Solved

Group Policy change and missing OU's

Posted on 2013-06-07
Last Modified: 2013-06-11
So I wanted to exclude a user from group policy, and thought the way to do so was to create a Global Security group and add the user and myself (for testing). Then in gp.msc I added the group under the Delegation tab and under Advanced ticked the Deny Read attribute.

A short time later, looking in ADUC, I see the 3 OUs containing my users are gone. Searching for an OU yields nothing; searching for the user finds the user object, and clicking the "Account" tab gives the message "no such object on the server", but then normal information appears, and even the path under the Object tab is correct.

Now I am really upset; called MS and hours later the solution is to restore from a system state backup. Which I have, but I didn't set up the domain and I'm not sure I even have a directory restore password, though I think I might. Is there a way to test if that password will work before I proceed with a restore solution?

Why did my OUs go away? One of them displays in ADUC but has no data in it and the Type is listed as unknown.

Any other options than a restore? I am thinking we can create the 3 OUs and move the user objects back into them?

It's not a huge forest or anything; one domain running on 2008 Standard with approximately 100 users. File and print are working, along with our Exchange 2007, for the time being anyway. Obviously this is not a good situation. What other information should be provided?
Question by:tcinfo
14 Comments
LVL 57

Expert Comment

by:Mike Kline
ID: 39230018
Can you try logging in using a different account, and also try logging into a different DC/ADUC? Just want to try and isolate the issue.

Where did you add the user? Were you doing that on individual GPOs, or do you think you might have denied read to the OU (almost what it sounds like)? That is why I'd like to test using a different account.

Thanks

Mike

Author Comment

by:tcinfo
ID: 39230094
Thanks for the quick response. I have one other DC in the domain (it's virtual, btw) at a different physical location. There's only one domain, but yes, I can log in as a different user.

As a test I created a new OU and moved myself and the initial user into it. I logged in from a different, new workstation (which I just happened to have joined to the domain today) and my roaming profile loaded okay. Drive mappings etc. are okay.

Now from one workstation I remote desktop to our DC and log in as myself; it's been sitting at "please wait for user profile service" for about 10 minutes now.
LVL 57

Expert Comment

by:Mike Kline
ID: 39230184
When you logged in as the different admin user, are all the objects still missing?
LVL 57

Expert Comment

by:Mike Kline
ID: 39230187
What if you look at AD using ADAC, ADSI Edit or LDP... are the objects still missing?

Thanks

Mike

Author Comment

by:tcinfo
ID: 39230242
Yes to both questions: logged on to the DC as myself (instead of the administrator account) and the same issues in AD anyway. The properties on the OU that is (somewhat) displayed read:

The Active Directory Domain Services object could not be displayed.

Unable to view attribute or value. You may not have permissions to view the object.

Which is the same as with the administrator account.

Author Comment

by:tcinfo
ID: 39230264
They are not displayed in ADSI Edit or LDP either; in fact, even the Security Group I created was missing, but the MS tech recovered that one using ADSI Edit (or LDP), not sure now.
Thank YOU.
LVL 57

Expert Comment

by:Mike Kline
ID: 39230280
He should be able to do that with the OUs too... are you all trying that first? I'm guessing he is modifying the ACLs.

Thanks

Mike

Author Comment

by:tcinfo
ID: 39230299
He couldn't see the OUs in those utilities; they are just gone, apparently. Hence his restore solution.

I am thinking the best route is just recreating the OUs and moving the user objects into them. When I did mine it seemed okay; I could navigate all the tabs in ADUC and user login was okay.

btw: if I must restore, it would be from Backup Exec 10 system state, and I sure don't want to jump into that and possibly make things worse. Thanks.
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 39230314
If moving them works, that should be fine; you would need to link the GPOs to the OUs (if you had them linked at these OUs).

Thanks

Mike
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 39230946
You found out the hard way that a 'DENY' overrides everything. You should always have 2 administrative accounts. And never use yourself as a test object; create a test user and then use them instead.

Since you can log in as a different administrator, can you remove your other account from that OU, or disable that group policy, and try again?
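The comment above makes the defender's point: an explicit Deny ACE wins over every Allow, and a Deny Read that reaches an OU hides that OU from the denied principal. The script below is an added diagnostic (not from this thread or from any Microsoft tool) that enumerates OUs and GPO containers and reports explicit Deny ACEs stripping read/list rights, so a misapplied deny is found before an admin loses sight of an OU. It assumes the RSAT ActiveDirectory module and that it is run from a second admin account that is not a member of the group under test, because objects already hidden from the running account will not be enumerated at all.

```powershell
# Added diagnostic example (not from the thread): list explicit Deny ACEs that remove
# read/list rights from OUs and GPO containers.
# Assumptions: RSAT ActiveDirectory module is installed; run as an admin account that
# is NOT a member of the group being checked (a denied account cannot see the objects).
Import-Module ActiveDirectory

# Rights that, when denied, hide an object or its children from the denied principal.
$readLike = 'GenericAll|GenericRead|ReadProperty|ListChildren|ListObject|ReadControl'

function Get-DenyReadAces {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # The AD: PSDrive is created when the ActiveDirectory module loads.
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny' -and
            ($ace.ActiveDirectoryRights.ToString() -match $readLike)) {
            [pscustomobject]@{
                Object    = $DistinguishedName
                Trustee   = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited      # $false = set directly on this object
                AppliesTo = $ace.InheritanceType  # None = this object only; All = subtree
            }
        }
    }
}

# OUs: the objects the asker saw vanish from ADUC.
$targets = @(Get-ADOrganizationalUnit -Filter * |
             Select-Object -ExpandProperty DistinguishedName)
# GPO containers under CN=Policies,CN=System: where GPMC's Delegation tab writes ACEs.
$targets += @(Get-ADObject -Filter 'objectClass -eq "groupPolicyContainer"' |
              Select-Object -ExpandProperty DistinguishedName)

$findings = foreach ($dn in $targets) { Get-DenyReadAces -DistinguishedName $dn }

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No explicit Deny ACEs affecting read/list rights were found on OUs or GPOs."
}
```

A Deny row whose Trustee is a group you belong to and whose AppliesTo is All is the case this thread describes; remove it from the second admin account before testing the login again.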

Author Comment

by:tcinfo
ID: 39233169
I could remove myself, sure, but the OU is gone. I still don't understand why it went away.
I denied myself read rights to GP; how does that remove an OU in ADUC?

Author Comment

by:tcinfo
ID: 39233172
Inheritance caused it to be removed?

Author Closing Comment

by:tcinfo
ID: 39239236
Still up and running; recreated the missing OUs and moved users back to them. Still have one of the original OUs listed as unknown in ADUC.

Waiting for MS to contact me for follow up.