Solved

Gain access to delete account from RSoP

Posted on 2009-03-30
Last Modified: 2012-06-27
I followed the advice but the security policy setting options are greyed out so I cannot add a user/group or remove the user.  TSInternetUser is not showing in Active Directory but the other offending user is.  That offending user no longer exists on our domain.
Question by:cettech
5 Comments
 
LVL 5

Expert Comment

by:kollenh
ID: 24022164
I'm not sure I completely understand your question but let me give it a shot:  You want to edit a domain policy to remove a user?  Is the policy adding a user to a local group on domain computers?  
Regardless of what you want to do, if you're unable to edit a domain policy, it is because you lack the proper permissions.  Are you logged in as a domain admin?  Or running the Group Policy Manager as a domain admin?  You are using the Group Policy Management console, right?  If not, go download it before you do anything else: http://www.microsoft.com/downloads/details.aspx?FamilyID=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en
If you are running as a domain admin and still having problems, find the policy in question under "Group Policy Objects" in the GPMC and highlight it.  Then choose the 'Delegation' tab on the right and make sure that the account you're using has "Edit settings" effective permissions.  If not, add it provided you DO have "modify security" permissions.  If you have neither, see if an account listed does have permissions and try using that account and/or contacting that user for assistance.
If I've not covered what you're trying to achieve, please be more specific and I'll do what I can.
HTH
0
 

Author Comment

by:cettech
ID: 24022368
I was adding to comments to another problem that happened, in which I am having the same problem... security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.
I followed that advice but I'm unable to delete the user since it's greyed out.  Also, after further investigation, I see that all the accounts under foreign security principals are just s-XXX icons.
0
 
LVL 5

Expert Comment

by:kollenh
ID: 24022603
Still a little unclear exactly what you're trying to do - add/remove accounts I understand but where, inside a policy?  On a policy?  Can you walk me through the steps you take to get to the point of seeing all the "XXX" icons?
0
 

Author Comment

by:cettech
ID: 24022732
Start -> Run -> RSoP.msc
The red X was on Allow log on locally.  I clicked on the properties of that setting and found a user, TSInternetUser, listed that is not in my Active Directory, but the options are greyed out.
I then went into Active Directory Users and Groups, users, and searched for TSInternetUser, which is not listed.  I proceeded to click on ForeignSecurityPrincipals only to find that all accounts are just s-XXX.  We had problems with our AD and I'm not sure what built-in rights were listed and/or needed.
0
 
LVL 5

Accepted Solution

by:
kollenh earned 500 total points
ID: 24022812
Ok, I see.  You're not really looking at Group Policy with that but rather the resultant set of policies that have been applied.  If I run that on my computer, I get some VERY strange results back, too.
Go to Start --> Administrative Tools --> Group Policy Management.  If you don't have it, download and install it from the link I sent you earlier.  It simplifies GP management in a big way.
Then run 'gpresult' from the command line on your computer and see what policies are being applied.  Work your way through the list in the GPMC until you find the one that is adding that user.  It may be tedious but that should get you what you want.
0
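The GPO-by-GPO search described in the accepted answer can also be run against SYSVOL directly. The script below is an added example, not part of the original thread: it reads each GPO's security template (GptTmpl.inf) and reports entries under "Allow log on locally" that are stored as account names and no longer resolve to a SID, which is the condition behind the 0x534 warning. It assumes the stale entry lives in a domain GPO and that the machine can read SYSVOL; `$Domain`, `$Right` and `Test-AccountResolves` are names chosen for this example.

```powershell
# Added example (assumptions: domain-joined host, read access to SYSVOL).
# SeInteractiveLogonRight is the privilege constant for "Allow log on locally".
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [string]$Right  = 'SeInteractiveLogonRight'
)

function Test-AccountResolves {
    param([string]$Name)
    try {
        $null = ([System.Security.Principal.NTAccount]$Name).Translate(
            [System.Security.Principal.SecurityIdentifier])
        return $true
    } catch {
        # Only "name not found" counts as unresolved; rethrow anything else.
        if ($_.Exception.GetBaseException() -is [System.Security.Principal.IdentityNotMappedException]) { return $false }
        throw
    }
}

$policies = "\\$Domain\SYSVOL\$Domain\Policies"
Get-ChildItem -Path $policies -Directory | ForEach-Object {
    $guid = $_.Name
    $inf  = Join-Path $_.FullName 'MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
    if (-not (Test-Path -LiteralPath $inf)) { return }   # GPO has no security template

    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $inf) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection -or $line -notmatch "^\s*$Right\s*=\s*(.*)$") { continue }
        foreach ($entry in $Matches[1].Split(',')) {
            $entry = $entry.Trim()
            # '*S-1-...' entries are literal SIDs and need no lookup; bare
            # entries are names that must be mapped to a SID when applied.
            if (-not $entry -or $entry.StartsWith('*')) { continue }
            if (-not (Test-AccountResolves $entry)) {
                [pscustomobject]@{ GpoGuid = $guid; Right = $Right; Unresolved = $entry; File = $inf }
            }
        }
    }
}
```

Each result row gives the GPO's GUID folder name, which can be matched to a policy under "Group Policy Objects" in the GPMC (Details tab, Unique ID) before editing it there.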
