OxygenITSolutions
asked on
Restricted Groups in 2008 Server - Locked Domain Admins out through Group Policy
Client added Administrator groups to Restricted groups in Group Policy.
Now admins cannot log in to Domain controller.
Workaround anyone?
Now admins cannot log in to Domain controller.
Workaround anyone?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Have you tried to do runas?
Ex:
runas /user:domain\administrator
Should be able to issue that command when you login as a regular user and elevate your priviliges. You might be able to do this also.
runas /user:domain\administrator
Enter the password for the DA account and then do this one.
net localgroup administrators domain\administrator /add
Replace domain with your domain name..
Ex:
runas /user:domain\administrator
Should be able to issue that command when you login as a regular user and elevate your priviliges. You might be able to do this also.
runas /user:domain\administrator
Enter the password for the DA account and then do this one.
net localgroup administrators domain\administrator /add
Replace domain with your domain name..
Do you have an account that is a member of the group policy Creator owner?
You can use this account to modify the GPO and reverse what was done.
Administrator is a member of this group, but you need to have GPMC locally installed.
Are you able to log into a server (non DC) that has GPMC installed on it?
login as domain\administrator and run GPMC you can then reset the restricted group policy to add domain admins to the Administrators group and you should be set.
As kshays pointed out, but use gpmc.msc as the command to rn
runas /user:administrator@domain
Once you have GPMC running, you should be able to use the group policy results wizard to locate the GPO that restricts the Administrators group and you would have to edit it to add the accounts that should be members of this group.
You can use this account to modify the GPO and reverse what was done.
Administrator is a member of this group, but you need to have GPMC locally installed.
Are you able to log into a server (non DC) that has GPMC installed on it?
login as domain\administrator and run GPMC you can then reset the restricted group policy to add domain admins to the Administrators group and you should be set.
As kshays pointed out, but use gpmc.msc as the command to rn
runas /user:administrator@domain
Once you have GPMC running, you should be able to use the group policy results wizard to locate the GPO that restricts the Administrators group and you would have to edit it to add the accounts that should be members of this group.
ASKER
Although I couldn't use one of the joined laptops, I ended up joining my own XP machine to the Domain and was able to access and manage AD. Saved me a huge hassle. Thanks Very much.
ASKER