Solved

how to undo authenticated users denied access on AD

Posted on 2012-04-10
Last Modified: 2012-04-11
Hi guys,

I was trying to prevent access to AD for standard users, and by mistake I gave Authenticated Users denied access to AD. Now I cannot access AD with any of my domain or enterprise admins. What can I do to undo that action? Please, I need help as soon as possible. Thanks in advance!!
Question by:goodwill1
7 Comments
 

Author Comment

by:goodwill1
ID: 37830221
Hi guys, I got it fixed. My heart is pumping again!! I was scared already. What I did: I disconnected the PDC from the network; that was the server where I made the change. When I went to my secondary server, the change was not synced yet, so I added Authenticated Users and gave it full access to AD. Then I restarted the PDC DC, logged in again and did a manual sync, and all was back up again. I was able to go to AD and just give Authenticated Users read access. Now my question is: if I delete Authenticated Users from AD access, will it be OK, or will I lose connection to AD as a domain admin, since domain admins are also authenticated users?
Thanks
0
 
LVL 6

Expert Comment

by:Daryl Bamforth
ID: 37830392
Glad you got it working. This is one of those instances where slow syncing can be a blessing :)

If this happens again and does get synced, you can attempt recovery using directory services restore mode.

With physical access to the server, reboot, press F8 just after POST and use the password you set when you installed AD. (If you cannot remember it, you can reset it using an offline NT password reset disk.)

Open up AD users and computers, fix permissions, reboot.
0
 
LVL 13

Expert Comment

by:lauchangkwang
ID: 37830710
>> Now my question is: if I delete Authenticated Users from AD access, will it be OK, or will I lose connection to AD as a domain admin, since domain admins are also authenticated users?

Normally the process is to "Disable" the user/group first, and only then, after a period of time, delete the account/group.

Is it possible to print screen and post the picture here for the Authenticated Users group?
0

 
LVL 13

Assisted Solution

by:lauchangkwang
lauchangkwang earned 1000 total points
ID: 37830727
Just to let you know: before you delete/disable any account or group in AD, make sure it is correct and only then do it, or else you might be in trouble. Based on your question here, it seems like your admin account also got restricted by the denied access. Normally, if you want to prevent access, it should be done from the user group (where there is a list of users), not from the Authenticated Users list.
0
 
LVL 6

Accepted Solution

by:
Daryl Bamforth earned 1000 total points
ID: 37831618
Missed your second one.  

Authenticated Users is a special built-in domain security group. You should not be deleting or disabling this group.

When you say you are trying to prevent access to AD for standard users, do you mean you want to prevent them from being able to use a management tool to read the directory? If this is the case, then have a read of this.

http://www.windowsecurity.com/articles/Active-Directory-information-exposed-users.html
(warning, it does ramble a bit :P)

For users to be able to properly authenticate against AD they do need read rights to quite a significant chunk.  You can, however, look at setting some of the attributes as confidential (see http://support.microsoft.com/kb/922836).

I hope that helps, but if I am way off the mark, can you please elaborate on exactly what you were intending to accomplish by removing the Authenticated Users group?
0
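
Why the Deny entry in this thread also locked out the admin accounts, as an added example that is not part of any post above: a simplified Python model of DACL evaluation, where deny entries are checked before allow entries and a deny matches any SID in the caller's token. The domain SIDs, the Standard Staff group and the two-bit rights mask are constructed for illustration.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2          # simplified rights; real AD masks are finer-grained
FULL = READ | WRITE

AUTHENTICATED_USERS = "S-1-5-11"                 # well-known SID
DOMAIN_ADMINS = "S-1-5-21-1111-2222-3333-512"    # constructed domain SID
STANDARD_STAFF = "S-1-5-21-1111-2222-3333-1105"  # hypothetical user group

@dataclass(frozen=True)
class Ace:
    kind: str   # "deny" or "allow"
    sid: str
    mask: int

def access_check(token_sids, dacl, desired):
    """Evaluate a DACL in canonical order (deny ACEs before allow ACEs)."""
    remaining = desired
    for ace in sorted(dacl, key=lambda a: a.kind != "deny"):
        if ace.sid not in token_sids:
            continue                      # ACE is for a group the caller lacks
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False              # a matching deny ends the check
        else:
            remaining &= ~ace.mask        # allows accumulate
            if remaining == 0:
                return True
    return False                          # nothing granted it: implicit deny

# Every logged-on account, admins included, carries Authenticated Users.
ADMIN_TOKEN = {AUTHENTICATED_USERS, DOMAIN_ADMINS}
USER_TOKEN = {AUTHENTICATED_USERS, STANDARD_STAFF}

ADMIN_ACE = Ace("allow", DOMAIN_ADMINS, FULL)
DACL_MISTAKE = [ADMIN_ACE, Ace("deny", AUTHENTICATED_USERS, FULL)]
DACL_READ_ONLY = [ADMIN_ACE, Ace("allow", AUTHENTICATED_USERS, READ)]
# Same deny, scoped to a user group instead. The accepted answer's caveat
# that users need read access to authenticate still applies in a real domain.
DACL_SCOPED = DACL_READ_ONLY + [Ace("deny", STANDARD_STAFF, FULL)]

def summary(dacl):
    """Return {account: (can_read, can_write)} for the two sample tokens."""
    tokens = {"admin": ADMIN_TOKEN, "user": USER_TOKEN}
    return {who: (access_check(t, dacl, READ), access_check(t, dacl, WRITE))
            for who, t in tokens.items()}

if __name__ == "__main__":
    for name, dacl in [("deny Authenticated Users", DACL_MISTAKE),
                       ("Authenticated Users read-only", DACL_READ_ONLY),
                       ("deny scoped to user group", DACL_SCOPED)]:
        print(f"{name:32} {summary(dacl)}")
```

In the first case the admin's Full Control allow entry is never reached, because the deny on Authenticated Users matches the admin token first; in the scoped case the admin token does not carry the denied group, so only the standard user is affected.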
 

Author Comment

by:goodwill1
ID: 37832293
Thanks a lot, Unori and lauchangkwang. Yes, I'm glad the replication was quick enough. And yes, you are right, I need to be sure before I make a big change like that. And yes, what I need to do is prevent users from accessing AD via the admin tool in case anyone has it installed. I appreciate your quick response, guys. Have a great day!!
0
 

Author Closing Comment

by:goodwill1
ID: 37832306
Great response time. Thanks
0
