Locked out – No interactive logins!

I did the unimaginable! Friday night, I was playing around with security policies. I had created an account for web applications (WebUser) to be used in IIS about a year back. The account would be displayed on my Windows XP login page as one of the users. I didn’t know how to switch that off until recently. So I went into Local Security Policy and denied interactive login rights to this user. I again went in and was looking for another user and accidentally chose Administrators. But I thought I cancelled out the policy. However, it appears I didn’t. After I came back to the laptop after 1/2 hour or so, I couldn’t get past the Windows Locked dialog.

I had tons of personal data. My wife and son were also using the laptop. Their accounts were part of the Administrators group and I couldn’t get in. Even though I knew the passwords for our accounts and that of the Administrator, I couldn’t login. My nightmare was only starting. I didn’t remember the login password for the WebUser account. So guessing this password was my way out. However much I tried for a few hours late Friday, I couldn’t remember this password. After all it has been a year since I had created the account and had never used it. Hence I didn’t remember it.

I called Dell Support and the technician quickly asked me some questions. He really didn’t understand what Interactive logon was when I said I was trying to deny this right to a user. However, he suggested my only option was to re-install the O/S. I said I will get back to him as I wanted to be sure.

My research started on Google. I found out that there is a tool, ntrights.exe, that can take away rights from the command prompt. You need to run this from another computer on the network. I dug up my old Windows 2000 laptop; I knew it was on the same network. However, I couldn’t see my XP laptop in the network neighborhood. I thought this was because I had changed my home network setting recently. So I waited till Rama went to her center Saturday morning to get her XP back. This was definitely on the same network.

Still the same problem. I couldn’t see my laptop from hers. What had happened was in trying out several things, I had rebooted my laptop and without a valid login, there was no IP address assigned. This was my thought.

I further found the tool ‘Offline Windows registry editor’. This tool can reset the password for any user and even make a user an Administrator from the command prompt. To get to the command prompt, you need a Windows boot CD. Luckily this tool came on a bootable CD. I was delighted to see the list of users on my laptop. I reset the password for WebUser and in a senior moment, I also made the user an Administrator. Suddenly I realized I wouldn’t be able to login as Administrators were denied Interactive Logon rights! I had screwed myself up pretty badly.

I even found the ‘Ultimate Boot CD’. Its password reset tool didn’t help. I ran into a ‘driver not found’ issue. Finally Saturday evening I ended up calling Dell Support again and had to re-init my laptop. My backup from 5 months ago saved me a lot of further nightmares. Luckily I do most of my work on my work laptop and hence I didn’t really lose too much data. All through I had the peace of mind that my media files were safely backed up.

So here are a few lessons learnt.
– Every dollar you spend on a good backup system/software is worth it. I have two external hard drives with 250GB and 500GB capacity. One Western Digital and one Seagate.
– Having an external drive and not backing up regularly is like shooting yourself in the foot with a nice gun! Backup at least weekly. Put it on an automatic schedule. Let it run through the night. It is worth every cent you spend on energy.
– You can use a bigger capacity flash drive to backup personal documents more regularly if the complete or incremental backup is time consuming and you can’t get it to start for any reason.
– If you lock yourself out of a system, don’t reboot until you know for sure. You might be able to get onto the system remotely.
– Get hold of the ‘Offline Registry editor’ tool and keep the Ultimate Boot CD handy.
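
The mistake described above, denying interactive logon to Administrators, can be caught before the screen locks. The following is an added example, not part of the original post: it checks the text of a `secedit /export /cfg rights.inf /areas USER_RIGHTS` export for deny-logon rights that name a group covering every administrator. The sample export is constructed, and the function names are hypothetical.

```python
# Added example: lint a secedit user-rights export for the lockout in this post.
# Principals that cover every administrator on the box (well-known SIDs/names).
COVERS_ADMINS = {
    "*s-1-5-32-544", "administrators",   # BUILTIN\Administrators
    "*s-1-1-0", "everyone",              # Everyone
    "*s-1-5-11", "authenticated users",  # Authenticated Users
}
# Deny rights; a deny entry overrides the matching allow right.
DENY_RIGHTS = {
    "SeDenyInteractiveLogonRight": "local (console) logon",
    "SeDenyRemoteInteractiveLogonRight": "Remote Desktop logon",
    "SeDenyNetworkLogonRight": "network logon",
}

# Constructed sample in the INF layout secedit writes; not from the post.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = WebUser,*S-1-5-32-544
SeDenyNetworkLogonRight = Guest
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def lockout_findings(inf_text):
    """List (right, principal, logon path) where a deny right hits all admins."""
    rights = parse_privilege_rights(inf_text)
    return [(right, who, path)
            for right, path in DENY_RIGHTS.items()
            for who in rights.get(right, [])
            if who.lower() in COVERS_ADMINS]

if __name__ == "__main__":
    for right, who, path in lockout_findings(SAMPLE_INF):
        print(f"LOCKOUT RISK: {right} names {who}; admins lose {path}")
```

Real secedit exports are usually UTF-16 encoded, so read the file with `encoding="utf-16"` before passing its text to `lockout_findings`.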

