Group Policy change and missing OUs
Posted on 2013-06-07
So I wanted to exclude a user from group policy, and thought the way to do so was to create a Global Security group, added the user and myself (for testing). Then in gp.msc added the group under the delegation tab and under Advanced ticked the deny read attribute.
A short time later, looking in ADUC, I see the 3 OUs containing my users are gone. Searching for an OU yields nothing; searching for the user finds the user object; clicking the "account" tab, the message is "no such object on the server", but then normal information appears; even the path under the object tab is correct.
Now I am really upset; called MS and hours later the solution is restore from system state backup. Which I have, but I didn't set up the domain and am not sure I even have a directory restore password, though I think I might. Is there a way to test if that password will work before I proceed with a restore solution?
Why did my OUs go away? One of them displays in ADUC but has no data in it and the Type is listed as unknown.
Any other options than a restore? I am thinking we can create the 3 OUs and move the user objects back into them?
It's not a huge forest or anything; one domain running on 2008 Standard with approximately 100 users. File and print is working along with our Exchange 2007 for the time being anyway - obviously this is not a good situation. What other information should be provided?