Solved

Cannot access Domain Controller or Domain Group Policy Objects

Posted on 2004-10-19
816 Views
Last Modified: 2009-03-18
Environment: Windows 2003 Enterprise /IIS 6.0 web server- all critical updates

The problem DC holds the FSMO roles in a domain with 2 other DCs. AD integrated DNS.

I made some changes to my Domain Security Policy and the local Domain Controller Security Policy on the FSMO DC (the same entries were changed in the DC GPO and the Domain GPO at the same time). Don't ask me which ones at this point, although I did enable the Rename Administrator Account which I think is causing some problems :)

I am signed in as administrator. Now I can't get to either the DC or Domain GPO so I can make changes. The system has locked me out. I tried a reboot with F8, Domain Controller recovery in Safe Mode but it didn't work. I am still locked out of the GPOs.

I am getting 1202 SceCli errors with an error code of 0x4b8, but there is no specific KB article addressing this problem.

Any suggestions?

Question by:PWyatt1
42 Comments
 
LVL 6

Assisted Solution

by:nihlcat
nihlcat earned 100 total points
Here's the KB article concerning your error, I had these for a while too because of a renamed guest account:

http://support.microsoft.com/default.aspx?scid=kb;en-us;279432
0
 
LVL 6

Expert Comment

by:nihlcat
BTW, I figured out my problem was a renamed account by reviewing my C:\WINNT\security\logs\winlogon.log
0
 

Author Comment

by:PWyatt1
Hi Nihlcat:
Almost got there.
After about 5 minutes on the Group Policy tab, I finally got an error and it asked me to make 1 of 3 choices:

Error was: The Domain Controller for Group Policy Objects is not available
Choose one:
The one with the operations master token for the PDC emulator
The one used by AD snap-ins
Use any available DC

BTW. the log confirmed my suspicions. It is the Administrator rename account that appears to be causing the problems.

Any suggestions?
0
 
LVL 6

Expert Comment

by:nihlcat
I've been told Microsoft says you can have hyphens in your names but it caused my error: 'my-company-guest'.  I took out the hyphens and was fine.  Can you try and name it back to Administrator and see how it goes?  
0
 

Author Comment

by:PWyatt1
Thanks nihlcat:
I'm not sure you understand. I would love to change it but I can't GET to any GPO on this machine, Domain Controller OR Domain GPO. I am locked out.
0
 

Author Comment

by:PWyatt1
Like an idiot, I renamed the account to Administrator. There are no hyphens in the name.
0
 
LVL 6

Expert Comment

by:nihlcat
Ohhhh!  So you have tried Any Writable Domain Controller?
0
 
LVL 6

Expert Comment

by:nihlcat
Still fixable.  Did you edit the Default Domain policy or the Default Domain Controllers policy?
0
 

Author Comment

by:PWyatt1
I just tried accessing the domain GPO and the local DC GPOs on my other DCs.  Man, I am locked out of everything!!!!!
0
 
LVL 6

Expert Comment

by:nihlcat
SYSVOL Location\Domain Name\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Adm\MACHINE\Microsoft\Windows NT\SecEdit\gpttmpl.inf

This is your Default Domain policy.  I want you to LOOK in the file and search for a line such as:

NewAdministratorName = "Somename"

That is where your change is being made.  LOOK ONLY for the moment.
0
 

Author Comment

by:PWyatt1
Thanks
Finally got there :) I am on my workstation and have to keep going over to the server KVM monitor. BTW the name in NewAdministratorName is "Administrators".
0
 
LVL 6

Expert Comment

by:nihlcat
Yeah, that's the group policy object you changed.  Making changes in this area is not for the faint of heart.  You should copy the file and leave it right there.  I changed the name in my case, but your problem is slightly different.  The recommendation is to change the Administrator account to a name that doesn't exist on your network.

http://www.jsiinc.com/SUBE/Tip2400/rh2434.htm

PLEASE back up any file prior to changing it.
0
 
LVL 70

Accepted Solution

by:Chris Dent
Chris Dent earned 100 total points

Administrators is a group name, is that what it's trying to set to?
0
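A check for the template file nihlcat points at above (the NewAdministratorName line in gpttmpl.inf) and for Chris Dent's observation that "Administrators" is a group name, written as an added Python example that is not from the thread or from either expert. The INF sample is constructed, and the list of built-in group names it compares against is an assumption chosen for the check:

```python
import re
# Built-in local group names a renamed account must not collide with; 1379 is
# ERROR_ALIAS_EXISTS ("local group already exists"), the error seen in the thread.
BUILTIN_GROUPS = {"administrators", "users", "guests", "power users",
                  "backup operators", "account operators", "server operators"}
RENAME_KEYS = ("NewAdministratorName", "NewGuestName")

def parse_inf(text):
    """Return {section: {key: value}} from INF-style text (quotes stripped,
    blank lines and ;/# comment lines skipped)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]          # e.g. NewAdministratorName = "Admin2"
        sections[current][key.strip()] = value
    return sections

def check_rename_settings(text):
    """Return a list of problems with the rename keys in [System Access]."""
    problems = []
    access = parse_inf(text).get("System Access", {})
    for key in (k for k in RENAME_KEYS if k in access):
        name = access[key]
        if not name:
            problems.append(f"{key} is empty")
        elif name.lower() in BUILTIN_GROUPS:
            problems.append(f"{key} = {name!r} is a built-in group name")
    return problems
# Constructed sample template (not a real file), using the asker's value.
SAMPLE_BAD = """[Unicode]
Unicode=yes
[System Access]
NewAdministratorName = "Administrators"
[Version]
signature="$CHICAGO$"
"""
SAMPLE_OK = SAMPLE_BAD.replace('"Administrators"', '"Admin2"')
```

Run `check_rename_settings` over the text of a backed-up gpttmpl.inf before refreshing policy; an empty list means the rename keys at least do not name a built-in group.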
 

Author Comment

by:PWyatt1
For Chris-Dent: All I wanted to do was to allow me (administrator) to change the admin account at any time. That's what I thought this setting was for. Apparently not.

For nihlcat: A couple of questions:
1. Are you saying to make a copy of this file and rename it in the same folder?
2. If I change the admin name to some other name I am assuming that the new name is my new admin user name. Does the password stay the same?

Thanks.
0
 
LVL 6

Expert Comment

by:nihlcat
Yes, the password does not change, and the new Administrator Account name becomes whatever you changed it to in this line:

NewAdministratorName ="newname"

Yes, just to be safe, make a copy of the file and name it as "GPTMPL_COPY.inf"  or something

After your change, you will have to wait patiently for about 5 minutes or go to a command prompt and type:

secedit /refreshpolicy machine_policy
0
 

Author Comment

by:PWyatt1
OK Guys. Thanks. Let me go to lunch before I start eating my keyboard :) I'll be back in a bit.
0
 
LVL 6

Expert Comment

by:nihlcat
You'll get it fixed, it's not actually broken that badly.

:)
0
 
LVL 70

Expert Comment

by:Chris Dent

hehe doing well Nihlcat ;)
0
 
LVL 6

Expert Comment

by:nihlcat
Aww shucks.. =)
0
 

Author Comment

by:PWyatt1
OK. Admin name changed, and I logged in OK. I refreshed the machine policy.
Whoops.....
I still can't get into either DC or domain GPO.

What next?

BTW. I am bumping this up to 200 points. This has taken far too long :)
0
 
LVL 6

Expert Comment

by:nihlcat
Ok, Let's have another quick look at any errors in your winlogon.log and application log (other than 1202 errors, we know about those).
0
 

Author Comment

by:PWyatt1
The only errors appear to be: Error 1379 - Local Group Already Exists -
error renaming admin account
0
 
LVL 6

Expert Comment

by:nihlcat
So no errors in the winlogon.log anymore.  Looking back to the beginning here, are you able to access local Domain Controller Security Policy from your Administrative tools?
0
 

Author Comment

by:PWyatt1
Hey, hey, hey. We is in business (pardon my English).
Now what do I have to reset, and should I do the same for the Domain security policy at the same time?

Phil
0
 
LVL 70

Expert Comment

by:Chris Dent

Try doing Start, Run and rsop.msc

That should, in theory, try and process the policy. It is also good at pointing out any errors that occur during policy processing.

What about errors in the Event Log? Specifically Directory Services?
0
 
LVL 6

Expert Comment

by:nihlcat
?  You are up and running?
0
 
LVL 6

Expert Comment

by:nihlcat
If you are in your Default Domain Policy, and your Domain Controllers policy, I would make no change at all.  You have successfully renamed your Administrator account.
0
 

Author Comment

by:PWyatt1
I can get to the local DC security policy, but I am still locked out of the domain security policy. Also I am locked out of both policy mmcs on the other DCs. In other words, the only thing I have access to is the local DC policy.
0
 
LVL 6

Expert Comment

by:nihlcat
Ah, I see.  Well, the "Error 1379 - Local Group Already Exists" seems somewhat peculiar to me.  Are you sure the "Rename Administrator account" is all that was changed?  Let's try something in the GPTMPL.inf file you edited before:
Go to the line to rename the Administrator account and let's just comment out that line and refresh the policy.
0
 
LVL 70

Expert Comment

by:Chris Dent

You may want to consider:

dcgpofix /target:DC

This restores the Default Domain Controller Policy to the original.

This one is Windows 2003 Server only.
0
 
LVL 70

Expert Comment

by:Chris Dent
0
 
LVL 6

Expert Comment

by:nihlcat
If I have read correctly, you renamed 'Administrator' to 'Admin'. I don't suppose that this name 'Admin' already exists on your server somewhere...right?
0
 

Author Comment

by:PWyatt1
I renamed it to Admin2. It is confirmed in the local policies. And, no such luck, I don't have another Admin2 in the network...damn!!!:)
0
 

Author Comment

by:PWyatt1
Thanks Chris-Dent. Let me apply the dcgpofix and get back to you all.
0
 
LVL 70

Expert Comment

by:Chris Dent

All credit goes to Nihlcat, he did all the work ;)
0
 

Author Comment

by:PWyatt1
G-r-r-r-r. I have tried entering umpteen different variations:

dcgpofix /target: DC
dcgpofix /target:DC
dcgpofix /target: domainname.com DC
dcgpofiix /target: DC.domainname.com

Nothing seems to work. I keep getting a "parameter is incorrect" in red with all of the variations, above. Also one of the error comments is that I have to be an admin to do this. Is the program checking to see if I have GPO privileges and then finding I don't have the privileges to do this?
0
 
LVL 70

Expert Comment

by:Chris Dent

I forget if it's case sensitive. If it doesn't like playing with that you can make it repair both the Default Domain Controller Policy and the Default Domain Policy.

Default Domain Controller Policy only:

dcgpofix /target:dc

Default Domain Policy only:

dcgpofix /target:domain

Both Policies:

dcgpofix
or
dcgpofix /target:both

0
 

Author Comment

by:PWyatt1
Thanks. The dcgpofix is finally running. Guys, I'm going to call this a day. I'm going to futz with things tonight then give you an update tomorrow.

Thanks for the help.
0
 
LVL 6

Expert Comment

by:nihlcat
Yep Dinner and a tall beer.  
0
 

Author Comment

by:PWyatt1
Amen
0
 

Author Comment

by:PWyatt1
Hi Guys:
The dcgpofix ran and I can now get to my 2 other DCs' DC and Domain policies. However, with the FSMO DC, I still have two problems:

1. The Domain and DC policies shortcuts are gone from my administrative tools
2. When I go to C:\WINNT\System32 and try to execute either the DCgpo.msc or the domgpo.msc I get the locked out box.  Are these 2 domain policy executables somewhere else?

Thanks.
0
 
LVL 6

Expert Comment

by:nihlcat
Can you access the GPs from Start>Programs>Administrative Tools>Active Directory Users and Computers?
0