Solved

how to undo authenticated users denied access on AD

Posted on 2012-04-10
7
555 Views
Last Modified: 2012-04-11
Hi guys,

I was trying to prevent access to AD to standard users and by mistake I gave authenticated ussers denied access to AD, now I cannot access AD with any of my domain or enterprise admins. what can I do to undo that action? Please I need help as soon as possible.. thanks in advance!!
0
Comment
Question by:goodwill1
  • 3
  • 2
  • 2
7 Comments
 

Author Comment

by:goodwill1
ID: 37830221
Hi guys, I got it fixed.. my heart is pumping again!! i was scared already. what I did I disconnect the PDC from the network that was the server I did the change. when I go to my secondary server the changed was not sync yet so I added authenticated users and gave it full access to AD. then I restarted the PDC DC and login again and did a manual sync and all was back up again. I was able to go to AD and just give authenticated users read access. now my question is if I delete authenticated users from AD access. it will be ok or I will loose connetion to AD as a domain admin since domain admin are also autheticated users?
Thanks
0
 
LVL 2

Expert Comment

by:un0ri
ID: 37830392
Glad you got it working.  This is one of the type of instances that slow syncing can be a blessing :)

If this happens again and does get synced, you can attempt recovery using directory services restore mode.

With physical access to server, reboot, Press F8 just after POST and use the password you set when you installed AD. (If you cannot remember it you can reset it using an offline NT password reset disk.)

Open up AD users and computers, fix permissions, reboot.
0
 
LVL 13

Expert Comment

by:lauchangkwang
ID: 37830710
>> now my question is if I delete authenticated users from AD access. it will be ok or I will loose connetion to AD as a domain admin since domain admin are also autheticated users?

Normally the process is "Disable" the user / group first , then after a period of time, then only delete the account / group.

Possible to print screen and post the picture here for the authenticad users group ??
0
 
LVL 13

Assisted Solution

by:lauchangkwang
lauchangkwang earned 250 total points
ID: 37830727
Just to let you know, before you delete / disable any acc. or group in AD, make sure it is correct then only do it, or else you might be in trouble, base on your question here, it seems like your admin acc. also get restricted from the denied access. Normally if you want to prevent access, it should from the user group (where got a list of users there), not from the authenticated users list.
0
 
LVL 2

Accepted Solution

by:
un0ri earned 250 total points
ID: 37831618
Missed your second one.  

Authenticated Users is a special built in domain security group.  You should not be deleting or disabling this group.

When you say you are trying to prevent access to AD to standard users do you mean you want to prevent them from being able to use a management tool to read the directory?  If this is the case then have a read of this.

http://www.windowsecurity.com/articles/Active-Directory-information-exposed-users.html
(warning, it does ramble a bit :P)

For users to be able to properly authenticate against AD they do need read rights to quite a significant chunk.  You can, however, look at setting some of the attributes as confidential (see http://support.microsoft.com/kb/922836).

I hope that helps, but if I am way off mark can you please elaborate on exactly what you were intending to accomplish by removing the Authenticated Users group.
0
 

Author Comment

by:goodwill1
ID: 37832293
Thanks a lot Unori and  lauchangkwang. Yes Im glad the replication was quick enough. and yhes you are right I need to be sure before I made a big change like that..  and yes what I need to do is prevent users from accesing AD via de admin tool in case anyone have it installed. I appreciated your quick response guys. have a greate day!!
0
 

Author Closing Comment

by:goodwill1
ID: 37832306
great response time.. thanks
0

Join & Write a Comment

INTRODUCTION The purpose of this document is to demonstrate the Installation and configuration of the Data Protection Manager product. Note that this demonstration was prepared on the basis of Windows OS is 2008 R2 and DPM 2010. DATA PROTECTI…
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now