Solved

AD restricted groups issue

Posted on 2013-12-15
Last Modified: 2013-12-20
Very strange issue.  We use restricted groups to apply several domain users and groups as local administrators to domain laptops.  This has been working fine since day 1, and is still working fine for all machines except my laptop.

Following some windows updates on my Win7 laptop the other day, I logged in and now have no permissions to my own C:\ .  Strangely though, if I log out then log in as the domain administrator then the restrict groups settings are applied fine.

I've messed about trying with GPUPDATE /FORCE and GPRESULT and the GPO (default domain policy) is being applied under my user account. The default domain policy is our only GPO. But even though it says the user and computer policies are being applied, I'm still stuck with no access to C:\ (no permissions).

I tried a system restore to a few weeks ago when things were working fine, but this had no effect.  

Tbh I'm stuck now. I don't understand why this seems limited to my user account only.  Out of interest I've just tried logging into a Win8 machine with my user account, when I do I get the correct permissions (local admin).

Any help would be much appreciated.

Cheers, Andy
0
Question by:andrewprouse
13 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39720232
If this is strictly affecting your own account and you have logged into other machines and it works fine, have you tried creating a new Windows Profile on the laptop that you normally use?

Do the event logs show anything related to this?

Will.
0
 
LVL 10

Expert Comment

by:George Khairallah
ID: 39720235
Hey Andy,

This sounds to me like something happened unrelated to restricted groups to your particular machine and user account.
When you say you don't have access to your C: drive, what does that mean?

What are the NTFS permissions on the root of your C:\ drive as it is now?

Also, I'm a bit confused as in the second paragraph you said that the restricted groups apply fine when logged in with the domain admin, and in the 3rd paragraph you state that the computer and user policies are applied when you login with your user account (are you referring to GPOs minus the restricted groups?)

Is it possible for you to try to login with a different account other than yours that would have some sort of restricted groups applied? when you do, do a gpresult /R , and a rsop.msc to see what is applied. Does it work then?

Since you said that your account works fine on Windows 8, I think the focus should be shifted to looking at the perms on your particular machine. I'm not convinced that the restricted groups are what's broken.
0
 

Author Comment

by:andrewprouse
ID: 39720369
Hi guys, just to answer your questions and clarify a few things.

1) it's a little difficult to access the eventvwr as I don't have permission to. But if I log in as me, then log in as domain admin to view the eventvwr it shows x2 errors when I logged in (this is following a cold boot):
  -  NETLOGON 5719 - there are currently no logon servers available to service the login request
  -  GROUP POLICY 1055 - processing of group policy failed. Possibly due to name resolution on the current domain controller

However, if I repeat the log on log off process, there are now no errors in the event log (other than 'cannot access C:\ errors' when I log on).

2) I haven't tried re-creating the windows profile, was hoping to avoid that.

3) no access to c:\ - I mean literally that. If I open COMPUTER and try to double click C drive it says 'you do not have permission to access this resource'.

4) running gpresult /r as both myself and domain admin are very similar results apart from my account only seems to apply USER SETTINGS whereas the domain admin applies both USER and COMPUTER SETTINGS.

Strange though, if I run GPUPDATE when logged in as me, it says that it has applied both policies (user and computer) successfully (but I still can't get to C:\).

5) I can't access RSOP.MSC when logged in as me (no access to C:\)
0
 
LVL 10

Expert Comment

by:George Khairallah
ID: 39720543
Can you show the results of:
cacls c:\
and
net localgroup administrators  

Still not convinced it's an issue with group policy, but something that happened to your machine.
0
 

Author Comment

by:andrewprouse
ID: 39720991
As Domain Admin:



cacls c:\

c:\ CREATOR OWNER:(OI)(CI)(IO)F
    NT AUTHORITY\SYSTEM:(OI)(CI)F
    BUILTIN\Administrators:(OI)(CI)F
    xxx\Domain Users:(OI)(CI)F



net localgroup administrators

Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
xxx\Administrator
xxx\andy rouse
xxx\Domain Admins
xxx\xxxUsers
NT AUTHORITY\Authenticated Users
The command completed successfully.




As me:

cacls c:\
c:\
Access is denied.




net localgroup administrators

Alias name     administrators
Comment        Administrators have complete and unrestricted access to the compu
ter/domain

Members

-------------------------------------------------------------------------------
Administrator
xxx\Administrator
xxx\Andy Rouse
xxx\Domain Admins
xxx\xxxUsers
NT AUTHORITY\Authenticated Users
The command completed successfully.
0
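The following added example (not posted by anyone in the thread) parses the two command outputs above and lists the broad principals that hold local Administrators membership or Full control on C:\. The `BROAD` list and all function names are assumptions of this example; the sample text is the output from the post above with header lines trimmed.

```python
import re

# Principals that cover (nearly) every account. This list is the example's assumption.
BROAD = {"authenticated users", "everyone", "domain users", "users", "interactive"}
# Output as posted in the thread (domain already masked as "xxx"), header lines trimmed.
NET_OUTPUT = r"""Members
-------------------------------------------------------------------------------
Administrator
xxx\Administrator
xxx\andy rouse
xxx\Domain Admins
xxx\xxxUsers
NT AUTHORITY\Authenticated Users
The command completed successfully.
"""
CACLS_OUTPUT = r"""c:\ CREATOR OWNER:(OI)(CI)(IO)F
    NT AUTHORITY\SYSTEM:(OI)(CI)F
    BUILTIN\Administrators:(OI)(CI)F
    xxx\Domain Users:(OI)(CI)F
"""
ACE = re.compile(r"^(?:[A-Za-z]:\\\S*\s+)?(.+?):((?:\([A-Z]+\))*)([FRWCN])$")

def leaf(principal):
    return principal.rsplit("\\", 1)[-1].strip().lower()  # drop DOMAIN\ prefix

def parse_localgroup(text):
    """Member names listed between the dashed rule and the completion line."""
    members, in_list = [], False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("The command completed"):
            break
        if in_list and line:
            members.append(line)
        elif line and set(line) == {"-"}:
            in_list = True
    return members

def parse_cacls(text):
    """(principal, inheritance flags, right) for each ACE line of cacls output."""
    hits = (ACE.match(l.strip()) for l in text.splitlines())
    return [(m[1], re.findall(r"\((\w+)\)", m[2]), m[3]) for m in hits if m]

def broad_admins(members):
    return [m for m in members if leaf(m) in BROAD]

def broad_full_control(aces):
    # An inherit-only (IO) ACE does not apply to the folder itself, so skip it.
    return [p for p, flags, r in aces if r == "F" and "IO" not in flags and leaf(p) in BROAD]

print(broad_admins(parse_localgroup(NET_OUTPUT)), broad_full_control(parse_cacls(CACLS_OUTPUT)))
```
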
 
LVL 10

Expert Comment

by:George Khairallah
ID: 39721744
I'm assuming the xxx\Andy Rouse is your domain account.

Ok ... well, I'm afraid the next steps are going to have to involve the creation of a new account to test with. I'm convinced that it is something with your own account on that machine.

Can you try to add another domain user as local admin on the machine, and login with that user? This way, it will create a brand new profile. From that profile, are you able to access files on C:\Users\Andy Rouse?  

If that works, try, from a working admin account, renaming the C:\Users\Andy Rouse\ to C:\Andy Rouse.Original and login again with xxx\Andy Rouse.  This should force it to create the profile again. If that works, then it's a simple matter of copying your data from the old profile to the new one.

I'll admit, that's an interesting problem though. I wonder what caused it to happen.
You don't happen to have any malware that's attacking your profile... have you done the usual scans? and a check disk with fix errors?
0
 

Author Comment

by:andrewprouse
ID: 39721800
I agree that it seems to be something with my user account and this laptop, I've now ruled out server issues (for the moment).  I've done all usual AV and MalWare scans and nothing out of the ordinary has turned up.

There are some strange things happening with my laptop though.  I left it turned on last night running an in-depth AV scan, this morning it was still turned on but wouldn't respond to mouse or keyboard.  Also, this morning I've been able to write to and from the inbuilt SD card, this afternoon I can't, it keeps throwing up scandisk errors.  I think I'm going to bite the bullet and put in a new HDD (start from scratch).

I reckon I may have caught some kind of virus, although nothing seems to be picking it up.  

I've just tried logging into my laptop with a user account that belongs to xxx\xxxUsers.  I haven't logged into this laptop with that user account before so it created a new profile.  Strangely, that user account has the same issue as me (no access to C:), so I've just double checked another machine and that user logs in fine.  So, other than the domain admin account, other 'normal' accounts when logging into my laptop experience the same problem.
0
 
LVL 10

Expert Comment

by:George Khairallah
ID: 39721808
Andy,
It does sound like either your hard drive or your OS may have been shot due to either malware / virus, or simple hardware failure of some sort.

One last thing before rebuilding (who knows, it may be your saving grace)... perhaps try to do a repair install on the OS before blowing everything? If it is an OS level permissions issue, a repair install may very well fix it.
0
 

Author Comment

by:andrewprouse
ID: 39721821
If we think the OS needs a repair, then I'd probably prefer to start from scratch.  The laptop and HDD are probably around 3yrs old and I use the machine on average 8hrs every day.  If things are starting to play up, I'd rather fix it properly and change the HDD to hopefully stop this happening again in the near future.

I'm just downloading another Malware scanning tool, if I have no luck with that then I'll probably start the re-build tomorrow afternoon if you've got no other ideas.

Cheers, Andy
0
 

Author Comment

by:andrewprouse
ID: 39721850
Ok so here's a strange one. I had a UAC message pop up asking me to allow a certain program access to my c: (Java I think). This is strange because one of the first things I do with any laptop I build for myself is to disable UAC. So I checked, and yes it was turned on. So I turned it off, restarted and hey presto, access to my C: is restored.

I wouldn't say things are great though, there are a load of missing icons on my desktop (windows default icon for unknown program / file). I'm just letting MBAM do its thing, I'll post back.

Cheers, Andy
0
 
LVL 10

Accepted Solution

by:
George Khairallah earned 500 total points
ID: 39721912
Well, I guess that's good news, however, that is completely abnormal behavior from UAC, so as you said, I wouldn't consider things resolved.

If you prefer to rebuild, (that's probably what I would consider doing at this point) ...  but since you were going to rebuild anyway, then I guess it doesn't hurt to try a repair install. This sounds like a case where a Repair Install may actually be useful.
0
 

Author Closing Comment

by:andrewprouse
ID: 39731346
Went for a full rebuild.  A repair may have worked but as my HDD was 3yrs old I purchased a new HDD and rebuilt from scratch.  I didn't have time to do a repair then a full rebuild so opted for the latter.

Thanks for your help.
0
 
LVL 10

Expert Comment

by:George Khairallah
ID: 39731977
Sorry it came down to a full rebuild. I know that can be a pain, since you have to redo all your customization, but in the case of possible hard drive failure, I guess it's better safe than sorry :)
Glad things are working for you again !
Cheers, and thanks for the points!
0
