[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

how to undo authenticated users denied access on AD

Posted on 2012-04-10
7
Medium Priority
?
564 Views
Last Modified: 2012-04-11
Hi guys,

I was trying to prevent access to AD to standard users and by mistake I gave authenticated ussers denied access to AD, now I cannot access AD with any of my domain or enterprise admins. what can I do to undo that action? Please I need help as soon as possible.. thanks in advance!!
0
Comment
Question by:goodwill1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 

Author Comment

by:goodwill1
ID: 37830221
Hi guys, I got it fixed.. my heart is pumping again!! i was scared already. what I did I disconnect the PDC from the network that was the server I did the change. when I go to my secondary server the changed was not sync yet so I added authenticated users and gave it full access to AD. then I restarted the PDC DC and login again and did a manual sync and all was back up again. I was able to go to AD and just give authenticated users read access. now my question is if I delete authenticated users from AD access. it will be ok or I will loose connetion to AD as a domain admin since domain admin are also autheticated users?
Thanks
0
 
LVL 2

Expert Comment

by:un0ri
ID: 37830392
Glad you got it working.  This is one of the type of instances that slow syncing can be a blessing :)

If this happens again and does get synced, you can attempt recovery using directory services restore mode.

With physical access to server, reboot, Press F8 just after POST and use the password you set when you installed AD. (If you cannot remember it you can reset it using an offline NT password reset disk.)

Open up AD users and computers, fix permissions, reboot.
0
 
LVL 13

Expert Comment

by:lauchangkwang
ID: 37830710
>> now my question is if I delete authenticated users from AD access. it will be ok or I will loose connetion to AD as a domain admin since domain admin are also autheticated users?

Normally the process is "Disable" the user / group first , then after a period of time, then only delete the account / group.

Possible to print screen and post the picture here for the authenticad users group ??
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
LVL 13

Assisted Solution

by:lauchangkwang
lauchangkwang earned 1000 total points
ID: 37830727
Just to let you know, before you delete / disable any acc. or group in AD, make sure it is correct then only do it, or else you might be in trouble, base on your question here, it seems like your admin acc. also get restricted from the denied access. Normally if you want to prevent access, it should from the user group (where got a list of users there), not from the authenticated users list.
0
 
LVL 2

Accepted Solution

by:
un0ri earned 1000 total points
ID: 37831618
Missed your second one.  

Authenticated Users is a special built in domain security group.  You should not be deleting or disabling this group.

When you say you are trying to prevent access to AD to standard users do you mean you want to prevent them from being able to use a management tool to read the directory?  If this is the case then have a read of this.

http://www.windowsecurity.com/articles/Active-Directory-information-exposed-users.html
(warning, it does ramble a bit :P)

For users to be able to properly authenticate against AD they do need read rights to quite a significant chunk.  You can, however, look at setting some of the attributes as confidential (see http://support.microsoft.com/kb/922836).

I hope that helps, but if I am way off mark can you please elaborate on exactly what you were intending to accomplish by removing the Authenticated Users group.
0
 

Author Comment

by:goodwill1
ID: 37832293
Thanks a lot Unori and  lauchangkwang. Yes Im glad the replication was quick enough. and yhes you are right I need to be sure before I made a big change like that..  and yes what I need to do is prevent users from accesing AD via de admin tool in case anyone have it installed. I appreciated your quick response guys. have a greate day!!
0
 

Author Closing Comment

by:goodwill1
ID: 37832306
great response time.. thanks
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question