How to edit Local Security Policy from recovery console


  1. Posts : 16
    Win7 x64 Ultimate SP1
       #1


    Hi, is it possible to fix/repair local security policy from the recovery console? This is on a Win7 x64 Ultimate machine.

    I inadvertently stuffed the setting for "Access this computer from the network" by removing "Everyone" but not adding Authenticated Users before applying, and now I can't log in locally or remotely to my PC. For some reason there aren't any restore points either (my other PC with Win7 x64 Ultimate has many and I don't remember explicitly disabling or enabling them on either PC).

    Only thing I can do with it is access my network shared folders ironically!

    Any assistance would be greatly appreciated.


  2. Posts : 5,056
    Windows 7 x64 pro/ Windows 7 x86 Pro/ XP SP3 x86
       #2

    If you have a Windows 7 installation DVD or a system repair disk, you can boot the system with it. Select the default language, then choose "Repair your computer". Then select "Command Prompt". At the command prompt type:

    net user administrator /active:yes

    Hit Enter.

    Remove the DVD, reboot the computer, and log into the built-in Administrator account. Then undo the changes.


  3. Posts : 16
    Win7 x64 Ultimate SP1
    Thread Starter
       #3

    Awesome thanks for the quick reply. Will try it now.


  4. Posts : 16
    Win7 x64 Ultimate SP1
    Thread Starter
       #4

    It's rejecting the admin account login attempts saying the username or password is not valid.

    If I try my other admin or user accounts I still get the message
    "You can not log on because the log on method you are using is not allowed on this computer".

    I tried the ntrights tool from the Win2k3 Server Resource Kit and that didn't work as it doesn't work with x64 machines apparently.

    Any other ideas? Don't suppose you know what reg keys to edit? I can get to that at least!
    Last edited by SamCPP; 12 Apr 2011 at 08:10. Reason: Reg keys questions


  5. Posts : 5,056
    Windows 7 x64 pro/ Windows 7 x86 Pro/ XP SP3 x86
       #5

    The admin account that you unlocked with the "net user..." command is the builtin admin with a blank password. Did you get a "command completed successfully" message when you hit Enter? Also, when you rebooted, you should have seen 2 login icons: one or more for your regular accounts and one for the builtin Admin. Clicking on the Admin icon should get you inside Windows.

    Are you the owner/administrator of this computer? Do you set the security policies?

    Other than that, it's possible to edit the registry offline and make changes there but I'm not sure how exactly. It's also possible to copy the backup registry hives from the folder C:\windows\system32\config\regbak to C:\windows\system32\config folder. That'll restore the registry to a day or 2 ago. You can try doing that from the Win7 DVD/repair disk command prompt.


  6. Posts : 16
    Win7 x64 Ultimate SP1
    Thread Starter
       #6

    Bill2 said:
    The admin account that you unlocked with the "net user..." command is the builtin admin with a blank password. Did you get a command completed successfully message when you hit Enter? Also, when you rebooted, you should have seen 2 login icons- one or more for your regular accounts and one for the builtin Admin. Clicking on the Admin icon should get you inside windows.
    I'll give it another try. I might have locked it out with password attempts.

    Are you the owner/administrator of this computer? Do you set the security policies?
    Sadly yes. I was playing with Local Security Policies and did something I shouldn't have obviously. I was thinking it was either I removed "Everyone" from the "Access this computer from the network" or I removed "Users" from "Logon locally".

    Other than that, it's possible to edit the registry offline and make changes there but I'm not sure how exactly. It's also possible to copy the backup registry hives from the folder C:\windows\system32\config\regbak to C:\windows\system32\config folder. That'll restore the registry to a day or 2 ago. You can try doing that from the win7 dvd/repair disk command prompt.
    Just trying this one now actually. A fair few of the other methods found on Google don't work on Win7 x64 recovery console!


  7. Posts : 16
    Win7 x64 Ultimate SP1
    Thread Starter
       #7

    Getting late here. I'm going to have to give up until tomorrow! Thanks for your help. Still got to retry the Administrator login one again.


  8. Posts : 16
    Win7 x64 Ultimate SP1
    Thread Starter
       #8

    Well got an update. I can get to my secpol.msc now and edit the local security policy. Can't work out how to allow myself in though so just need to work out what the error message implies about my security settings.

    The way I got in was using Harry Johnston's guide, "Resetting a password in Windows 7 or Windows Vista" (Harry Johnston's Blog).

    My administrator password is correct but still getting the error message:

    "You cannot log on because the method you are using is not allowed on this computer"

    when trying to logon locally and this for RDP:

    "To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop Users group does not have this right, you must be granted this right manually."


  9. Posts : 16
    Win7 x64 Ultimate SP1
    Thread Starter
       #9

    SUCCESS! The issue was actually a pretty obscure one. Somehow the HomeGroup group was added to Deny Logon locally and my administrator account and user account were both members of that group. I'm sure I didn't touch that group at all but all good now.
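The root cause found in this thread (a group listed under a Deny logon right overriding the Allow right its members also hold) can be checked from an exported policy. The following is an added example, not part of the original posts: it parses the [Privilege Rights] section of a `secedit /export /cfg rights.inf /areas USER_RIGHTS` file and reports which logon types an account effectively has. The sample INF text, the group name HomeUsers (standing in for the HomeGroup group) and the account's membership list are constructed assumptions.

```python
# Constructed sample shaped like the output of
# `secedit /export /cfg rights.inf /areas USER_RIGHTS` (HomeUsers is assumed).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyInteractiveLogonRight = Guest,HomeUsers
SeDenyRemoteInteractiveLogonRight = HomeUsers
[Version]
signature="$CHICAGO$"
"""

# Allow right -> the deny right that takes precedence over it.
LOGON_RIGHTS = {
    "SeInteractiveLogonRight": "SeDenyInteractiveLogonRight",
    "SeRemoteInteractiveLogonRight": "SeDenyRemoteInteractiveLogonRight",
    "SeNetworkLogonRight": "SeDenyNetworkLogonRight",
}

def parse_privilege_rights(inf_text):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {
                p.strip().lstrip("*") for p in value.split(",") if p.strip()}
    return rights

def effective_logon(rights, principals):
    """principals: the account's own name/SID plus every group it belongs to.
    Returns {allow_right: 'allowed' | 'not granted' | 'denied via <name>'}."""
    mine = {p.lower() for p in principals}
    result = {}
    for allow, deny in LOGON_RIGHTS.items():
        denied = sorted(p for p in rights.get(deny, set()) if p.lower() in mine)
        granted = any(p.lower() in mine for p in rights.get(allow, set()))
        if denied:
            result[allow] = "denied via " + denied[0]
        else:
            result[allow] = "allowed" if granted else "not granted"
    return result
```

With the sample above, an administrator who is also a member of HomeUsers is denied local and Remote Desktop logon but still has network logon, which matches the symptoms described in posts #1 and #8.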


 
