  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 870
  • Last Modified:

Cannot access Domain Controller or Domain Group Policy Objects

Environment: Windows 2003 Enterprise /IIS 6.0 web server- all critical updates

The problem DC holds the FSMO roles in a domain with 2 other DCs. AD integrated DNS.

I made some changes to my Domain Security Policy and the local Domain Controller Security Policy on the FSMO DC (the same entries were changed in the DC GPO and the Domain GPO at the same time). Don't ask me which ones at this point, although I did enable the Rename Administrator Account which I think is causing some problems :)

I am signed in as administrator. Now I can't get to either the DC or Domain GPO so I can make changes. The system has locked me out. I tried a reboot with F8, Domain Controller recovery in Safe Mode but it didn't work. I am still locked out of the GPOs.

I am getting 1202 SceCli errors with an error code of 0x4b8, but there is no specific KB article addressing this problem.

Any suggestions?

0
Asked by: PWyatt1
2 Solutions
 
nihlcatCommented:
Here's the KB article concerning your error. I had these for a while too because of a renamed guest account:

http://support.microsoft.com/default.aspx?scid=kb;en-us;279432
0
 
nihlcatCommented:
BTW, I figured out my problem was a renamed account by reviewing my C:\WINNT\security\logs\winlogon.log
0
 
PWyatt1Author Commented:
Hi Nihlcat:
Almost got there.
After about 5 minutes on the Group Policy tab, I finally got an error and it asked me to do 1 of 3 choices:

Error was: The Domain Controller for Group Policy Objects is not available
Choose one:
The one with the operations master token for the PDC emulator
The one used by AD snap-ins
Use any available DC

BTW. the log confirmed my suspicions. It is the Administrator rename account that appears to be causing the problems.

Any suggestions?
0
 
nihlcatCommented:
I've been told Microsoft says you can have hyphens in your names but it caused my error: 'my-company-guest'.  I took out the hyphens and was fine.  Can you try and name it back to Administrator and see how it goes?  
0
 
PWyatt1Author Commented:
Thanks nihlcat:
I'm not sure you understand. I would love to change it but I can't GET to any GPO on this machine, Domain Controller OR Domain GPO. I am locked out.
0
 
PWyatt1Author Commented:
Like an idiot, I renamed the account to Administrator. There are no hyphens in the name.
0
 
nihlcatCommented:
Ohhhh!  So you have tried Any Writable Domain Controller?
0
 
nihlcatCommented:
Still fixable.  Did you edit the Default Domain policy or the Default Domain Controllers policy?
0
 
PWyatt1Author Commented:
I just tried accessing the domain GPO and the local DC GPOs on my other DCs.  Man, I am locked out of everything!!!!!
0
 
nihlcatCommented:
SYSVOL Location\Domain Name\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Adm\MACHINE\Microsoft\Windows NT\SecEdit\gpttmpl.inf

This is your Default Domain policy.  I want you to LOOK in the file and search for a line such as:

NewAdministratorName = "Somename"

That is where your change is being made.  LOOK ONLY for the moment.
0
 
PWyatt1Author Commented:
Thanks
Finally got there :) I am on my workstation and have to keep going over to the server KVM monitor. BTW the name in NewAdministratorName is "Administrators".
0
 
nihlcatCommented:
Yeah, that's the group policy object you changed.  Making changes in this area is not for the faint of heart.  You should copy the file and leave it right there.  I changed the name in my case, but your problem is slightly different.  The recommendation is to change the Administrator account to a name that doesn't exist on your network.

http://www.jsiinc.com/SUBE/Tip2400/rh2434.htm

PLEASE back up any file prior to changing it.
0
 
Chris DentPowerShell DeveloperCommented:

Administrators is a group name, is that what it's trying to set to?
0
 
PWyatt1Author Commented:
For Chris-Dent: All I wanted to do was to allow me (administrator) to change the admin account at any time. That's what I thought this setting was for. Apparently not.

For nihlcat: A couple of questions:
1. Are you saying to make a copy of this file and rename it in the same folder?
2. If I change the admin name to some other name I am assuming that the new name is my new admin user name. Does the password stay the same?

Thanks.
0
 
nihlcatCommented:
Yes, the password does not change, and the new Administrator Account name becomes whatever you changed it to in this line:

NewAdministratorName ="newname"

Yes, just to be safe, make a copy of the file and name it as "GPTMPL_COPY.inf"  or something

After your change, you will have to wait patiently for about 5 minutes or go to a command prompt and type:

secedit /refreshpolicy machine_policy
0
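The two settings discussed above (NewAdministratorName in the [System Access] section of GptTmpl.inf, and the fact that a rename target like "Administrators" collides with a built-in group) can be checked before the template is applied. The script below is an added example written for this thread, not code from either poster or from Microsoft: it parses a constructed GptTmpl.inf sample (real files are usually UTF-16 with a BOM, which the decoder honours), treats ";" lines as comments the way the template does, and flags a rename target that is empty, a no-op, or already in use by another principal. The list of existing principals is a constructed stand-in for what you would actually enumerate on the DC.

```python
"""Validate the account-rename settings in a GptTmpl.inf security template.

Added example (not from the thread): parses the [System Access] section,
where NewAdministratorName / NewGuestName live, and flags a rename target
that collides with an existing group or account name. That is the thread's
failure mode: NewAdministratorName = "Administrators" names a built-in
group, so the rename fails with error 1379 (local group already exists).
"""
import re

# Constructed sample template; real GptTmpl.inf files are usually UTF-16 with a BOM.
SAMPLE_INF = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
NewAdministratorName = "Administrators"
;NewGuestName = "Visitor"
[Version]
signature="$CHICAGO$"
Revision=1
""".encode("utf-16")

# Constructed list of principals that already exist on the sample DC
# (built-in groups plus accounts). Real usage would enumerate them.
EXISTING_PRINCIPALS = {
    "Administrators", "Users", "Guests", "Administrator", "Guest", "Domain Admins",
}

# Rename keys and the built-in account name each one replaces.
RENAME_KEYS = {"NewAdministratorName": "Administrator", "NewGuestName": "Guest"}


def decode_inf(data: bytes) -> str:
    """Decode a template: honour a UTF-16 BOM, otherwise assume ASCII/UTF-8."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8-sig")


def parse_inf(text: str) -> dict[str, dict[str, str]]:
    """Minimal INI-style parser: {section: {key: value}}.

    Lines starting with ';' are comments, which is how a setting is
    disabled in the file without deleting it. Quotes around values are stripped.
    """
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip(), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip().strip('"')
    return sections


def check_renames(data: bytes, existing=EXISTING_PRINCIPALS) -> list[str]:
    """Return findings about the rename settings; an empty list means clean."""
    access = parse_inf(decode_inf(data)).get("System Access", {})
    existing_lower = {name.lower() for name in existing}
    findings = []
    for key, builtin in RENAME_KEYS.items():
        if key not in access:
            continue  # setting absent or commented out: nothing to rename
        new_name = access[key]
        if not new_name:
            findings.append(f"{key} is set but empty")
        elif new_name.lower() == builtin.lower():
            findings.append(f"{key} = {new_name!r} is a no-op (the original built-in name)")
        elif new_name.lower() in existing_lower:
            findings.append(f"{key} = {new_name!r} collides with an existing principal")
    return findings


if __name__ == "__main__":
    for finding in check_renames(SAMPLE_INF) or ["no rename problems found"]:
        print(finding)
```

Run against the constructed sample it reports the collision on NewAdministratorName and stays silent on the commented-out NewGuestName line; swapping the value for a name that no group or user already carries makes the check come back empty, which is the state the rename has to be in before refreshing policy.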
 
PWyatt1Author Commented:
OK Guys. Thanks. Let me go to lunch before I start eating my keyboard :) I'll be back in a bit.
0
 
nihlcatCommented:
You'll get it fixed, it's not actually broken that badly.

:)
0
 
Chris DentPowerShell DeveloperCommented:

hehe doing well Nihlcat ;)
0
 
nihlcatCommented:
Aww shucks.. =)
0
 
PWyatt1Author Commented:
OK. Admin name changed, and I logged in OK. I refreshed the machine policy.
Whoops.....
I still can't get into either DC or domain GPO.

What next?

BTW. I am bumping this up to 200 points. This has taken far too long :)
0
 
nihlcatCommented:
Ok, Let's have another quick look at any errors in your winlogon.log and application log (other than 1202 errors, we know about those).
0
 
PWyatt1Author Commented:
The only errors appear to be: Error 1379 - Local Group Already Exists -
error renaming admin account
0
 
nihlcatCommented:
So no errors in the winlogon.log anymore.  Looking back to the beginning here, are you able to access local Domain Controller Security Policy from your Administrative tools?
0
 
PWyatt1Author Commented:
Hey, hey, hey. We is in business (pardon my English).
Now what do I have to reset, and should I do the same for the Domain security policy at the same time?

Phil
0
 
Chris DentPowerShell DeveloperCommented:

Try doing Start, Run and rsop.msc

That should, in theory, try and process the policy. It is also good at pointing out any errors that occur during policy processing.

What about errors in the Event Log? Specifically Directory Services?
0
 
nihlcatCommented:
?  You are up and running?
0
 
nihlcatCommented:
If you are in your Default Domain Policy, and your Domain Controllers policy, I would make no change at all.  You have successfully renamed your Administrator account.
0
 
PWyatt1Author Commented:
I can get to the local DC security policy, but I am still locked out of the domain security policy. Also I am locked out of both policy mmcs on the other DCs. In other words, the only thing I have access to is the local DC policy.
0
 
nihlcatCommented:
Ah, I see.  Well, the "Error 1379 - Local Group Already Exists" seems somewhat peculiar to me.  Are you sure the "Rename Administrator account" is all that was changed?  Let's try something in the GPTMPL.inf file you edited before:
Go to the line to rename the Administrator account and let's just comment out that line and refresh the policy.
0
 
Chris DentPowerShell DeveloperCommented:

You may want to consider:

dcgpofix /target:DC

This restores the Default Domain Controller Policy to the original.

This one is Windows 2003 Server only.
0
 
nihlcatCommented:
If I have read correctly you renamed 'Administrator' to 'Admin'. I don't suppose that this name 'Admin' already exists on your server somewhere...right?
0
 
PWyatt1Author Commented:
I renamed it to Admin2. It is confirmed in the local policies . And, no such luck, I don't have another Admin2 in the network...damn!!!:)
0
 
PWyatt1Author Commented:
Thanks Chris-Dent. Let me apply the dcgpofix and get back to you all.
0
 
Chris DentPowerShell DeveloperCommented:

All credit goes to Nihlcat, he did all the work ;)
0
 
PWyatt1Author Commented:
G-r-r-r-r. I have tried entering umpteen different variations:

dcgpofix /target: DC
dcgpofix /target:DC
dcgpofix /target: domainname.com DC
dcgpofiix /target: DC.domainname.com

Nothing seems to work. I keep getting a "parameter is incorrect" in red with all of the variations, above. Also one of the error comments is that I have to be an admin to do this. Is the program checking to see if I have GPO privileges and then finding I don't have the privileges to do this?
0
 
Chris DentPowerShell DeveloperCommented:

I forget if it's case sensitive. If it doesn't like playing with that you can make it repair both the Default Domain Controller Policy and the Default Domain Policy.

Default Domain Controller Policy only:

dcgpofix /target:dc

Default Domain Policy only:

dcgpofix /target:domain

Both Policies:

dcgpofix
or
dcgpofix /target:both

0
 
PWyatt1Author Commented:
Thanks. The dcgpofix is finally running. Guys, I'm going to call this a day. I'm going to futz with things tonight then give you an update tomorrow.

Thanks for the help.
0
 
nihlcatCommented:
Yep Dinner and a tall beer.  
0
 
PWyatt1Author Commented:
Amen
0
 
PWyatt1Author Commented:
Hi Guys:
The dcgpofix ran and I can now get to my 2 other DC's DC and Domain policies. However, with the FSMO DC, I still have two problems:

1. The Domain and DC policies shortcuts are gone from my administrative tools
2. When I go to C:\WINNT\System32 and try to execute either the DCgpo.msc or the domgpo.msc I get the locked out box.  Are these 2 domain policy executables somewhere else?

Thanks.
0
 
nihlcatCommented:
Can you access the GPs from Start>Programs>Administrative Tools>Active Directory Users and Computers?
0
