how to undo authenticated users denied access on AD

Hi guys,

I was trying to prevent access to AD to standard users and by mistake I gave authenticated ussers denied access to AD, now I cannot access AD with any of my domain or enterprise admins. what can I do to undo that action? Please I need help as soon as possible.. thanks in advance!!
goodwill1Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

goodwill1Author Commented:
Hi guys, I got it fixed.. my heart is pumping again!! i was scared already. what I did I disconnect the PDC from the network that was the server I did the change. when I go to my secondary server the changed was not sync yet so I added authenticated users and gave it full access to AD. then I restarted the PDC DC and login again and did a manual sync and all was back up again. I was able to go to AD and just give authenticated users read access. now my question is if I delete authenticated users from AD access. it will be ok or I will loose connetion to AD as a domain admin since domain admin are also autheticated users?
Thanks
0
Daryl BamforthTechnical ExpertCommented:
Glad you got it working.  This is one of the type of instances that slow syncing can be a blessing :)

If this happens again and does get synced, you can attempt recovery using directory services restore mode.

With physical access to server, reboot, Press F8 just after POST and use the password you set when you installed AD. (If you cannot remember it you can reset it using an offline NT password reset disk.)

Open up AD users and computers, fix permissions, reboot.
0
lauchangkwangCommented:
>> now my question is if I delete authenticated users from AD access. it will be ok or I will loose connetion to AD as a domain admin since domain admin are also autheticated users?

Normally the process is "Disable" the user / group first , then after a period of time, then only delete the account / group.

Possible to print screen and post the picture here for the authenticad users group ??
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

lauchangkwangCommented:
Just to let you know, before you delete / disable any acc. or group in AD, make sure it is correct then only do it, or else you might be in trouble, base on your question here, it seems like your admin acc. also get restricted from the denied access. Normally if you want to prevent access, it should from the user group (where got a list of users there), not from the authenticated users list.
0
Daryl BamforthTechnical ExpertCommented:
Missed your second one.  

Authenticated Users is a special built in domain security group.  You should not be deleting or disabling this group.

When you say you are trying to prevent access to AD to standard users do you mean you want to prevent them from being able to use a management tool to read the directory?  If this is the case then have a read of this.

http://www.windowsecurity.com/articles/Active-Directory-information-exposed-users.html
(warning, it does ramble a bit :P)

For users to be able to properly authenticate against AD they do need read rights to quite a significant chunk.  You can, however, look at setting some of the attributes as confidential (see http://support.microsoft.com/kb/922836).

I hope that helps, but if I am way off mark can you please elaborate on exactly what you were intending to accomplish by removing the Authenticated Users group.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
goodwill1Author Commented:
Thanks a lot Unori and  lauchangkwang. Yes Im glad the replication was quick enough. and yhes you are right I need to be sure before I made a big change like that..  and yes what I need to do is prevent users from accesing AD via de admin tool in case anyone have it installed. I appreciated your quick response guys. have a greate day!!
0
goodwill1Author Commented:
great response time.. thanks
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Legacy OS

From novice to tech pro — start learning today.