Solved

Gain access to delete account from RSoP

Posted on 2009-03-30
Last Modified: 2012-06-27
I followed the advice but the security policy setting options are greyed out so I cannot add a user/group or remove the user.  TSInternetUser is not showing in Active Directory but the other offending user is.  That offending user no longer exists on our domain.
0
Question by:cettech
5 Comments
 
LVL 5

Expert Comment

by:kollenh
ID: 24022164
I'm not sure I completely understand your question but let me give it a shot:  You want to edit a domain policy to remove a user?  Is the policy adding a user to a local group on domain computers?  
Regardless of what you want to do, if you're unable to edit a domain policy, it is because you lack the proper permissions.  Are you logged in as a domain admin?  Or running the Group Policy Manager as a domain admin?  You are using the Group Policy Management console, right?  If not, go download it before you do anything else: http://www.microsoft.com/downloads/details.aspx?FamilyID=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en
If you are running as a domain admin and still having problems, find the policy in question under "Group Policy Objects" in the GPMC and highlight it.  Then choose the 'Delegation' tab on the right and make sure that the account you're using has "Edit settings" effective permissions.  If not, add it provided you DO have "modify security" permissions.  If you have neither, see if an account listed does have permissions and try using that account and/or contacting that user for assistance.
If I've not covered what you're trying to achieve, please be more specific and I'll do what I can.
HTH
0
 

Author Comment

by:cettech
ID: 24022368
I was adding to the comments on another problem that happened, in which I am having the same problem... security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.
I followed that advice but I'm unable to delete the user since it's greyed out.  Also, after further investigation, I see that all the accounts under foreign security principals are just s-XXX icons.
0
 
LVL 5

Expert Comment

by:kollenh
ID: 24022603
Still a little unclear exactly what you're trying to do - add/remove accounts I understand but where, inside a policy?  On a policy?  Can you walk me through the steps you take to get to the point of seeing all the "XXX" icons?
0
 

Author Comment

by:cettech
ID: 24022732
Start -> Run -> RSoP.msc
The red X was on Allow log on locally.  Clicked on the properties of that setting and I found a user TSInternetUser listed that is not in my Active Directory but the options are greyed out.
I then went into Active Directory Users and Groups, users, searched for the TSInternetUser which is not listed.  I proceeded to click on the ForeignSecurityPrincipals only to find that all accounts are just s-XXX.  We had problems with our AD and I'm not sure what built-in rights were listed and/or needed.
0
 
LVL 5

Accepted Solution

by:
kollenh earned 1500 total points
ID: 24022812
Ok, I see.  You're not really looking at Group Policy with that but rather the resultant set of policies that have been applied.  If I run that on my computer, I get some VERY strange results back, too.
Go to Start --> Administrative Tools --> Group Policy Management.  If you don't have it, download and install it from the link I sent you earlier.  It simplifies GP management in a big way.
Then run 'gpresult' from the command line on your computer and see what policies are being applied.  Work your way through the list in the GPMC until you find the one that is adding that user.  It may be tedious but that should get you what you want.
0
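
The search described in the accepted answer (working through the GPOs until you find the one that lists the account under Allow log on locally) can also be run against the policy files directly. This is an added example, not part of the original thread: it assumes the setting is stored as `SeInteractiveLogonRight` in each GPO's `GptTmpl.inf` under SYSVOL, and the function name `Get-UnresolvedPrincipal` is made up for illustration.

```powershell
# Added example. Emits the entries of one user right in a GptTmpl.inf that have
# no name <-> SID mapping on the machine running the check (the 0x534 condition).
function Get-UnresolvedPrincipal {
    param(
        [string[]]$InfLines,
        [string]$Right = 'SeInteractiveLogonRight'   # "Allow log on locally"
    )
    $line = $InfLines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return }
    foreach ($entry in ($line -split '=', 2)[1] -split ',') {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        try {
            if ($entry.StartsWith('*')) {
                # "*S-1-..." is a SID; it must translate to an account name
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                [void]$sid.Translate([System.Security.Principal.NTAccount])
            } else {
                # A bare name must translate to a SID
                $acct = New-Object System.Security.Principal.NTAccount($entry)
                [void]$acct.Translate([System.Security.Principal.SecurityIdentifier])
            }
        } catch {
            $entry   # could not be mapped (or is not a valid SID string)
        }
    }
}

# Constructed sample template; TSInternetUser is the account name from this thread.
$sample = @'
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,TSInternetUser
'@ -split "`r?`n"
Get-UnresolvedPrincipal -InfLines $sample

# Sweep every GPO in SYSVOL (assumption: domain-joined machine with read access).
$domain = $env:USERDNSDOMAIN
if ($domain) {
    Get-ChildItem "\\$domain\SYSVOL\$domain\Policies" | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $inf = Join-Path $_.FullName 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
        if (Test-Path -LiteralPath $inf) {
            $bad = @(Get-UnresolvedPrincipal -InfLines (Get-Content -LiteralPath $inf))
            if ($bad.Count) { New-Object psobject -Property @{ GpoGuid = $_.Name; Unresolved = $bad -join ', ' } }
        }
    }
}
```

The `GpoGuid` value is the folder name under `Policies`, which matches the Unique ID shown on a GPO's Details tab in the GPMC. Names are resolved on the machine running the check, so an account that exists only locally on a target computer will also be reported.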


Question has a verified solution.
