URGENT! - Playing Group Policies and just prevented TS logins

jasgot asked (Last Modified: 2010-04-18):
I am trying to organize my GPOs and just stopped the ability to log in through terminal services.

Commented:
Hi,

I think that the best way to see exactly what you did and where you did it is to use the Resultant Set of Policies MSC. Launch RSOP.MSC and take a close look at the results. You should see where exactly you disabled TS access, and be able to modify the corresponding GPO accordingly.

HTH
Cheers

Or you can look at the effect on a client due to GPO by using the GUI-based Group Policy Management utility... you can download this here: http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en

Author

Commented:
I ran the RSOP, I expanded every tree item and don't see anything that would prevent it. I also do not see a way to dump the rsop for you to see.


As for the GPMU, that's what I was using!!!!!! I guess I'm pretty brain dead if that easy to use tool confused me :)

Author

Commented:
Allow log on through terminal services is populated with "authenticated users" and "Remote Desktop users"

Author

Commented:
The Administrator can't even log on. Good thing I am currently logged in!

GPMU: run a REPORT... this is how you will be able to see the effect.
Highlight the "Group Policy Results" folder in the GPM... then right click... run the wizard... you will see it's pretty easy...

Author

Commented:
Am I running into a delay problem? I just changed a setting, reran the report and it didn't show up, but when I went back into GP, my change was there.

Probably... the GPO doesn't get updated immediately on the client machines... you can run GPUDATE /force to force the client to look to the domain and apply any GPOs immediately.
How many GPOs do you have?

Surely you know the one you changed, right?  Just click on the settings tab to see what all was set.  You can highlight the settings and paste them here if you want us to figure it out.

Author

Commented:
Well..... I think I have a mess.

This is what my GPO Tree looks like:
[Domain.Local]
     Default domain Policy
     Windows Updates
     Domain Controllers
        Default domain Controllers Policy
     Shutdown and Logoff/On Policy
        Logon and Shutdown Permissions
     Group Policy Objects
        Classic
        Default Domain Controllers Policy
        Default domain Policy
        Equifax
        Logon and Shutdown Permissions
        QB
        Windows Updates
     WMI Filters


What would you like to see?

Author

Commented:
This may not be a TS issue, it's telling every user, including the admin, to check and make sure the username and password are correct

Author

Commented:
No more help?

Group Policy Objects
        Classic
        Default Domain Controllers Policy
        Default domain Policy
        Equifax
        Logon and Shutdown Permissions
        QB
        Windows Updates

That's the list of GPOs.

Do you know which one you changed?

Author

Commented:
I added the Logon and Shutdown and Windows Update GPO, I may have changed the Classic and two Defaults...

Commented:
Unlink them one at a time... after you unlink one, run gpupdate /force and check if you can log on...

Inside the GPMC go down to the group policy modeling section, and right click and run the GPM wizard. Run a simulation based on a user you are having problems with and post the results here.

Author

Commented:
I couldn't select a single user, only the group; it says the specified user could not be found in the active directory.

Author

Commented:
All my users are gone. How could I have deleted all my users while in the GPMU?

Did you select the User tab in the GPM wizard?

It should be:

User Information > User  (not container)

Then browse > type a user name like jsmith

Then click "skip to end" at the bottom and run it.

Author

Commented:
But there are no users. Not even in AD Users and Computers

Ummm.... Whoa.

Nothing you can do in GPMC would have caused that...


Is this the only domain controller?  If it wasn't something you did (meaning delete the users somehow), there should be plenty of eventvwr errors.
Kevin Hays, IT Analyst
CERTIFIED EXPERT

Commented:
Man, that isn't good at all. Did you mess with anything in the default domain policy, such as security settings in there? Sounds like you have issued a "deny" on something for the everyone group from what you are saying. Even though we know GPO wouldn't have done that you could have set the wrong setting in the default domain policy though.

Any DNS issues?  

kshays
Engineer
CERTIFIED EXPERT
Commented:
What's your most recent system state backup on a DC before you made the changes? You might need to perform an authoritative restore of your system state (i.e., AD plus a few other things) in order to get this back if things are really spiraling quickly.

See "Performing an Authoritative Restore of Active Directory Objects": http://technet2.microsoft.com/WindowsServer/en/Library/690730c7-83ce-4475-b9b4-46f76c9c7c901033.mspx

Author

Commented:
Last night.

I agree with jebeckham, that if you have a good verified backup of the DC, and it's your only DC, then I would restore from backup and not mess with going through us for the next few days without a full resolution.

Author

Commented:
I thought an AD restore was really simple, after reading those docs at technet, I'm worried I'll be in a bigger mess.

I have already recreated the users. So they are logged in and operational (somewhat). Now I have many minor issues and still have the inability to play flash on websites......

jasgot,

I would really consider calling a local IT consulting company and having them come in and look at your DC and network.  It's not that I (can't speak for other EE members) mind helping, but it's very hard to diagnose the issues here.

You'll have to give us eventlog errors, program errors, etc. etc.  The more technical information the better.  Also, you'll need to make sure you post the issues separately if possible in their respective Topic Areas.
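
Added example, not part of any post in this thread: one way to capture what the experts asked for, a saved RSoP report plus the effective logon rights (including the "deny" rights mentioned above) on the affected server. The output paths under `$env:TEMP` are assumptions; run it from an elevated PowerShell prompt on the machine that refuses logons.

```powershell
# Added example (not from the thread). Run elevated on the affected server.
# Re-apply computer policy so the results reflect the latest GPO edits.
gpupdate /target:computer /force

# Save the computer-side RSoP as HTML so it can be shared.
# (gpresult /h needs Vista / Server 2008 or later; older systems only have gpresult /v.)
$report = Join-Path $env:TEMP 'rsop-computer.html'   # assumed output path
gpresult /scope computer /h $report /f | Out-Null

# User rights that decide whether console and Terminal Services logons are allowed.
$rights = @(
    'SeInteractiveLogonRight',       'SeDenyInteractiveLogonRight',
    'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
)

# secedit writes accounts as *SID; translate to DOMAIN\name where possible.
function Resolve-Account([string]$Entry) {
    $e = $Entry.Trim()
    if ($e -notmatch '^\*S-1-') { return $e }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($e.TrimStart('*'))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $e   # orphaned SID: the account no longer exists
    }
}

# Export the effective user-rights assignment after all GPOs have applied.
$cfg = Join-Path $env:TEMP 'user-rights.inf'         # assumed output path
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$found = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*(\w+)\s*=\s*(.*)$' -and $rights -contains $Matches[1]) {
        $found[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { Resolve-Account $_ })
    }
}
Remove-Item $cfg

foreach ($r in $rights) {
    if (-not $found.ContainsKey($r)) {
        Write-Output "$r : (not assigned to anyone)"
    } elseif ($r -like 'SeDeny*') {
        # A deny right overrides the matching allow right for the same account.
        Write-Warning "$r : $($found[$r] -join '; ')"
    } else {
        Write-Output "$r : $($found[$r] -join '; ')"
    }
}
Write-Output "RSoP report saved to $report"
```

A right that is missing from the secedit export is granted to no one, and any entry left as a raw `*S-1-...` value points at an account that no longer resolves.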