Removing Domain Controller Policy Denying Administrators Logon Access on ADS
Posted on 2003-03-24
Here's a mouth watering one for you, and a should provide a good laugh if anything.
On a single domain control Win2k server a set of documents where encrypted using EFS for added security. In fact the administrator was so security minded that she completely lockdown the system as much as possible using every possible Group Policy on every possible level and OU. So much so that she even denyed herself logon access to the one and only server (with the one and only admin account), rebooted the system and could no longer logon.
The documents are ironically business critical and available on a shared folder, so they are visible from the network to any other user, but sadly not avaiblable for access or copying in any way whatsoever.
So, she still has the admin password, but can't logon with it, can see the files using any user account, but can't open them due to the EFS encryption whose key is held by the one and only admin account. The key is intact, the account exists, just not accessible and the files are visible, but you can't copy them or do anything else with them, because access is denied.
No other account exists with any level of control on the system, (i.e. only 1 admin account and the rest are user accounts). No backup, no way out except to remove the restrictions on the admin loggin so that the files maybe decrypted and things put to rights.
Should anyone have time after rofl, and have a bright spark of an idea, please help the poor soul.
A kind and carring boyfriend!