatly appreciated.

PS. I do have a system state backup from before the VMware server upgrade and any issues were experienced. Thanks in advance.

#2

Have you tried logging in remotely? What about safe mode? Do you have any other admin accounts set up? Check if any deny includes any group that the user is a member of. Deny overrides allow, even for administrators.

Two things to try. One, create a new user, then add it to the domain admins group. Try to log on to the console using this account. Second, see which groups the administrator is a member of and post back here.

#3
Re: administrator locked out of SBS 2003

If you edited a GPO that's the cause of this, safe mode won't help. What happens if you just log into the SBS remotely and disable the new policy? Then open a cmd prompt and do gpupdate /force - can you then log in locally to the server?

#4
Re: administrator locked out of SBS 2003

Hi Dave, There was no disable, so I deleted the policy. Performed the gpupdate /force and tried unsuccessfully to log on at the console. Same error: "The local policy of this system does not permit you to log on interactively". I also checked the user access rights whilst there, and permit logon locally is allowed for administrators, and deny logon locally does not include the administrators.

#5
Re: administrator locked out of SBS 2003

No, I made sure of that when I did my checks... compared it to another SBS box I administrate, all exactly the same after the deletion of the software restriction policy. I was going to have a search of the GPOs over the weekend and hope I find something. Even the VMware KBs, as I've already discovered that server V2.0 will not run with RRAS running, though it's not documented.

#6
Re: administrator locked out of SBS 2003

The domain controller security policy > software restriction policy. I created a new policy and then in the properties of the new policy selected "applies to all users except administrators". That allowed the installation of VMware server to complete. I have since deleted this policy.

#7
Re: administrator locked out of SBS 2003

Did you do this for the user or the computer settings of the GPO? What restrictions did you configure within the software restriction policy? Did you do this by direction of a VMware document or guidance from a blog? Deleting a policy does not necessarily undo the settings that were applied.

#8
Re: administrator locked out of SBS 2003

1. Administrative tools\Domain controller security settings > there is no user settings there.
2. "applies to all users except administrators"
3. This is a known issue when installing VMware server 2.0, I was guided by a link to the document on the VMware site.

#9
Re: administrator locked out of SBS 2003

Here are the release notes: http://www.vmware.com/support/server...vmserver2.html Third issue in the known issues list. Which then led me to the following post:

This worked perfectly for me - I was having issues installing the latest VMWare 2.0 RC1 on Win 2K3 Enterprise, getting the policy error and these steps solved the problem for me and I was able to install just fine. This worked for me:

Click Start -> Control Panel
Open Administrative Tools
Open Local Security Settings
Click Software Restriction Policies
If no software restrictions are defined, right click the Software Restriction Policies node and select New Software Restriction Policy
Double click Enforcement
Select "All users except local administrators"
Click OK
Reboot the machine

#10
Re: administrator locked out of SBS 2003

OK, so I followed your links and the references and see where only the enforcement was set. My suspicion is that the policy change 'tattooed' the registry and so it remains in effect. You should be able to review the following article, back up the registry (standard disclaimer applies) and examine for residuals of your policy change. http://technet.microsoft.com/en-us/l.../bb457006.aspx

I'm not confident on how best to undo the changes that this has made to your system, as I'd have to lab it and test it. I think your best and most expedient method is to get MS support involved to hang with you through resolution on this one.

#11

I have managed to identify the cause of this issue with the assistance of a co-worker. The Domain Admins group was a member of the Remote Operators group. The Remote Operators group by default is included in the "Deny log on locally" local security policy settings. Thanks for your help kj and input Joe. Much appreciated.
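
The cause found in post #11, as an added example that is not part of the original thread: a check that walks nested group membership against the interactive-logon user rights and reports which nesting path hits the deny entry. The INF text is a constructed, simplified stand-in for a `secedit /export` user-rights section (names instead of SIDs), and the membership map and function names are assumptions made for illustration.

```python
import configparser

# Constructed sample: the [Privilege Rights] section of a `secedit /export`
# file, simplified to use account names instead of SIDs.
SAMPLE_INF = """\
[Privilege Rights]
SeInteractiveLogonRight = Administrators,Backup Operators
SeDenyInteractiveLogonRight = Remote Operators
"""

# Constructed group nesting (member -> groups it belongs to directly),
# mirroring the misconfiguration described in post #11.
MEMBER_OF = {
    "Administrator": ["Domain Admins", "Administrators"],
    "Domain Admins": ["Administrators", "Remote Operators"],
}

def parse_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of the right names
    cp.read_string(inf_text)
    return {right: [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
            for right, value in cp["Privilege Rights"].items()}

def membership_paths(account, member_of):
    """Map every group reachable from account to the nesting path reaching it."""
    paths, stack = {account: [account]}, [account]
    while stack:
        current = stack.pop()
        for group in member_of.get(current, []):
            if group not in paths:  # also guards against circular nesting
                paths[group] = paths[current] + [group]
                stack.append(group)
    return paths

def interactive_logon(account, rights, member_of):
    """Return (allowed, path); a deny match wins over any allow match."""
    paths = membership_paths(account, member_of)
    for principal in rights.get("SeDenyInteractiveLogonRight", []):
        if principal in paths:
            return False, paths[principal]
    for principal in rights.get("SeInteractiveLogonRight", []):
        if principal in paths:
            return True, paths[principal]
    return False, []
```

Checking only the direct members of the allow and deny lists, as in post #4, misses this case; the deny entry is reached two levels down through Domain Admins.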