pooky73 (United Kingdom) asked on

Disabled Administrator account on Domain Controller

Hi,

I created 2 new admin accounts which have domain admin and enterprise admin accounts on a domain controller, disabling the old administrator account.

Unbeknown to me, the person that installed the server used Group Policy to lock down access to the old administrator account only. Interactive login is not allowed on the 2 other domain admin accounts. This is a local policy.

I can access the server in safe mode and Active Directory restore mode, but this client has not had a backup for a week (I don't believe new accounts have been created), but when running in either of these modes, the tape device drivers are not loaded.

To make matters worse, the previous person stated that the only person that can access PCs is the administrator account for the domain, NOT domain admins. I was going to use the admin pack/dsa to re-enable the account to get in and remove the policies.

Is there a way I can disable group policy (registry/remove policy files)? Or does anyone know a way to get back into this server?

The guy who installed it is not available to contact for the moment.

Kind regards

A very frustrated/hairless techie.
Active Directory

Last comment: pooky73, 8/22/2022 - Mon
Sinder255248

Can you run DSA.msc from a member server?  If so edit the Default Domain Controller Policy and change the following settings:

Computer Config > Security Settings > local policies > user rights assignments >

Allow logon locally
Allow logon through terminal services

Add the Domain Admins into both of those policy settings, and when the policy re-applies you should be good to go.

Sinder255248

If you can't log on to the server as administrator, you should be able to create a shortcut to MMC on the desktop and use runas to run it up as one of your domain admins.
Sinder255248

If you do get MMC loaded as a domain admin, you could also load in the Group Policy snap-in, and when it asks local or remote, you could select remote and enter the DC. If you're running as a domain admin it should allow you to run up the local policy and you can make changes to that if you'd prefer. The Default Domain Controller Policy will overwrite any local policy though, so I'd be tempted to go down that route.
ASKER
pooky73

The problem I have is the f**kwad who installed this server has removed domain admins from all the PCs attached to the network and just put in domain\administrator and local\administrator.

He has locked down the desktops so that you can't run MMC or the admin pack.

A suggestion I have had is to log into the server (which I can do in safe mode or AD restore), navigate to sysvol and delete all the policies; it will then recreate default policies.

Do you think this will work?

Thanks for your quick replies
Sinder255248

Nope, I wouldn't do that as it stores policies in the Configuration partition as well...

What about trying this to restore/overwrite the local security settings:

secedit /configure /db reset /cfg "c:\windows\security\templates\setup security.inf" /overwrite

This should apply the security that was applied at setup.  

If you can reset the security on an XP machine and log on as a domain admin, you could run up DSA.msc and play with the Default Domain Controller Policy.
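One way to verify the result of either fix (the secedit reset or the Default Domain Controller Policy edit) before trusting it: an added PowerShell check, not code from this thread, that exports the effective user-rights assignment with secedit and reports whether Administrators and Domain Admins hold both logon rights. It assumes an elevated prompt on a domain-joined machine and resolves "Domain Admins" via $env:USERDOMAIN.

```powershell
# Added example, not from the thread. Assumptions: elevated prompt, domain-joined box.
# Exports the effective user-rights assignment and checks the two rights discussed above:
#   SeInteractiveLogonRight       = "Allow log on locally"
#   SeRemoteInteractiveLogonRight = "Allow log on through Terminal Services"

$inf = Join-Path $env:TEMP 'rights-check.inf'
# /areas USER_RIGHTS limits the export to the [Privilege Rights] section
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Parse "SeXxx = *S-1-5-32-544,*S-1-5-21-...-512" lines into a hashtable of holder lists
$rights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = $matches[2].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# BUILTIN\Administrators has a well-known SID; Domain Admins is <domain SID>-512,
# which differs per domain, so resolve it from the name.
$admins = 'S-1-5-32-544'
$nt = New-Object -TypeName System.Security.Principal.NTAccount `
                 -ArgumentList $env:USERDOMAIN, 'Domain Admins'
$domainAdmins = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

foreach ($right in 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight') {
    # A right missing from the export means nobody holds it on this machine
    $holders = @($rights[$right] | Where-Object { $_ })
    # Translate SIDs back to names for the report; keep unresolvable entries as-is
    $names = $holders | ForEach-Object {
        $sid = $_
        try {
            $obj = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
                              -ArgumentList $sid
            $obj.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $sid }
    }
    [PSCustomObject]@{
        Right          = $right
        Administrators = $holders -contains $admins
        DomainAdmins   = $holders -contains $domainAdmins
        Holders        = ($names -join ', ')
    }
}
```

Because the Default Domain Controller Policy re-applies on the next refresh, run this again after gpupdate /force to confirm the setting you ended up with is the one that sticks.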

ASKER
pooky73

Will that work in AD Restore mode, as that and safe mode are the only ways I can log into the server?

Also, I do not have any local administrator access for the PCs.

This is looking bad I know :-(
ASKER CERTIFIED SOLUTION
Sinder255248

ASKER
pooky73

I am thinking of that as another alternative. As soon as I have tried both of these options I will let you know, but I am not due back there until next Monday. As long as I can block the policy from being applied when I join it to the domain, it may work. However, if I do that on a DC, I won't be able to log in locally.

I'm resigning myself to rebuild the server over a weekend :-(
ASKER
pooky73

Sinder,

just to let you know, I have tried the
secedit /configure /db reset /cfg "c:\windows\security\templates\setup security.inf" /overwrite

on a test DC and it worked fine. As soon as I have applied this to the DC at the customer's site, I'll post the points.

Many thanks for your help.

Matt
ASKER
pooky73

Hi,

Just to let you know, I managed to join a PC to the domain and then run DSA and re-enable the account. I have since changed the policy.

Many thanks for your help.

Matt