Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Removing Domain Controller Policy Denying Administrators Logon Access on ADS

Posted on 2003-03-24
Medium Priority
Last Modified: 2013-12-04
Here's a mouth watering one for you, and a should provide a good laugh if anything.

On a single domain control Win2k server a set of documents where encrypted using EFS for added security. In fact the administrator was so security minded that she completely lockdown the system as much as possible using every possible Group Policy on every possible level and OU. So much so that she even denyed herself logon access to the one and only server (with the one and only admin account), rebooted the system and could no longer logon.

The documents are ironically business critical and available on a shared folder, so they are visible from the network to any other user, but sadly not avaiblable for access or copying in any way whatsoever.

So, she still has the admin password, but can't logon with it, can see the files using any user account, but can't open them due to the EFS encryption whose key is held by the one and only admin account. The key is intact, the account exists, just not accessible and the files are visible, but you can't copy them or do anything else with them, because access is denied.

No other account exists with any level of control on the system, (i.e. only 1 admin account and the rest are user accounts). No backup, no way out except to remove the restrictions on the admin loggin so that the files maybe decrypted and things put to rights.

Should anyone have time after rofl, and have a bright spark of an idea, please help the poor soul.

A kind and carring boyfriend!
Question by:NeonKnight

Expert Comment

ID: 8199391
Ahhhh...EFS strikes again!!!

This article may help in resetting the user rights in group policy to the defaults.


Good Luck :)


Expert Comment

ID: 8205779
If she can access the adminsitartive share from another workstation \\servername\C$, she can browse to the C:\Winnt\System32\Gropu Policy folder.  If she modifies the rights on the folder so she still has full control, but does not have read or execute access, the polices will not apply to her.  

I am not sure this will cure the local policy inforce denying her ability to login.  Hopefully terminal services is installed, she could access the Domain Controller Security policy through a Terminal Services session.

Accepted Solution

NeonKnight earned 0 total points
ID: 8223730
Ok, sorry for the delay, and many thanks for your help guys but...

... this is what has happened (I am posting this in the hope that it will be of some use to anyone else).

GH & MSG: your pointers were very helpful unfortunately, it required that you had some sort of backdoor user with some rights/terminal server, etc. I porbably hadn't explained that there was only one other user on the system and unfortunately he was merely a domain user.

I probably hadn't explained that the server was being setup (out of the box) and the first and only server on the domain. No rights had been set-up for anyone else but the Admin and the deny logon was applied to the whole Admin group. The files that were encrypted under the Admin login were on a share but you could not touch them.

Basically, the machine was locked down tighter than... Anyway, here's what I did...

 *** Method 1 - DID NOT WORK ***
1) I got my g/f to bring the machine home from work.
2) Following the I then attempted to create new group templates on another machine.
3) Luckily, the security options: <Recovery Console: Allow automatic administrative logon> and <Recovery Console: Allow floppy copy and access to all drives and all folders> were enabled - amazingly!
4) I copied the new templates using the recovery console... HOWEVER:
5) On applying the new templates (as per MS Knowledge Base article 226243 above)... things didn't go quiet to plan!

Reason: No rights to modify group policy using secedit or any other means.

 *** Method 2 - DID WORK ***

After attempting to play about with .adm .pol .inf and such files and policies etc. both through the use of the recovery console and safe logon, etc...

The only option for me was to do the following:
1) I took the machine apart and removed the hard drive!
2) I placed the drive in another Win2K machine as a slave - it had to be another NTFS machine.
3) I purchsed a copy of the most excellent - Advanced EFS Data Recovery tool (AEFSDR), $99 from:
4) As I had the following from my g/f:

   a.The admin user name and password,
   b.The intact keys on the original drive
   (both required by AEFSDR)

   I was able to decrypt all the business critical files and make lots of back-ups of them.
5) I rebuilt the machine and returned it to my g/f with a lot of ZIP disks full of data.

I hope my g/f's story and plight will serve as a lesson to other's (sadly I fear it will not)!
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.


Expert Comment

ID: 8224063
I hope you created a backup admin account.   Hopefully she will start taking policies more seriously, they are one of Microsfts steps (small) toward building a secure OS.  EFS is about the only really secure thing they have made, and if you use it you better know how it works and have a backup key!

I would post a request under community support with a copy of the URL to this question to get it closed, that is if Ghost Hacker does not object.

Expert Comment

ID: 8225791
No objection from me! Thanks for posting the solution to your problem. That's one to file away. :-)

Expert Comment

ID: 9070620
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
Post your closing recommendations!  No comment means you don't care.

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
With just a little bit of  SQL and VBA, many doors open to cool things like synchronize a list box to display data relevant to other information on a form.  If you have never written code or looked at an SQL statement before, no problem! ...  give i…
The Relationships Diagram is a good way to get an overall view of what a database is keeping track of. It is also where relationships are defined. A relationship specifies how two tables connect to each other. As you build tables in Microsoft Ac…
Suggested Courses

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question