Solved

AD - Restricted Group GPO Applied and lost domain admin rights. MAX POINTS Will be awarded

Posted on 2012-09-02
Last Modified: 2012-09-06
I have an SBS 2011 Server with 2008 R2 and a mixed environment of Windows 7 and XP.

I have a second Server 2008 R2 member server on which I have been trying to get the Microsoft Assessment and Planning Tool (MAP) working - this is what caused my problem!

I was trying to create a domain admin account that had local admin rights to all PCs on the domain, and I didn't want to use my domain admin account. So I created a security group and added a user account that has domain admin rights.

I then created a GPO and linked it to the SBS Computers OU. In the GPO I created a Restricted Group rule, added the security group, and then added "Administrators" to the Group Members (bottom half of the window) and saved the GPO.

I tested this new setting on an XP PC and quickly realized that the domain admin account that I remoted in with no longer had domain rights on that PC. Please see the attached screenshots.

I deleted the Restricted Group rule and ran gpupdate /force on the DC.

I went back to the same PC and found that I still do not have domain admin rights. I even updated the policy on that PC, but it didn't matter.

I waited 24 hours, and on further investigation I found I have 7 XP boxes that are in the same boat.

Please advise how I can fix the 7 Windows XP PCs.

Your assistance is greatly appreciated
rsop-error.JPG
rsop-error-2.JPG
Question by:SouthernGen
Author Comment

by:SouthernGen
ID: 38359674
I have added a third snapshot showing both Domain Admins and my new security group added by the Restricted Group GPO.

Even after I deleted the Restricted Group GPO, the group is still listed as a member of the local admin group.
Admin-group.JPG
 
LVL 78

Expert Comment

by:Rob Williams
ID: 38359840
The restricted group policy will remove existing admins, including domain admins, from the PCs. You need to re-enable your restricted group policy and add the domain admin account.

Restricted Groups is a powerful tool, but you have to be careful when applying it; it is possible to apply it to the domain and completely lock yourself out. Fortunately you only applied it to the computers OU.

When running gpupdate /force, you need to do so on the PC, not the server, or wait 90+ minutes.
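What the two halves of a Restricted Groups entry actually write into the policy, as an added illustration that is not part of the thread. A Restricted Groups setting is stored in the GPO's SYSVOL folder under MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf, in a [Group Membership] section. A line of the form `<group>__Members = ...` ("Members of this group", the top half of the dialog) is authoritative: at refresh the client makes the group's membership exactly that list and removes everyone else, which is the removal Rob describes. A line of the form `<group>__Memberof = ...` ("This group is a member of", the bottom half) is additive: it only adds the group to the listed groups and leaves other members alone. The domain SID prefix S-1-5-21-1111111111-2222222222-3333333333 and the RID 1105 for a group called MAPAdmins are placeholders; S-1-5-32-544 (built-in Administrators) and RID 512 (Domain Admins) are the real well-known values.

```ini
; Constructed example of a GptTmpl.inf carrying two Restricted Groups entries.
; Placeholders: the domain SID S-1-5-21-1111111111-2222222222-3333333333 and
; RID 1105 (a domain group named MAPAdmins). Everything else is standard.
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[Group Membership]
; Form 1 - "Members of this group" on built-in Administrators (S-1-5-32-544).
; AUTHORITATIVE: after refresh the local Administrators group contains exactly
; Domain Admins (-512) and MAPAdmins (-1105). Any other member, including the
; local Administrator account or extra domain groups, is removed.
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-1105

; Form 2 - "This group is a member of" on the domain group MAPAdmins.
; ADDITIVE: MAPAdmins is added to local Administrators on every computer the
; GPO applies to; existing members of Administrators are left in place.
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
```

If the goal is only to grant one extra group local admin rights, Form 2 is the one to use; Form 1 is the form that locks existing admins out unless they are listed. Either way, test on a single computer in a throw-away OU first, because the setting is re-applied at every policy refresh, not only once.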
 
LVL 23

Expert Comment

by:Ayman Bakr
ID: 38359860
How did you come to the conclusion that you don't have domain admin rights on the PCs? Just because you were denied access to RSOP? Try running gpupdate /force. Does it run successfully?

If yes, then after restarting the PC, log in with your domain admin account and do the following:

-> open CMD and run the following series of commands to re-register the userenv DLL
-> cd %systemroot%\system32
-> regsvr32 /n /I userenv.dll
-> cd wbem
-> mofcomp scersop.mof
-> mofcomp rsop.mof
-> mofcomp rsop.mfl

Restart the winmgmt service

Author Comment

by:SouthernGen
ID: 38359894
When I try to run gpupdate /force on the workstation, it does not refresh.  I have tried other commands like gpresult, etc and get access denied.  I have rebooted the PC and no change.

I have created a test user with domain admin rights and still cannot get the PC to update the policy.

Should I consider loading the default template?? Secpol???
 
LVL 25

Expert Comment

by:Nagendra Pratap Singh
ID: 38359905
gpupdate /force is to be used on desktops.
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 38359952
I would agree with Rob. The Restricted Groups GPO is targeted at the Computers OU, so during a server reboot the GPO (if it was changed) will be re-applied. Restricted Groups is part of the Computer Configuration node, not the User node. That means those policies are applied during the computer/server startup process, and then the user policies are started. To fix that, follow Rob's suggestion to repair your environment.

1) Open GPMC
2) Create new group policy (leave default "Authenticated Users" filter)
3) Set up new Restricted Groups (you may reuse the same group name)
4) Put all required users into that group
5) Restart server

check if it helped (should solve your issue)

Regards,
Krzysztof
 

Author Comment

by:SouthernGen
ID: 38359969
First off thanks to everyone for your input.  I have created a TEST OU and moved one PC to that OU.  

I have created a TEST GPO and created the same Restricted Groups GPO but this time added Domain Admins.  I have attached the screenshot.

Please advise if this is correct??


Thanks Again
TEST.JPG
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 38359976
Yes, this policy is correct. But do not change GPO filtering, leave its defaults (Authenticated Users) and you may reboot that machine from TEST OU to get it applied

Krzysztof
 

Author Comment

by:SouthernGen
ID: 38359990
Another idea is to disjoin the PC from the domain, reboot, then join it back to the domain using the connectcomputer process, hoping that it overwrites the existing policies??

I have rebooted the server and will check on the TEST PC shortly

Again thank you for your input and advice
 

Author Comment

by:SouthernGen
ID: 38359995
I am also considering trying to create a GPP?? Thoughts??
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 38359996
Yes, it is also a workaround, but it requires much more administrative effort :)
GPO with Restricted Groups is a really good option, but as Rob has written, you need to be careful ;)

Let's try to log in to the PC from the TEST OU using the domain administrator account, and please tell us what happened there

Krzysztof
 

Author Comment

by:SouthernGen
ID: 38360006
Waiting for the server to return online.  Ya I have gone down the school of hard knocks on this one.
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 1000 total points
ID: 38360011
If it's an option, yes. GPP is much more convenient to use than the old-fashioned Restricted Groups. You may follow this really good tutorial about securing the "local administrators" group over GPP
http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

However, if you wish to use it on Windows XP/2003 computers, you need to install the Client-Side Extensions (CSE) first to be able to apply GPP

for XP it can be downloaded from
http://www.microsoft.com/en-us/download/details.aspx?id=3628

for 2003 it can be obtained from
http://www.microsoft.com/en-us/download/details.aspx?id=6955

or push this update over WSUS

Krzysztof
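What the GPP alternative Krzysztof recommends looks like on disk, as an added illustration that is not from the thread or from the linked tutorial. A Local Users and Groups preference item is stored in the GPO's SYSVOL folder under Machine\Preferences\Groups\Groups.xml. The domain name CONTOSO and the group MAPAdmins are placeholders, and the uid and changed attributes that the GPMC editor fills in automatically are omitted.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example of Machine\Preferences\Groups\Groups.xml.
     Placeholders: CONTOSO, MAPAdmins. The uid/changed attributes written by
     the editor are left out. -->
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <!-- Additive item: Update (action="U") the built-in Administrators group,
       addressed by SID so a renamed group is still found, and ADD two
       members. With deleteAllUsers/deleteAllGroups both "0", members that are
       already present (Domain Admins, the local Administrator account, ...)
       are kept, which is the behaviour the Restricted Groups "Members" list
       does not give you. -->
  <Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Administrators (built-in)">
    <Properties action="U" newName="" description=""
                deleteAllUsers="0" deleteAllGroups="0" removeAccounts="0"
                groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members>
        <Member name="CONTOSO\Domain Admins" action="ADD" sid=""/>
        <Member name="CONTOSO\MAPAdmins" action="ADD" sid=""/>
      </Members>
    </Properties>
  </Group>
</Groups>
```

The two check boxes "Delete all member users" and "Delete all member groups" in the editor correspond to deleteAllUsers="1" and deleteAllGroups="1"; setting them turns the item into the same authoritative replace-everything behaviour as a Restricted Groups "Members" list, so leave them off unless every account that must stay an admin is listed as a Member. As the post says, XP and 2003 clients only process this file once the GPP client-side extensions are installed.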
 

Author Comment

by:SouthernGen
ID: 38360016
Well, the results are in, and sadly enough I am still not able to run domain admin commands like rsop or gpupdate /force etc.

Not sure what to try next??
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 38360020
Please run on that PC in command line

gpresult /z >"c:\users\YourProfile\Desktop\gpresult.log"

and attach this file here for analysis, please

Krzysztof
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 38360022
Please also ensure that the previous GPO is not enforced. I would also disable the GPO link for the old policy at this moment, to be sure that it is not applied.

Krzysztof
 

Author Comment

by:SouthernGen
ID: 38360026
I will try this, but I have been getting access denied when trying to run gpresult
 

Author Comment

by:SouthernGen
ID: 38360035
I got a return of :

Error: Login Failure: Unknown username or bad password
 

Author Comment

by:SouthernGen
ID: 38360041
Well Im calling it a night.  I will try later this morning and keep everyone posted.

Again I really appreciate everyone's assistance

Jon
 
LVL 23

Expert Comment

by:Ayman Bakr
ID: 38360075
@SouthernGen,

just follow the steps I have posted earlier and you will find your rsop issue, voila, evaporated.

You will lose nothing by the way if you follow them (on every desktop you have the issue).
 

Author Comment

by:SouthernGen
ID: 38361003
@Mutawadi

I tried your suggestion and received an error. I have attached the error.
Dll-INstall-in-userenv-failed.JPG
 
LVL 3

Expert Comment

by:violageek
ID: 38361280
What I would do is create that restricted group Administrators again and add Domain Admins, the local Administrator, and any other user you have created on the machine locally to be used as an administrator (in the case of Windows 7) as members of that restricted group. Apply the policy to your workstations OU again. It will take the machine about 2 restarts to apply the policy, or you can just do a simple gpupdate without any switches to grab the policy. Remember that group memberships are recognized when the user logs off and logs back in.

Hope this helps.
 
LVL 23

Assisted Solution

by:Ayman Bakr
Ayman Bakr earned 1000 total points
ID: 38361645
 

Author Comment

by:SouthernGen
ID: 38374120
I want to thank everyone for their input. Turns out that removing the PC from the domain corrected the problem. I have awarded points based on input, and their solutions did assist with resolving this issue.
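A check a practitioner would want before and after a fix like the one above, added here as an example and not code from anyone in the thread: from the 2008 R2 server, read the real membership of the local Administrators group on each affected PC, and query the PC's secure channel with the domain, since "Logon failure: unknown user name or bad password" from a valid domain admin account is the usual sign of a broken machine account secure channel, which is what removing and re-joining the computer resets. Assumptions: the computer names are placeholders, the account running the script is still a local admin on the targets, and RPC/SMB to each target is allowed by its firewall.

```powershell
# Added example, not from the thread. Run on the 2008 R2 server (PowerShell 2.0+,
# nltest is built into the OS) as an account that is still a local admin on the
# targets. Placeholders: the computer names in $computers.

$computers = 'XP-PC01', 'XP-PC02'     # placeholder names of the affected PCs
$domain    = $env:USERDOMAIN

foreach ($pc in $computers) {
    Write-Host "=== $pc ==="

    # 1) Current membership of the local Administrators group, read through the
    #    WinNT ADSI provider. This works against XP and Windows 7 targets and
    #    needs no PowerShell on the target.
    try {
        $group   = [ADSI]"WinNT://$pc/Administrators,group"
        $members = @($group.psbase.Invoke('Members') | ForEach-Object {
            # Each member is a COM object; pull its ADsPath,
            # e.g. WinNT://CONTOSO/Domain Admins or WinNT://XP-PC01/Administrator
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        })
        foreach ($m in $members) { Write-Host "  member: $m" }

        # The state Rob warns about: an authoritative Restricted Groups entry
        # has removed Domain Admins from the local Administrators group.
        if (-not ($members -match '/Domain Admins$')) {
            Write-Warning "$pc - Domain Admins is NOT a member of local Administrators"
        }
    }
    catch {
        Write-Warning "$pc - could not read local Administrators: $($_.Exception.Message)"
    }

    # 2) Health of the computer's secure channel with the domain. A failure here
    #    means the machine account, not the group membership, is the problem;
    #    re-joining the computer to the domain resets it.
    $sc = & nltest /server:$pc /sc_query:$domain 2>&1
    if ($LASTEXITCODE -eq 0 -and ($sc -match 'NERR_Success')) {
        Write-Host "  secure channel: OK"
    }
    else {
        Write-Warning "$pc - secure channel check failed:`n$($sc -join "`n")"
    }
}
```

Run it once against the TEST OU machine before re-linking any Restricted Groups or GPP policy, and again after a reboot, so you can see from the membership list whether the policy did what you expected instead of inferring it from an "access denied".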
