Solved

URGENT group policy changes have my system unmanageable

Posted on 2006-05-03
Last Modified: 2008-02-20
Please help, I'm getting desperate!

I made some group policy changes last night to the server (win2003 SBS) and accidentally denied the administrator account access to any administrative functions, including the gpedit.msc function. Now I can't access Active Directory or anything.

I restored systemstate from the day before, but still have the same group policy in effect for some reason.

This is affecting the entire office and I'm at a loss for what to do next. Please help!

Thanks a lot,

Joe
0
Comment
Question by:jkowan11
11 Comments
 
LVL 8

Expert Comment

by:Saineolai
ID: 16599794
What policy setting did you apply and where did you apply it to? If you have any other accounts in the domain admins group they might work still.
0
 

Author Comment

by:jkowan11
ID: 16599854
Thanks for the response

Actually the server is brand new, so the only administrator account is the actual administrator account I used to edit group policies from the gpedit.msc function. I thought I was editing policies just for user accounts, not for administrator or the server, but apparently I was wrong. Now I can't get back into anything, as I set up a pretty tight security policy.

Any idea why the system state restore didn't fix that?

Thanks
0
 
LVL 8

Expert Comment

by:Saineolai
ID: 16600047
What is happening when you launch AD users and computers?  Can you add a user account from the command prompt?  If you use AD users and computers from a Workstation can you access AD?
0

 

Author Comment

by:jkowan11
ID: 16600078
When I launch it from the server I get told that snapin is restricted due to policy settings. Ask your administrator.

I can get into gpedit.msc on client machines.

How do I add a user from the command prompt? And how do I get AD from workstations?

Thanks a lot!
0
 
LVL 5

Assisted Solution

by:mickinoz2005
mickinoz2005 earned 400 total points
ID: 16600357
If you install the Windows 2003 administrators pack you can access most of the Admin functions from a workstation.

http://www.microsoft.com/downloads/details.aspx?FamilyID=C16AE515-C8F4-47EF-A1E4-A8DCBACFF8E3&displaylang=en

You use group policy to edit permissions on workstations not gpedit.msc. GPedit.msc is only for local permissions.

Have a read of this, it might help. Not sure though, it looks more like XP.
http://groups.google.ie/group/microsoft.public.windowsxp.security_admin/browse_thread/thread/d5f6348b074b0df7/94283960c047d218%2394283960c047d218

Good Luck

Michael
0
 
LVL 8

Accepted Solution

by:
Saineolai earned 1000 total points
ID: 16600362
Install the Administration tools from the Windows Server CD.  This is not the recommended way to manage an SBS2003 server.  However in this instance it may let you reverse the policies, depending on how access is denied.

http://www.jsifaq.com/SUBO/tip7300/rh7329.htm

provides details on adding a user from the command prompt.  However depending on where the policy is applied a new user may not get around this.

Can you let us know what errors are appearing, and which policy/settings you edited?
0
 
LVL 74

Assisted Solution

by:Jeffrey Kane - TechSoEasy
Jeffrey Kane - TechSoEasy earned 600 total points
ID: 16600627
The reason that system state restore doesn't fix that is because the Group Policies are not stored in the System State... they are files which are stored in the Windows File structure.  And there's a bit of bad news to go along with that... they can't be restored from NT Backup because they are in the SYSVOL.

So... have you not created any other users yet?  And can you not create any additional users due to this problem?

If you can't create any other users, you probably won't be able to fix this without either reinstalling or creating a new Administrative user with a PreWindows Boot CD.  I've done this before with UBCD4WIN and it works quite well.  

Go to http://www.ubcd4win.com and follow the instructions to create a BOOT CD.  Then you can run PasswordRestore to create a new Admin user.

To be honest, this will take just about as long as reinstalling from scratch... and could leave you with small permissions issues that would trouble you later on.  Personally, I'd reinstall.

Jeff
TechSoEasy
0
 

Author Comment

by:jkowan11
ID: 16606383
Thanks a lot for the help guys!

It appears I'm pretty much screwed.

I tried adding a "test" user from the cmd prompt and got this error:

C:\Documents and Settings\Administrator>dsadd user "CN=Test,CN=Administrators,CN
=Domain Admins"
dsadd failed:CN=Test,CN=Administrators,CN=Domain Admins:No superior reference ha
s been configured for the directory service. The directory service is therefore
unable to issue referrals to objects outside this forest.
type dsadd /? for help.
C:\Documents and Settings\Administrator>

I was hoping not to have to go onsite since it's a three hour drive, but I guess I'm out of options unless anyone knows why I can't use the cmd prompt to do this? If I could add an administrator account from the cmd prompt, or enable an account I know is administrator but is disabled, I could save 50 bucks in gas and a waste of a beautiful day or two...

Thanks a lot guys!
0
 
LVL 8

Expert Comment

by:Saineolai
ID: 16606465
The syntax should be like this

dsadd user "CN=Test,CN=Users,DC=DomainName,DC=com"

Where the Active Directory domain name is domainname.com

The issue with adding another user into the Users OU is that the user will then most likely have the group policy applied to them.
0
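The DN form given in the comment above, carried through to group membership, as an added example that is not part of the original thread. The domain `domainname.com` and the account name `Test2` are constructed sample values, and the script assumes it is run on the domain controller by an account that is still allowed to create users.

```bat
@echo off
rem Added example, not from the thread. Sample values are constructed:
rem domain "domainname.com" and account "Test2".
setlocal

rem dsadd needs a full distinguished name that ends in the domain's DC= parts.
rem A DN without them (as in the failed attempt) matches no naming context
rem held by this DC, which is what "No superior reference" reports.
set "DOMAIN_DN=DC=domainname,DC=com"
set "USER_DN=CN=Test2,CN=Users,%DOMAIN_DN%"

rem Look up the group's DN instead of guessing it.
rem dsquery prints the DN already wrapped in double quotes.
set GROUP_DN=
for /f "delims=" %%G in ('dsquery group domainroot -name "Domain Admins"') do set GROUP_DN=%%G
if not defined GROUP_DN (
    echo Could not find the Domain Admins group.
    exit /b 1
)

rem -pwd * prompts for the password so it never appears on the command line.
dsadd user "%USER_DN%" -samid Test2 -pwd * -memberof %GROUP_DN% -disabled no
if errorlevel 1 exit /b 1

rem Show the groups the new account belongs to.
dsget user "%USER_DN%" -memberof
endlocal
```

As the comment above points out, an account created under Users will most likely have the same group policy applied to it, so this only helps when the restriction is not linked at that level.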
 

Author Comment

by:jkowan11
ID: 16606478
Ah I see, so how would I add a user to the Administrators group? Is that possible?
0
 

Author Comment

by:jkowan11
ID: 16606699
Update: I managed to enable another administrator account that had been disabled previously, however, it's still got the same messed up group policy as the original administrator account. Looks like I'm making the drive =(
0
