I am not happy at this point. I have a user that I added to the Domain Admins group. He is the president of the company so I did what he asked.
I knew it was a mistake. He added the Domain Admins to the Domain Guests group. He neglected to tell me this. He just said hmm the CRM just stopped working. Well that was the first symptom of what was going on. I log in I get Access denied errors when I access active directory. I can't even look at any of the accounts. I used the trusty showgrps.exe and low and behold administrator is a member of the Domain admin. Right now I am looking at having to rebuild this server or remove AD from the domain and rebuild it from scratch since I didn't have a back up since I am just getting this server up and running.
My question is this. Is there a script or command that will remove an account from a certain group? Maybe in safe mode or AD restore mode?
The worse case senario is rebuild this server, exchange, SQL, and the CRM. I can say goodbye to my weekend. Can I punch the president in the face? Maybe I should let him do this work. Leave some nice words on the white board for him. :-/