?
Solved

Removing Domain Controller Policy Denying Administrators Logon Access on ADS

Posted on 2003-03-24
7
Medium Priority
?
927 Views
Last Modified: 2013-12-04
Here's a mouth watering one for you, and a should provide a good laugh if anything.

On a single domain control Win2k server a set of documents where encrypted using EFS for added security. In fact the administrator was so security minded that she completely lockdown the system as much as possible using every possible Group Policy on every possible level and OU. So much so that she even denyed herself logon access to the one and only server (with the one and only admin account), rebooted the system and could no longer logon.

The documents are ironically business critical and available on a shared folder, so they are visible from the network to any other user, but sadly not avaiblable for access or copying in any way whatsoever.

So, she still has the admin password, but can't logon with it, can see the files using any user account, but can't open them due to the EFS encryption whose key is held by the one and only admin account. The key is intact, the account exists, just not accessible and the files are visible, but you can't copy them or do anything else with them, because access is denied.

No other account exists with any level of control on the system, (i.e. only 1 admin account and the rest are user accounts). No backup, no way out except to remove the restrictions on the admin loggin so that the files maybe decrypted and things put to rights.

Should anyone have time after rofl, and have a bright spark of an idea, please help the poor soul.

A kind and carring boyfriend!
0
Comment
Question by:NeonKnight
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 4

Expert Comment

by:Ghost_Hacker
ID: 8199391
Ahhhh...EFS strikes again!!!


This article may help in resetting the user rights in group policy to the defaults.


http://support.microsoft.com/?kbid=226243


Good Luck :)

0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8205779
If she can access the adminsitartive share from another workstation \\servername\C$, she can browse to the C:\Winnt\System32\Gropu Policy folder.  If she modifies the rights on the folder so she still has full control, but does not have read or execute access, the polices will not apply to her.  

I am not sure this will cure the local policy inforce denying her ability to login.  Hopefully terminal services is installed, she could access the Domain Controller Security policy through a Terminal Services session.
0
 

Accepted Solution

by:
NeonKnight earned 0 total points
ID: 8223730
Ok, sorry for the delay, and many thanks for your help guys but...

... this is what has happened (I am posting this in the hope that it will be of some use to anyone else).

GH & MSG: your pointers were very helpful unfortunately, it required that you had some sort of backdoor user with some rights/terminal server, etc. I porbably hadn't explained that there was only one other user on the system and unfortunately he was merely a domain user.

I probably hadn't explained that the server was being setup (out of the box) and the first and only server on the domain. No rights had been set-up for anyone else but the Admin and the deny logon was applied to the whole Admin group. The files that were encrypted under the Admin login were on a share but you could not touch them.

Basically, the machine was locked down tighter than... Anyway, here's what I did...

 *** Method 1 - DID NOT WORK ***
1) I got my g/f to bring the machine home from work.
2) Following the I then attempted to create new group templates on another machine.
3) Luckily, the security options: <Recovery Console: Allow automatic administrative logon> and <Recovery Console: Allow floppy copy and access to all drives and all folders> were enabled - amazingly!
4) I copied the new templates using the recovery console... HOWEVER:
5) On applying the new templates (as per MS Knowledge Base article 226243 above)... things didn't go quiet to plan!

Reason: No rights to modify group policy using secedit or any other means.

 *** Method 2 - DID WORK ***

After attempting to play about with .adm .pol .inf and such files and policies etc. both through the use of the recovery console and safe logon, etc...

The only option for me was to do the following:
1) I took the machine apart and removed the hard drive!
2) I placed the drive in another Win2K machine as a slave - it had to be another NTFS machine.
3) I purchsed a copy of the most excellent - Advanced EFS Data Recovery tool (AEFSDR), $99 from:
   www.elcomsoft.com
4) As I had the following from my g/f:

   a.The admin user name and password,
   b.The intact keys on the original drive
   (both required by AEFSDR)

   I was able to decrypt all the business critical files and make lots of back-ups of them.
5) I rebuilt the machine and returned it to my g/f with a lot of ZIP disks full of data.

I hope my g/f's story and plight will serve as a lesson to other's (sadly I fear it will not)!
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 9

Expert Comment

by:MSGeek
ID: 8224063
I hope you created a backup admin account.   Hopefully she will start taking policies more seriously, they are one of Microsfts steps (small) toward building a secure OS.  EFS is about the only really secure thing they have made, and if you use it you better know how it works and have a backup key!

I would post a request under community support with a copy of the URL to this question to get it closed, that is if Ghost Hacker does not object.
0
 
LVL 4

Expert Comment

by:Ghost_Hacker
ID: 8225791
No objection from me! Thanks for posting the solution to your problem. That's one to file away. :-)
0
 

Expert Comment

by:CleanupPing
ID: 9070620
NeonKnight:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…
In this video, Percona Solution Engineer Dimitri Vanoverbeke discusses why you want to use at least three nodes in a database cluster. To discuss how Percona Consulting can help with your design and architecture needs for your database and infras…
Suggested Courses
Course of the Month10 days, 8 hours left to enroll

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question