Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: How to edit Local Security Policy from recovery console

12 Apr 2011   #1
SamCPP

Win7 x64 Ultimate SP1
 
 
How to edit Local Security Policy from recovery console

Hi is it possible to fix/repair local security policy from the recovery console? This is on a Win7 x64 Ultimate machine.

I inadvertently stuffed the setting for "Access this computer from the network" by removing "Everyone" but not adding Authenticated Users before applying and can't login locally or remotely to my PC. For some reason there aren't any restore points either (my other PC with Win7 x64 Ultimate has many and I don't remember explicitly disabling or enabling on either PC).

Only thing I can do with it is access my network shared folders ironically!

Any assistance would be greatly appreciated.


My System SpecsSystem Spec
.
12 Apr 2011   #2
Bill2

Windows 7 x64 pro/ Windows 7 x86 Pro/ XP SP3 x86
 
 

If you have a Windows 7 installation DVD or a system repair disk, you can boot the system with it. Select the default language, then choose "Repair your computer". Then select "Command Prompt". At the command prompt type:

net user administrator /active:yes

Hit Enter.

Remove the DVD, reboot the computer, and log into the built-in Administrator account.Then undo the changes.
My System SpecsSystem Spec
12 Apr 2011   #3
SamCPP

Win7 x64 Ultimate SP1
 
 

Awesome thanks for the quick reply. Will try it now.
My System SpecsSystem Spec
.

12 Apr 2011   #4
SamCPP

Win7 x64 Ultimate SP1
 
 

It's rejecting the admin account login attempts saying the username or password is not valid.

If I try my other admin or user accounts I still get the message
"You can not log on because the log on method you are using is not allowed on this computer".

I tried the ntrights tool from the Win2k3 Server Resource Kit and that didn't work as it doesn't work with x64 machines apparently.

Any other ideas? Don't suppose you know what reg keys to edit? I can get to that at least!
My System SpecsSystem Spec
12 Apr 2011   #5
Bill2

Windows 7 x64 pro/ Windows 7 x86 Pro/ XP SP3 x86
 
 

The admin account that you unlocked with the "net user..." command is the builtin admin with a blank password. Did you get a command completed successfully message when you hit Enter? Also, when you rebooted, you should have seen 2 login icons- one or more for your regular accounts and one for the builtin Admin. Clicking on the Admin icon should get you inside windows.

Are you the owner/administrator of this computer? Do you set the security policies?

Other than that, its possible to edit the registry offline and make changes there but I'm not sure how exactly. Its also possible to copy the backup registry hives from the folder C:\windows\system32\config\regbak to C:\windows\system32\config folder. That'll restore the registry to a day or 2 ago. You can try doing that from the win7 dvd/repair disk command prompt.
My System SpecsSystem Spec
12 Apr 2011   #6
SamCPP

Win7 x64 Ultimate SP1
 
 

Quote   Quote: Originally Posted by Bill2 View Post
The admin account that you unlocked with the "net user..." command is the builtin admin with a blank password. Did you get a command completed successfully message when you hit Enter? Also, when you rebooted, you should have seen 2 login icons- one or more for your regular accounts and one for the builtin Admin. Clicking on the Admin icon should get you inside windows.
I'll give it another try. I might have locked it out with password attempts.

Quote:
Are you the owner/administrator of this computer? Do you set the security policies?
Sadly yes. I was playing with Local Security Policies and did something I shouldn't have obviously. I was thinking it was either I removed "Everyone" from the "Access this computer from the network" or I removed "Users" from "Logon locally".

Quote:
Other than that, its possible to edit the registry offline and make changes there but I'm not sure how exactly. Its also possible to copy the backup registry hives from the folder C:\windows\system32\config\regbak to C:\windows\system32\config folder. That'll restore the registry to a day or 2 ago. You can try doing that from the win7 dvd/repair disk command prompt.
Just trying this one now actually. A fair few of the other methods found on google don't work on Win7 x64 recovery console!
My System SpecsSystem Spec
12 Apr 2011   #7
SamCPP

Win7 x64 Ultimate SP1
 
 

Getting late here. I'm going to have to give up until tomorrow! Thanks for your help. Still got to retry the Administrator login one again.
My System SpecsSystem Spec
13 Apr 2011   #8
SamCPP

Win7 x64 Ultimate SP1
 
 

Well got an update. I can get to my secpol.msc now and edit the local security policy. Can't work out how to allow myself in though so just need to work out what the error message implies about my security settings.

The way I got in was using Harry Johnston's guide to "Resetting a password in Windows 7 or Windows Vista" - Resetting a password in Windows 7 or Windows Vista Harry Johnston's Blog

My administrator password is correct but still getting the error message:

"You cannot log on because the method you are using is not allowed on this computer"

when trying to logon locally and this for RDP:

"To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop Users group does not have this your, you must be granted this right manually."
My System SpecsSystem Spec
13 Apr 2011   #9
SamCPP

Win7 x64 Ultimate SP1
 
 

SUCCESS! The issue was actually a pretty obscure one. Somehow the HomeGroup group was added to Deny Logon locally and my administrator account and user account were both members of that group. I'm sure I didn't touch that group at all but all good now.
My System SpecsSystem Spec
Reply

 How to edit Local Security Policy from recovery console




Thread Tools




Similar help and support threads
Thread Forum
Local security policy in windows 7
Hi guys, Need your guidance in understanding Local security policy 1) I have configured local security policy in windows 7 professional under run-->secpol.msc--> Securuity policies-->Account policy---->Password policy a) Minimum password length is set to 8 characters b) Password must meet...
General Discussion
Local Security Policy
Hi Im wondering if someone can help me disable the run command in windows 7 local security policy for local users, i can apply a number of different setting but i can seem to the policy for run command thanks
General Discussion
Local Security Policy problem
Hello I am using Windows 7 Ultimate x64 and trying to change a few simple policy's' I am currently the only user on the computer. When I open the Local Security Policy editor I get no useful settings or options.
Network & Sharing
Local Security Policy Recommended Changes?
Hi there. (1st time poster, long time reader) Would would you recommmend changing (for security reasons) from the original default settings in local security policy. I'm connecting directly to a modem with a single PC that's not used for file sharing or remote use etc. Thanks for any...
System Security
Group Policy Editor or Local Security Policy
Will either of these allow me to restrict drive access to a single user only? I've tried to restrict drive access with Group Policy Editor but it applies the restriction globally--even to me the administrator. Could anyone let me know if this is possible and how to do it? Much thanks.
System Security
Cannot find local security policy
Hey guys, I'm using windows 7 ultimate,I recently found that in my administrative tools, there is no "local security policy". I tried to add the snapin through mmc there also i cannot find local security policy. should i register any .dll file? Any help would be appreciated... :)
General Discussion


Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 05:55.
Twitter Facebook Google+ Seven Forums iOS App Seven Forums Android App