Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

URGENT! - Playing Group P;olicies and just prevented TS logins

Posted on 2006-03-30
28
Medium Priority
?
176 Views
Last Modified: 2010-04-18
I am trying to organize my GPO's and just stopped the ability to log in through terminal services.

0
Comment
Question by:jasgot
  • 13
  • 7
  • 4
  • +4
28 Comments
 
LVL 9

Expert Comment

by:vsg375
ID: 16336048
Hi,

I think that the best way to see exactly what you did and where you did it is to use the Resultant Set of Policies MSC. Launch RSOP.MSC and take a close look at the results. You should see where exactly you disabled TS access, and be able to modify the corresponding GPO accordingly.

HTH
Cheers
0
 
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 16336160
Or you can look at the effect on a client due to GPO by using the GUI based Group Policy Management utility...you can download this here:  http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en
0
 

Author Comment

by:jasgot
ID: 16336213
I ran the RSOP, I expanded every tree item and don't see anything that would prevent it. I also do not see a way to dump the rsop for you to see.


As for the GPMU, that's what I was using!!!!!! I guees I'm pretty brain dead if that easy to use tool confused me :)
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:jasgot
ID: 16336235
Allow log on through terminal services is populated with "authenticated users" and "Remote Desktop users"
0
 

Author Comment

by:jasgot
ID: 16336264
The Administrator can't even log on. Good thing I am currently logged in!
0
 
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 16336274
GPMU: run a REPORT....this is how you will be able to see the effect.    
0
 
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 16336378
highlight the "Group Policy Results" folder in the GPM... then right click...run the wizard...  you will see its pretty easy...
0
 

Author Comment

by:jasgot
ID: 16336393
Am I running into a delay problem?  I just changed a setting, reran the report and it didn't show up. but when I went back into GP, my change was there.
0
 
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 16336454
probably....  the GPO doesn't get updated immediately on the client machines... you can run GPUDATE /force to force the client to look to the domain and apply any GPO's immediately.
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 16336470
How many GPO's do you have?

Surely you know the one you changed, right?  Just click on the settings tab to see what all was set.  You can highlight the settings and paste them here if you want us to figure it out.
0
 

Author Comment

by:jasgot
ID: 16336529
Well..... I think I have a mess.

This is what my GPO Tree looks like:
[Domain.Local]
     Default domain Policy
     Windows Updates
     Domain Controllers
        Default domain Controllers Policy
     Shutdown and Logoff/On Policy
        Logon and Shutdown Permissions
     Group Policy Objects
        Classic
        Default Domain Controllers Policy
        Default domain Policy
        Equifax
        Logon and Shutdown Permissions
        QB
        Windows Updates
     WMI Filters


What would you like to see?
0
 

Author Comment

by:jasgot
ID: 16336705
This may not be a TS issue, it's telling evry user, including the admin to check and make sure the username and password are correct
0
 

Author Comment

by:jasgot
ID: 16336975
No more help?
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 16337033
Group Policy Objects
        Classic
        Default Domain Controllers Policy
        Default domain Policy
        Equifax
        Logon and Shutdown Permissions
        QB
        Windows Updates

That's the list of GPOs.

Do you know which one you changed?
0
 

Author Comment

by:jasgot
ID: 16337361
I added the Logon and Shutdown and Windows Update GPO, I may have changed the Classic and two Defaults...
0
 
LVL 12

Expert Comment

by:Mazaraat
ID: 16337421
unlink them one at a time....after you unlink one run gpupdate /force check if you can logon....
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 16337431
inside the GPMC go down to the group policy modeling section, and right click and run the GPM wizard.  Run a simulation based on a user you are having problems with and post the results here.
0
 

Author Comment

by:jasgot
ID: 16337519
I couldn't select a single user, only the group it says the specified user could not be found in the active directory.

0
 

Author Comment

by:jasgot
ID: 16337528
All my users are gone. How could I have deleted all my users while in the GPMU?
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 16337583
did you select the User tab in the GPM wizard?

It should be:

User Information > User  (not container)

Then browse > type a user name like jsmith

Then click "skip to end" at the bottom and run it.
0
 

Author Comment

by:jasgot
ID: 16337627
But there are no users. Not even in AD users and Computers
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 16338440
Ummm.... Whoa.

Nothing you can do in GPMC would have caused that...


Is this the only domain controller?  If it wasn't something you did (meaning delete the users somehow), there should be plenty of eventvwr errors.
0
 
LVL 16

Expert Comment

by:Kevin Hays
ID: 16338538
Man, that isn't good at all.  Did you mess with anything in the default domain policy,such as security settings in there?  Sounds like you have issued a "deny" on something for the everyone group from what you are saying.  Even though we know GPO wouldn't have done that you could have set the wrong setting in the default domain policy though.

Any DNS issues?  

kshays
0
 
LVL 9

Accepted Solution

by:
Jeff Beckham earned 2000 total points
ID: 16339599
What's your most recent system state backup on a DC before you made the changes?  You might need to perform an authoritative restore of your system state (ie, AD plus a few other things) in order to get this back if things are really spiriling quickly.

See "Performing an Authoritative Restore of Active Directory Objects": http://technet2.microsoft.com/WindowsServer/en/Library/690730c7-83ce-4475-b9b4-46f76c9c7c901033.mspx
0
 

Author Comment

by:jasgot
ID: 16339890
Last night.
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 16342574
I agree with jebeckham, that if you have a good verified backup of the DC, and it's your only DC, then I would restore from backup and not mess with going through us for the next few days without a full resolution.
0
 

Author Comment

by:jasgot
ID: 16342708
I thought a AD restore was really simple, after reading those docs at technet, I'm worried I'll be in a bigger mess.

I have already recreated the users. So they are logged in and operational (somewhat).  No I have a many minor issues and still have the inability to play flash on websites......
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 16343431
jasgot,

I would really consider calling a local IT consulting company and having them come in and look at your DC and network.  It's not that I (can't speak for other EE members) mind helping, but it's very hard to diagnose the issues here.

You'll have to give us eventlog errors, program errors, etc. etc.  The more technical information the better.  Also, you'll need to make sure you post the issues separately if possible in their respective Topic Areas.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Scenerio: You have a server running Server 2003 and have applied a retail pack of Terminal Server Licenses.  You want to change servers or your server has crashed and you need to reapply the Terminal Server Licenses. When you enter the 16-digit lic…
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
Look below the covers at a subform control , and the form that is inside it. Explore properties and see how easy it is to aggregate, get statistics, and synchronize results for your data. A Microsoft Access subform is used to show relevant calcul…
As many of you are aware about Scanpst.exe utility which is owned by Microsoft itself to repair inaccessible or damaged PST files, but the question is do you really think Scanpst.exe is capable to repair all sorts of PST related corruption issues?

578 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question