Solved

Cannot access Domain Controller or Domain Group Policy Objects

Posted on 2004-10-19
42
857 Views
Last Modified: 2009-03-18
Environment: Windows 2003 Enterprise /IIS 6.0 web server- all critical updates

The problem DC holds the FSMO roles in a domain with 2 other DCs. AD integrated DNS.

I made some changes to my Domain Security Policy and the local Domain Controller Security Policy on the FSMO DC (the same entries were changed in the DC GPO and the Domain GPO at the same time). Don't ask me which ones at this point, although I did enable the Rename Administrator Account which I think is causing some problems :)

I am signed in as administrator. Now I can't get to either the DC or Domain GPO so I can make changes. The system has locked me out. I tried a reboot with F8, Domain Controller recovery in Safe Mode but it didn't work. I am still locked out of the GPOs.

I am getting 1202 SceCli errors with an error code of 0x4b8, but there is no specific KB article addressing this problem.

Any suggestions?

0
Comment
Question by:PWyatt1
42 Comments
 
LVL 6

Assisted Solution

by:nihlcat
nihlcat earned 100 total points
ID: 12349434
Here's the KB article concerning your error, I had these for a while too because of a renamed guest account:

http://support.microsoft.com/default.aspx?scid=kb;en-us;279432
0
 
LVL 6

Expert Comment

by:nihlcat
ID: 12349479
BTW, I figured out my problem was a renamed account by reviewing my C:\WINNT\security\logs\winlogon.log
0
 

Author Comment

by:PWyatt1
ID: 12349623
Hi Nihlcat:
Almost got there.
After about 5 minutes on the Group Policy tab, I finally got an error and it asked me to do 1 of 3 choices:

Error was: The Domain Controller for Group Policy Objects is not available
Choose one:
The one with the operations master token for the PDC emulator
The one used by AD snap-ins
Use any available DC

BTW. the log confirmed my suspicions. It is the Administrator rename account that appears to be causing the problems.

Any suggestions?
0

 
LVL 6

Expert Comment

by:nihlcat
ID: 12349673
I've been told Microsoft says you can have hyphens in your names but it caused my error: 'my-company-guest'.  I took out the hyphens and was fine.  Can you try and name it back to Administrator and see how it goes?  
0
 

Author Comment

by:PWyatt1
ID: 12349716
Thanks nihlcat:
I'm not sure you understand. I would love to change it but I can't GET to any GPO on this machine, Domain Controller OR Domain GPO. I am locked out.
0
 

Author Comment

by:PWyatt1
ID: 12349742
Like an idiot, I renamed the account to Administrator. There are no hyphens in the name.
0
 
LVL 6

Expert Comment

by:nihlcat
ID: 12349743
Ohhhh!  So you have tried Any Writable Domain Controller?
0
 
LVL 6

Expert Comment

by:nihlcat
ID: 12349777
Still fixable.  Did you edit the Default Domain policy or the Default Domain Controllers policy?
0
 

Author Comment

by:PWyatt1
ID: 12349793
I just tried accessing the domain GPO and the local DC GPOs on my other DCs.  Man, I am locked out of everything!!!!!
0
 
LVL 6

Expert Comment

by:nihlcat
ID: 12349854
SYSVOL Location\Domain Name\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Adm\MACHINE\Microsoft\Windows NT\SecEdit\gpttmpl.inf

This is your Default Domain policy.  I want you to LOOK in the file and search for a line such as:

NewAdministratorName = "Somename"

That is where your change is being made.  LOOK ONLY for the moment.
0
 

Author Comment

by:PWyatt1
ID: 12349968
Thanks
Finally got there :) I am on my workstation and have to keep going over to the server KVM monitor. BTW the name in NewAdministratorName is "Administrators".
0
 
LVL 6

Expert Comment

by:nihlcat
ID: 12350050
Yeah, that's the group policy object you changed.  Making changes in this area is not for the faint of heart.  You should copy the file and leave it right there.  I changed the name in my case, but your problem is slightly different.  The recommendation is to change the Administrator account to a name that doesn't exist on your network.

http://www.jsiinc.com/SUBE/Tip2400/rh2434.htm

PLEASE back up any file prior to changing it.
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 100 total points
ID: 12350068

Administrators is a group name, is that what it's trying to set to?
0
 

Author Comment

by:PWyatt1
ID: 12350150
For Chris-Dent: All I wanted to do was to allow me (administrator) to change the admin account at any time. That's what I thought this setting was for. Apparently not.

For nihlcat: A couple of questions:
1. Are you saying to make a copy of this file and rename it in the same folder?
2. If I change the admin name to some other name I am assuming that the new name is my new admin user name. Does the password stay the same?

Thanks.
0
 
LVL 6

Expert Comment

by:nihlcat
ID: 12350182
Yes, the password does not change, and the new Administrator Account name becomes whatever you changed it to in this line:

NewAdministratorName ="newname"

Yes, just to be safe, make a copy of the file and name it as "GPTMPL_COPY.inf"  or something

After your change, you will have to wait patiently for about 5 minutes or go to a command prompt and type:

secedit /refreshpolicy machine_policy
0
 

Author Comment

by:PWyatt1
ID: 12350216
OK Guys. Thanks. Let me go to lunch before I start eating my keyboard :) I'll be back in a bit.
0
 
LVL 6

Expert Comment

by:nihlcat
ID: 12350228
You'll get it fixed, it's not actually broken that badly.

:)
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12350337

hehe doing well Nihlcat ;)
0
 
LVL 6

Expert Comment

by:nihlcat
ID: 12350495
Aww shucks.. =)
0
 

Author Comment

by:PWyatt1
ID: 12351434
OK. Admin name changed, and I logged in OK. I refreshed the machine policy.
Whoops.....
I still can't get into either DC or domain GPO.

What next?

BTW. I am bumping this up to 200 points. This has taken far too long :)
0
 
LVL 6

Expert Comment

by:nihlcat
ID: 12351521
Ok, Let's have another quick look at any errors in your winlogon.log and application log (other than 1202 errors, we know about those).
0
 

Author Comment

by:PWyatt1
ID: 12351616
The only errors appear to be: Error 1379 - Local Group Already Exists -
error renaming admin account
0
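Chris Dent's point above (Administrators is a group name) and the Error 1379 just reported are the same problem: the rename target already belongs to another principal. As an added example that nobody in this thread posted, the check below parses a constructed gpttmpl.inf in the SecEdit template format, pulls NewAdministratorName and NewGuestName out of [System Access], and flags any value that collides with an existing group or account; the sample template and the account inventory are constructed, and the group list is the usual built-ins rather than anything read from a real box.

```python
# Added example, not from the thread: find a NewAdministratorName/NewGuestName
# that collides with an existing principal before the template is applied.
# Real gpttmpl.inf files are usually UTF-16 ([Unicode] Unicode=yes), so read
# them with encoding="utf-16"; the sample here is an in-memory constructed string.
import re

BUILTIN_GROUPS = {"Administrators", "Users", "Guests", "Backup Operators"}

# Current names of the two accounts the settings rename (a rename to the
# account's own current name is not a collision).
CURRENT_NAME = {"NewAdministratorName": "administrator", "NewGuestName": "guest"}

SAMPLE_GPTTMPL = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
NewAdministratorName = "Administrators"
NewGuestName = "Visitor"
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_template(text):
    """Parse the INI-style SecEdit template into {section: {key: value}}.
    Surrounding double quotes are stripped from values; ';' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return sections

def rename_conflicts(text, existing_names):
    """Return {setting: new_name} for rename settings whose target name is
    already used by another group or account (compared case-insensitively,
    which is how Windows compares account names)."""
    taken = {n.lower() for n in existing_names}
    system_access = parse_template(text).get("System Access", {})
    conflicts = {}
    for key, current in CURRENT_NAME.items():
        name = system_access.get(key)
        if name and name.lower() in taken and name.lower() != current:
            conflicts[key] = name
    return conflicts

if __name__ == "__main__":
    # Constructed inventory: built-in groups plus the two default accounts.
    inventory = BUILTIN_GROUPS | {"Administrator", "Guest"}
    print(rename_conflicts(SAMPLE_GPTTMPL, inventory))
```

Running the sample reports the NewAdministratorName = "Administrators" line as a conflict, which is exactly the setting this thread ends up correcting to a name not used anywhere else.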
 
LVL 6

Expert Comment

by:nihlcat
ID: 12351755
So no errors in the winlogon.log anymore.  Looking back to the beginning here, are you able to access local Domain Controller Security Policy from your Administrative tools?
0
 

Author Comment

by:PWyatt1
ID: 12351800
Hey, hey, hey. We is in business (pardon my English).
Now what do I have to reset, and should I do the same for the Domain security policy at the same time?

Phil
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12351810

Try doing Start, Run and rsop.msc

That should, in theory, try and process the policy. It is also good at pointing out any errors that occur during policy processing.

What about errors in the Event Log? Specifically Directory Services?
0
 
LVL 6

Expert Comment

by:nihlcat
ID: 12351811
?  You are up and running?
0
 
LVL 6

Expert Comment

by:nihlcat
ID: 12351850
If you are in your Default Domain Policy, and your Domain Controllers policy, I would make no change at all.  You have successfully renamed your Administrator account.
0
 

Author Comment

by:PWyatt1
ID: 12351910
I can get to the local DC security policy, but I am still locked out of the domain security policy. Also I am locked out of both policy mmcs on the other DCs. In other words, the only thing I have access to is the local DC policy.
0
 
LVL 6

Expert Comment

by:nihlcat
ID: 12351975
Ah, I see.  Well, the "Error 1379 - Local Group Already Exists" seems somewhat peculiar to me.  Are you sure the "Rename Administrator account" is all that was changed?  Let's try something in the GPTMPL.inf file you edited before:
Go to the line to rename the Administrator account and let's just comment out that line and refresh the policy.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12352035

You may want to consider:

dcgpofix /target:DC

This restores the Default Domain Controller Policy to the original.

This one is Windows 2003 Server only.
0
 
LVL 6

Expert Comment

by:nihlcat
ID: 12352057
If I have read correctly you renamed 'Administrator' to 'Admin'. I don't suppose that this name 'Admin' already exists on your server somewhere...right?
0
 

Author Comment

by:PWyatt1
ID: 12352207
I renamed it to Admin2. It is confirmed in the local policies . And, no such luck, I don't have another Admin2 in the network...damn!!!:)
0
 

Author Comment

by:PWyatt1
ID: 12352223
Thanks Chris-Dent. Let me apply the dcgpofix and get back to you all.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12352232

All credit goes to Nihlcat, he did all the work ;)
0
 

Author Comment

by:PWyatt1
ID: 12352491
G-r-r-r-r. I have tried entering umpteen different variations:

dcgpofix /target: DC
dcgpofix /target:DC
dcgpofix /target: domainname.com DC
dcgpofiix /target: DC.domainname.com

Nothing seems to work. I keep getting a "parameter is incorrect" in red with all of the variations, above. Also one of the error comments is that I have to be an admin to do this. Is the program checking to see if I have GPO privileges and then finding I don't have the privileges to do this?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12352532

I forget if it's case sensitive. If it doesn't like playing with that you can make it repair both the Default Domain Controller Policy and the Default Domain Policy.

Default Domain Controller Policy only:

dcgpofix /target:dc

Default Domain Policy only:

dcgpofix /target:domain

Both Policies:

dcgpofix
or
dcgpofix /target:both

0
 

Author Comment

by:PWyatt1
ID: 12352699
Thanks. The dcgpofix finally running. Guys, I'm going to call this a day. I'm going futz with things tonight then give you an update tomorrow.

Thanks for the help.
0
 
LVL 6

Expert Comment

by:nihlcat
ID: 12352707
Yep Dinner and a tall beer.  
0
 

Author Comment

by:PWyatt1
ID: 12352875
Amen
0
 

Author Comment

by:PWyatt1
ID: 12358756
Hi Guys:
The dcgpofix ran and I can now get to my 2 other DC's DC and Domain policies. However, with the FSMO DC, I still have two problems:

1. The Domain and DC policies shortcuts are gone from my administrative tools
2. When I go to C:\WINNT\System32 and try to execute either the DCgpo.msc or the domgpo.msc I get the locked out box.  Are these 2 domain policy executables somewhere else?

Thanks.
0
 
LVL 6

Expert Comment

by:nihlcat
ID: 12358956
Can you access the GPs from Start>Programs>Administrative Tools>Active Directory Users and Computers?
0
