Solved

Group Policy change and missing OU's

Posted on 2013-06-07
Last Modified: 2013-06-11
So I wanted to exclude a user from group policy, and thought the way to do so was to create a Global Security group and add the user and myself (for testing). Then in gp.msc I added the group under the Delegation tab and, under Advanced, ticked the Deny Read attribute.

A short time later, looking in ADUC, I see the 3 OU's containing my users are gone. Searching for an OU yields nothing; searching for the user finds the user object, but clicking the "Account" tab gives the message "no such object on the server", and then normal information appears. Even the path under the Object tab is correct.

Now I am really upset; I called MS and hours later the solution is to restore from a system state backup. Which I have, but I didn't set up the domain, and I'm not sure I even have a directory restore password, though I think I might. Is there a way to test whether that password will work before I proceed with a restore solution?

Why did my OU's go away? One of them displays in ADUC but has no data in it, and the Type is listed as unknown.

Any other options than a restore? I am thinking we can create the 3 OU's and move the user objects back into them?

It's not a huge forest or anything; one domain running on 2008 Standard with approximately 100 users. File and print are working, along with our Exchange 2007, for the time being anyway. Obviously this is not a good situation. What other information should be provided?
Question by:tcinfo

14 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39230018
Can you try logging in using a different account, and try logging into a different DC/ADUC? Just want to try and isolate the issue.

Where did you add the user? Were you doing that on individual GPOs, or do you think you might have denied read on the OU (almost what it sounds like)? That is why I'd like to test using a different account.

Thanks

Mike
 

Author Comment

by:tcinfo
ID: 39230094
Thanks for the quick response. I have one other DC in the domain (it's virtual, btw) at a different physical location. There's only one domain, but yes, I can log in as a different user.
 
As a test I created a new OU and moved myself and the initial user into it. I logged in from a different, new workstation (which I just happened to have joined to the domain today) and my roaming profile loaded okay. Drive mappings etc. are okay.

Now, on one workstation, I remote desktop to our DC and log in as myself; it has been sitting at "please wait for user profile service" for about 10 minutes now.
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39230184
When you logged in as the different admin user, are all the objects still missing?
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39230187
What if you look at AD using ADAC, ADSI Edit or LDP... are the objects still missing?

Thanks

Mike
 

Author Comment

by:tcinfo
ID: 39230242
Yes to both questions: I logged on to the DC as myself (instead of the administrator account) and see the same issues in AD anyway. The properties on the OU that is (somewhat) displayed read:

The Active Directory Domain Services object could not be displayed.

Unable to view attribute or value. You may not have permissions to view the object.

Which is the same as with the administrator account.
 

Author Comment

by:tcinfo
ID: 39230264
They are not displayed in ADSI Edit or LDP either; in fact, even the Security Group I created was missing, but the MS tech recovered that one using ADSI Edit (or LDP), not sure which now.
Thank YOU.
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39230280
He should be able to do that with the OUs too... are you all trying that first? I'm guessing he is modifying the ACLs.

Thanks

Mike
 

Author Comment

by:tcinfo
ID: 39230299
He couldn't see the OU's in those utilities; they are just gone, apparently. Hence his restore solution.

I am thinking the best route is just recreating the OU's and moving the user objects into them. When I did mine it seemed okay: I could navigate all the tabs in ADUC and user login was okay.

BTW: if I must restore, it would be from a Backup Exec 10 system state backup, and I sure don't want to jump into that and possibly make things worse. Thanks.
 
LVL 57

Accepted Solution

by:Mike Kline (earned 500 total points)
ID: 39230314
If moving them works, that should be fine; you would need to link the GPOs to the OUs (if you had them linked at these OUs).

Thanks

Mike
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 39230946
You found out the hard way that a 'DENY' overrides everything. You should always have 2 administrative accounts. And never use yourself as a test object: create a test user and then use them instead.

Since you can log in as a different administrator, can you remove your other account from that OU, or disable that group policy, and try again?
 
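The point above, that an explicit Deny ACE on the OU rather than on the GPO makes the OU (and everything under it) invisible to the denied principal, can be checked from a second administrative account. The following PowerShell is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module with its `AD:` drive, and a placeholder domain and group name (`CONTOSO\GPO-Exclude`) standing in for the security group created in the question.

```powershell
# Added example: audit every OU for Deny ACEs granted to a given principal, then
# strip the explicit (non-inherited) ones. Run from an account that is NOT a member
# of the denied group; a denied account cannot even enumerate the affected OUs.
Import-Module ActiveDirectory

# Placeholder: the group that was given "Deny Read" in the question.
$principal = 'CONTOSO\GPO-Exclude'

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny' -and
            $ace.IdentityReference.Value -eq $principal) {
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Rights    = $ace.ActiveDirectoryRights   # e.g. GenericRead, ListChildren
                Inherited = $ace.IsInherited             # inherited entries must be fixed at their source
            }
        }
    }
}

# Report first; a Deny on a parent OU is inherited by every child object.
$findings | Format-Table -AutoSize

# Remediation: remove only the explicit Deny entries for that principal.
foreach ($f in ($findings | Where-Object { -not $_.Inherited })) {
    $path = "AD:\" + $f.OU
    $acl  = Get-Acl -Path $path
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and
                       $_.IdentityReference.Value -eq $principal } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    Set-Acl -Path $path -AclObject $acl
    Write-Host "Removed explicit Deny ACEs for $principal on $($f.OU)"
}
```

Excluding a user from a GPO is done on the GPO's own ACL (Deny "Apply Group Policy" under security filtering), which never touches the OU's permissions, so an audit like this should come back empty on a healthy domain.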

Author Comment

by:tcinfo
ID: 39233169
I could remove myself, sure, but the OU is gone; I still don't understand why it went away.
I denied myself read rights to the GPO; how does that remove an OU in ADUC?
 

Author Comment

by:tcinfo
ID: 39233172
Inheritance caused it to be removed?
 

Author Closing Comment

by:tcinfo
ID: 39239236
Still up and running. Recreated the missing OU's and moved users back to them; still have one of the original OU's listed as unknown in ADUC.

Waiting for MS to contact me for follow up.