troubleshooting Question

GPO problems: no access to Netlogon or TS

Avatar of cvservices
cvservicesFlag for United States of America asked on
Active DirectoryMicrosoft Server OS
7 Comments2 Solutions1333 ViewsLast Modified:
Hello all,

I work at district with 36 sites, and about 25 Child domains (yes i know it's crazy, but I inherited this, and working on fixing it).
We are running Active Directory 2000, with mixed servers running Windows 2000 server and Windows Server 2003.

As of yesterday, we had something happen , which I still can't pin point, but our default domain policy got corrupted somehow, and the scope of it got reduced to only one OU that we had within the scope. (Authenticated Users was no longer there). essentially, I no longer had a default domain policy.

I managed to restore that, and I ran the Default Domain Policy restore tool which I got from the MSFT site, since I didn't have many special perms in the default domain policy, it wasn't a big deal to do so. (I did do a system state backup prior).

As of last night, I was having some issues logging to my domain controllers, to which I came down to adding the administrators group back into the Allow Logon Locally, and Allow Logon Through Terminal Services.

This morning, suddenly, all access was gone again. I am not able to access the servers via RDP. Windows 2003 servers return the following error:
"To log on to this remote console session, you must have administrative permissions on this computer"
and on Windows 2000 Servers I get the following error:
"You do not have access to logon to this session"

From searching for this error, it all referred to the previously mentioned GPO for the domain controllers, which, in my case, is already setup correctly.

Couple things I noticed within that process:
1- the enterprise admin user is the only one that is still able to login to the domain controllers
2- I no longer seem to have access to write my NETLOGON directories on the domain controllers with my domain admin users. I have read access, but no write access. I get an access denied. this happens with all domain admins.

I'm still not quite sure what else has been broken, but not being able to write to netlogon sounds like a pretty big problem to me. (as an admin of course)

So, would anyone have any ideas as to what may be happening. I'm afraid that if I don't resolve some things quickly here, I'm going to have some major replication issues, which I'm assuming I'm probably already having right now, and at one point I'm going to completely crash and burn. so any help would be greatly appreciated!!

If you have any ideas on how to trouble the source of the problem, as I'm running out of ideas, and google is sort of sending me in circles about the issue.

Thanks in advance for your assistance!

Here's an update which may be relevant,
I noticed that the users, (other than my enterprise admin), are being automatically removed from my "Builtin\Administrators" group. even after I add them, this is the second time that I re-add them, and they get removed.

Though, I don't think that should affect Domain Admins TS logons to the servers, as I have added the Domain Admins group to the Allow Logon Locally, and Allow Logon Through Terminal Services.


Our community of experts have been thoroughly vetted for their expertise and industry experience.

Join our community to see this answer!
Unlock 2 Answers and 7 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 2 Answers and 7 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros