  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 366

Group Policy change and missing OU's

So I wanted to exclude a user from group policy, and thought the way to do so was to create a Global Security group and add the user and myself (for testing). Then in gp.msc I added the group under the Delegation tab and, under Advanced, ticked the Deny Read attribute.

A short time later, looking in ADUC, I see the 3 OU's containing my users are gone. Searching for an OU yields nothing; searching for the user finds the user object, but clicking the "Account" tab gives the message "no such object on the server", then normal information appears, and even the path under the Object tab is correct.

Now I am really upset; called MS and hours later the solution is to restore from a system state backup. Which I have, but I didn't set up the domain, and I'm not sure I even have a directory restore password, though I think I might. Is there a way to test if that password will work before I proceed with a restore solution?

Why did my OU's go away? One of them displays in ADUC but has no data in it, and the Type is listed as unknown.

Any other options than a restore? I am thinking we can create the 3 OU's and move the user objects back into them?

It's not a huge forest or anything; one domain running on 2008 Standard with approximately 100 users. File and print are working, along with our Exchange 2007, for the time being anyway - obviously this is not a good situation. What other information should be provided?
Asked:
tcinfo
1 Solution
 
Mike KlineCommented:
Can you try logging in using a different account, and try logging into a different DC/ADUC? Just want to try and isolate the issue.

Where did you add the user? Were you doing that on individual GPOs, or do you think you might have denied read to the OU (almost what it sounds like)? That is why I'd like to test using a different account.

Thanks

Mike
 
tcinfoAuthor Commented:
Thanks for the quick response. I have one other DC in the domain (it's virtual, btw) at a different physical location. There's only one domain, but yes, I can login as a different user.
 
As a test I created a new OU and moved myself and the initial user into it, I logged in from a different and new workstation (which I just happened to have joined to the domain today) and my roaming profile loaded okay. Drive mappings etc are okay.

Now on one workstation I remote desktop to our DC and login as myself; it's been sitting at "please wait for user profile service" for about 10 minutes now.
 
Mike KlineCommented:
When you logged in as the different admin user, are all the objects still missing?
 
Mike KlineCommented:
What if you look at AD using ADAC, ADSI edit or LDP...are the objects still missing?

Thanks

Mike
 
tcinfoAuthor Commented:
Yes to both questions; logged on to the DC as myself (instead of the administrator account) and same issues in AD anyway. The properties on the OU that is (somewhat) displayed read:

The Active Directory Domain Services object could not be displayed.

Unable to view attribute or value. You may not have permissions to view the object.

Which is the same as with the administrator account.
 
tcinfoAuthor Commented:
They are not displayed in ADSI Edit or LDP either; in fact even the Security Group I created was missing, but the MS tech recovered that one using ADSI Edit (or LDP), not sure now.
Thank YOU.
 
Mike KlineCommented:
He should be able to do that with the OUs too...are you all trying that first? I'm guessing he is modifying the ACLs.


Thanks

Mike
 
tcinfoAuthor Commented:
He couldn't see the OU's in those utilities - they are just gone, apparently. Hence his restore solution.

I am thinking the best route is just recreating the OU's and moving the user objects into them. When I did mine it seemed okay; I could navigate all the tabs in ADUC and user login was okay.

btw: if I must restore, it would be from Backup Exec 10 system state, and I sure don't want to jump into that and possibly make things worse. Thanks.
 
Mike KlineCommented:
If moving them works, that should be fine; you would need to link the GPOs to the OUs (if you had them linked at those OUs).

Thanks

Mike
 
David Johnson, CD, MVPOwnerCommented:
You found out the hard way that a 'DENY' overrides everything. You should always have 2 administrative accounts, and never use yourself as a test object: create a test user and then use them instead.

Since you can login as a different administrator, can you remove your other account from that OU, or disable that group policy, and try again?
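The Deny ACE that the answer above describes can be audited and, if wanted, removed with the ActiveDirectory module. This is an added example, not something posted in the thread; it assumes it is run as a second admin account that still has Read on the OUs (the thread shows the denied account cannot even see them), that RSAT is installed, and that the constructed group name GPO-Exclude-Test stands in for the real Global Security group.

```powershell
# Added example: list every explicit (non-inherited) Deny entry on every OU in the
# domain, and with -Fix remove those granted to the named group. Run as a different
# admin account: a principal denied Read cannot enumerate the OU at all.
param(
    [string]$DenyGroup = 'GPO-Exclude-Test',   # constructed placeholder group name
    [switch]$Fix
)
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$report   = @()

foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $domainDn) {
    $path = "AD:\$($ou.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # Explicit Deny entries are the ones an admin added by hand; inherited ones
    # come from a parent container and must be fixed there instead.
    $denies = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited
    }

    foreach ($ace in $denies) {
        $report += [pscustomobject]@{
            OU          = $ou.DistinguishedName
            Identity    = $ace.IdentityReference.Value
            Rights      = $ace.ActiveDirectoryRights
            # 'All' means every child object (the user accounts) is hidden too
            Inheritance = $ace.InheritanceType
        }

        if ($Fix -and $ace.IdentityReference.Value -like "*\$DenyGroup") {
            [void]$acl.RemoveAccessRule($ace)
            Set-Acl -Path $path -AclObject $acl
            Write-Host "Removed Deny for $DenyGroup on $($ou.DistinguishedName)"
        }
    }
}

# Without -Fix this only reports; review the table before removing anything.
$report | Sort-Object OU | Format-Table -AutoSize
```

Members of a group with Deny Read on an OU cannot read its objectClass, which is why ADUC shows the OU with Type "unknown" and no contents rather than an access-denied error.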
 
tcinfoAuthor Commented:
I could remove myself, sure, but the OU is gone; I still don't understand why it went away.
I denied myself the read right to GP; how does that remove an OU in ADUC?
 
tcinfoAuthor Commented:
Inheritance caused it to be removed?
 
tcinfoAuthor Commented:
Still up and running; recreated the missing OU's and moved users back to them. Still have one of the original OU's listed as unknown in ADUC.

Waiting for MS to contact me for follow up.