URGENT! - Playing Group Policies and just prevented TS logins

I am trying to organize my GPO's and just stopped the ability to log in through terminal services.

jasgot Asked:

vsg375 Commented:
Hi,

I think that the best way to see exactly what you did and where you did it is to use the Resultant Set of Policies MSC. Launch RSOP.MSC and take a close look at the results. You should see where exactly you disabled TS access, and be able to modify the corresponding GPO accordingly.

HTH
Cheers
0
NJComputerNetworks Commented:
Or you can look at the effect on a client due to GPO by using the GUI based Group Policy Management utility...you can download this here:  http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en
0
jasgot (Author) Commented:
I ran the RSOP, I expanded every tree item and don't see anything that would prevent it. I also do not see a way to dump the rsop for you to see.


As for the GPMU, that's what I was using!!!!!! I guess I'm pretty brain dead if that easy to use tool confused me :)
0
jasgot (Author) Commented:
Allow log on through terminal services is populated with "authenticated users" and "Remote Desktop users"
0
jasgot (Author) Commented:
The Administrator can't even log on. Good thing I am currently logged in!
0
NJComputerNetworks Commented:
GPMU: run a REPORT....this is how you will be able to see the effect.    
0
NJComputerNetworks Commented:
Highlight the "Group Policy Results" folder in the GPM... then right click...run the wizard...  you will see it's pretty easy...
0
jasgot (Author) Commented:
Am I running into a delay problem?  I just changed a setting, reran the report and it didn't show up, but when I went back into GP, my change was there.
0
NJComputerNetworks Commented:
probably....  the GPO doesn't get updated immediately on the client machines... you can run GPUDATE /force to force the client to look to the domain and apply any GPO's immediately.
0
TheCleaner Commented:
How many GPO's do you have?

Surely you know the one you changed, right?  Just click on the settings tab to see what all was set.  You can highlight the settings and paste them here if you want us to figure it out.
0
jasgot (Author) Commented:
Well..... I think I have a mess.

This is what my GPO Tree looks like:
[Domain.Local]
     Default domain Policy
     Windows Updates
     Domain Controllers
        Default domain Controllers Policy
     Shutdown and Logoff/On Policy
        Logon and Shutdown Permissions
     Group Policy Objects
        Classic
        Default Domain Controllers Policy
        Default domain Policy
        Equifax
        Logon and Shutdown Permissions
        QB
        Windows Updates
     WMI Filters


What would you like to see?
0
jasgot (Author) Commented:
This may not be a TS issue, it's telling every user, including the admin, to check and make sure the username and password are correct
0
jasgot (Author) Commented:
No more help?
0
TheCleaner Commented:
Group Policy Objects
        Classic
        Default Domain Controllers Policy
        Default domain Policy
        Equifax
        Logon and Shutdown Permissions
        QB
        Windows Updates

That's the list of GPOs.

Do you know which one you changed?
0
jasgot (Author) Commented:
I added the Logon and Shutdown and Windows Update GPO, I may have changed the Classic and two Defaults...
0
Mazaraat Commented:
unlink them one at a time....after you unlink one run gpupdate /force check if you can logon....
0
TheCleaner Commented:
inside the GPMC go down to the group policy modeling section, and right click and run the GPM wizard.  Run a simulation based on a user you are having problems with and post the results here.
0
jasgot (Author) Commented:
I couldn't select a single user, only the group; it says the specified user could not be found in the active directory.

0
jasgot (Author) Commented:
All my users are gone. How could I have deleted all my users while in the GPMU?
0
TheCleaner Commented:
did you select the User tab in the GPM wizard?

It should be:

User Information > User  (not container)

Then browse > type a user name like jsmith

Then click "skip to end" at the bottom and run it.
0
jasgot (Author) Commented:
But there are no users. Not even in AD users and Computers
0
TheCleaner Commented:
Ummm.... Whoa.

Nothing you can do in GPMC would have caused that...


Is this the only domain controller?  If it wasn't something you did (meaning delete the users somehow), there should be plenty of eventvwr errors.
0
Kevin Hays (IT Analyst) Commented:
Man, that isn't good at all.  Did you mess with anything in the default domain policy, such as security settings in there?  Sounds like you have issued a "deny" on something for the everyone group from what you are saying.  Even though we know GPO wouldn't have done that you could have set the wrong setting in the default domain policy though.

Any DNS issues?  

kshays
0
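Added example, not part of any post in this thread: the "deny" hypothesis above can be checked directly in the security template each GPO stores in SYSVOL (`Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf`, section `[Privilege Rights]`). The GPO names and template text below are constructed sample input; on a real domain the text would be read from each policy's own GptTmpl.inf.

```python
# Well-known SIDs of broad groups (the same on every Windows domain).
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
}
ALLOW_TS = "SeRemoteInteractiveLogonRight"  # "Allow log on through Terminal Services"
DENY_RIGHTS = (  # a deny right overrides the matching allow right
    "SeDenyRemoteInteractiveLogonRight",
    "SeDenyInteractiveLogonRight",
    "SeDenyNetworkLogonRight",
)
# Constructed sample input: hypothetical GPO names and template text.
SAMPLE = {
    "Example GPO A": "[Unicode]\nUnicode=yes\n[Privilege Rights]\n"
                     "SeDenyInteractiveLogonRight = *S-1-1-0\n"
                     "SeShutdownPrivilege = *S-1-5-32-544\n"
                     "[Version]\nsignature=\"$CHICAGO$\"\nRevision=1\n",
    "Example GPO B": "[Privilege Rights]\n"
                     "SeRemoteInteractiveLogonRight = *S-1-5-11,*S-1-5-32-555\n",
    "Example GPO C": "[Privilege Rights]\nSeRemoteInteractiveLogonRight =\n",
}

def privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def audit(gpo_name, inf_text):
    """Flag deny-logon rights on broad groups and an emptied TS allow right."""
    rights, findings = privilege_rights(inf_text), []
    for right in DENY_RIGHTS:
        for sid in rights.get(right, []):
            if sid in BROAD_SIDS:
                findings.append(f"{gpo_name}: {right} denies {BROAD_SIDS[sid]}")
    if ALLOW_TS in rights and not rights[ALLOW_TS]:
        findings.append(f"{gpo_name}: {ALLOW_TS} is defined but empty")
    return findings

def audit_all(templates):
    return [f for name, text in templates.items() for f in audit(name, text)]
```

GptTmpl.inf files are normally saved as UTF-16, so decode them with that encoding before passing the text to `audit`.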
Jeff Beckham (Engineer) Commented:
What's your most recent system state backup on a DC before you made the changes?  You might need to perform an authoritative restore of your system state (i.e., AD plus a few other things) in order to get this back if things are really spiraling quickly.

See "Performing an Authoritative Restore of Active Directory Objects": http://technet2.microsoft.com/WindowsServer/en/Library/690730c7-83ce-4475-b9b4-46f76c9c7c901033.mspx
0
jasgot (Author) Commented:
Last night.
0
TheCleaner Commented:
I agree with jebeckham, that if you have a good verified backup of the DC, and it's your only DC, then I would restore from backup and not mess with going through us for the next few days without a full resolution.
0
jasgot (Author) Commented:
I thought an AD restore was really simple; after reading those docs at technet, I'm worried I'll be in a bigger mess.

I have already recreated the users. So they are logged in and operational (somewhat).  Now I have many minor issues and still have the inability to play flash on websites......
0
TheCleaner Commented:
jasgot,

I would really consider calling a local IT consulting company and having them come in and look at your DC and network.  It's not that I (can't speak for other EE members) mind helping, but it's very hard to diagnose the issues here.

You'll have to give us eventlog errors, program errors, etc. etc.  The more technical information the better.  Also, you'll need to make sure you post the issues separately if possible in their respective Topic Areas.
0
Windows Server 2003

Question has a verified solution.