andrewprouse

AD restricted groups issue

Very strange issue.  We use restricted groups to apply several domain users and groups as local administrators to domain laptops.  This has been working fine since day 1, and is still working fine for all machines except my laptop.

Following some Windows updates on my Win7 laptop the other day, I logged in and now have no permissions to my own C:\ .  Strangely though, if I log out then log in as the domain administrator then the restricted groups settings are applied fine.

I've messed about trying with GPUPDATE /FORCE and GPRESULT and the GPO (default domain policy) is being applied under my user account. The default domain policy is our only GPO. But even though it says the user and computer policies are being applied, I'm still stuck with no access to C:\ (no permissions).

I tried a system restore to a few weeks ago when things were working fine, but this had no effect.  

Tbh I'm stuck now. I don't understand why this seems limited to my user account only.  Out of interest I've just tried logging into a Win8 machine with my user account, when I do I get the correct permissions (local admin).

Any help would be much appreciated.

Cheers, Andy
Will Szymkowski

If this is strictly affecting your own account and you have logged into other machines and it works fine, have you tried creating a new Windows Profile on the laptop that you normally use?

Do the event logs show anything related to this?

Will.
Hey Andy,

This sounds to me like something happened unrelated to restricted groups to your particular machine and user account.
When you say you don't have access to your C: drive, what does that mean?

What are the NTFS permissions on the root of your C:\ drive as it is now?

Also, I'm a bit confused, as in the second paragraph you said that the restricted groups apply fine when logged in with the domain admin, and in the 3rd paragraph you state that the computer and user policies are applied when you log in with your user account (are you referring to GPOs minus the restricted groups)?

Is it possible for you to try to log in with a different account other than yours that would have some sort of restricted groups applied? When you do, do a gpresult /R and an rsop.msc to see what is applied. Does it work then?

Since you said that your account works fine on Windows 8, I think the focus should be shifted to looking at the perms on your particular machine. I'm not convinced that the restricted groups are what's broken.
andrewprouse

ASKER

Hi guys, just to answer your questions and clarify a few things.

1) it's a little difficult to access the eventvwr as I don't have permission to. But if I log in as me, then log in as domain admin to view the eventvwr it shows x2 errors when I logged in (this is following a cold boot):
  -  NETLOGON 5719 - there are currently no logon servers available to service the login request
  -  GROUP POLICY 1055 - processing of group policy failed. Possibly due to name resolution on the current domain controller

However, if I repeat the log on log off process, there are now no errors in the event log (other than 'cannot access C:\ errors' when I log on).

2) I haven't tried re-creating the windows profile, was hoping to avoid that.

3) no access to c:\ - I mean literally that. If I open COMPUTER and try to double click C drive it says 'you do not have permission to access this resource'.

4) running gpresult /r as both myself and domain admin are very similar results apart from my account only seems to apply USER SETTINGS whereas the domain admin applies both USER and COMPUTER SETTINGS.

Strange though, if I run GPUPDATE when logged in as me, it says that it has applied both policies (user and computer) successfully (but I still can't get to C:\).

5) I can't access RSOP.MSC when logged in as me (no access to C:\)
Can you show the results of:
cacls c:\
and
net localgroup administrators  

Still not convinced it's an issue with group policy, but something that happened to your machine.
As Domain Admin:



cacls c:\

c:\ CREATOR OWNER:(OI)(CI)(IO)F
    NT AUTHORITY\SYSTEM:(OI)(CI)F
    BUILTIN\Administrators:(OI)(CI)F
    xxx\Domain Users:(OI)(CI)F



net localgroup administrators

Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
xxx\Administrator
xxx\andy rouse
xxx\Domain Admins
xxx\xxxUsers
NT AUTHORITY\Authenticated Users
The command completed successfully.




As me:

cacls c:\
c:\
Access is denied.




net localgroup administrators

Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
xxx\Administrator
xxx\Andy Rouse
xxx\Domain Admins
xxx\xxxUsers
NT AUTHORITY\Authenticated Users
The command completed successfully.
I'm assuming the xxx\Andy Rouse is your domain account.

Ok ... well, I'm afraid the next steps are going to have to involve the creation of a new account to test with. I'm convinced that it is something with your own account on that machine.

Can you try to add another domain user as local admin on the machine, and login with that user? This way, it will create a brand new profile. From that profile, are you able to access files on C:\Users\Andy Rouse?  

If that works, try, from a working admin account, renaming the C:\Users\Andy Rouse\ to C:\Andy Rouse.Original and log in again with xxx\Andy Rouse.  This should force it to create the profile again. If that works, then it's a simple matter of copying your data from the old profile to the new one.

I'll admit, that's an interesting problem though. I wonder what caused it to happen.
You don't happen to have any malware that's attacking your profile... have you done the usual scans? And a check disk with fix errors?
I agree that it seems to be something with my user account and this laptop, I've now ruled out server issues (for the moment).  I've done all usual AV and MalWare scans and nothing out of the ordinary has turned up.

There are some strange things happening with my laptop though.  I left it turned on last night running an in-depth AV scan, this morning it was still turned on but wouldn't respond to mouse or keyboard.  Also, this morning I've been able to write to and from the inbuilt SD card, this afternoon I can't, it keeps throwing up scandisk errors.  I think I'm going to bite the bullet and put in a new HDD (start from scratch).

I reckon I may have caught some kind of virus, although nothing seems to be picking it up.  

I've just tried logging into my laptop with a user account that belongs to xxx\xxxUsers.  I haven't logged into this laptop with that user account before so it created a new profile.  Strangely, that user account has the same issue as me (no access to C:), so I've just double checked another machine and that user logs in fine.  So, other than the domain admin account, other 'normal' accounts when logging into my laptop experience the same problem.
Andy,
It does sound like either your hard drive or your OS may have been shot due to either malware / virus, or simple hardware failure of some sort.

One last thing before rebuilding (who knows, it may be your saving grace)... perhaps try to do a repair install on the OS before blowing everything? If it is an OS level permissions issue, a repair install may very well fix it.
If we think the OS needs a repair, then I'd probably prefer to start from scratch.  The laptop and HDD are probably around 3yrs old and I use the machine on average 8hrs every day.  If things are starting to play up, I'd rather fix it properly and change the HDD to hopefully stop this happening again in the near future.

I'm just downloading another Malware scanning tool, if I have no luck with that then I'll probably start the re-build tomorrow afternoon if you've got no other ideas.

Cheers, Andy
Ok so here's a strange one. I had a UAC message pop up asking me to allow a certain program access to my c: (Java I think). This is strange because one of the first things I do with any laptop I build for myself is to disable UAC. So I checked, and yes it was turned on. So I turned it off, restarted and hey presto, access to my C: is restored.

I wouldn't say things are great though, there are a load of missing icons on my desktop (windows default icon for unknown program / file). I'm just letting MBAM do its thing, I'll post back.

Cheers, Andy
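
The checks requested in this thread (ACL on C:\, membership of the local Administrators group, UAC state) can be gathered in one read-only pass. The script below is an added example, not something posted by any participant; it assumes an English-language Windows (it matches the "deny only" text in whoami output) and uses only cmdlets available in the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added diagnostic sketch (read-only). Run as the affected user.
# Assumption: English-language Windows, so whoami prints "Group used for deny only".
$uacKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$enableLua = (Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA

# Is this process running with an elevated (full administrator) token?
$identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal  = New-Object Security.Principal.WindowsPrincipal($identity)
$isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
$adminEntry = whoami /groups /fo csv | ConvertFrom-Csv |
    Where-Object { $_.SID -eq 'S-1-5-32-544' }
$denyOnly = [bool]($adminEntry -and $adminEntry.Attributes -match 'deny only')

# ACL on the root of the system drive; report the error instead of stopping.
try {
    $acl = Get-Acl -Path 'C:\' -ErrorAction Stop
    $aclText = ($acl.Access | ForEach-Object {
        '{0} {1} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
    }) -join '; '
} catch {
    $aclText = "unreadable: $($_.Exception.Message)"
}

$report = New-Object PSObject -Property @{
    User                   = $identity.Name
    EnableLUA              = $enableLua
    Elevated               = $isElevated
    AdministratorsDenyOnly = $denyOnly
    RootAcl                = $aclText
}
$report | Format-List

if ($enableLua -eq 1 -and -not $isElevated -and $denyOnly) {
    'UAC is on and this session holds a filtered token: Administrators is deny-only,'
    'so ACEs that grant access to BUILTIN\Administrators do not apply until elevation.'
}
```

Comparing the output for the affected account and for an account that works shows whether the difference lies in the token (UAC filtering) or in the ACL itself.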
ASKER CERTIFIED SOLUTION
George Khairallah
Went for a full rebuild.  A repair may have worked but as my HDD was 3yrs old I purchased a new HDD and rebuilt from scratch.  I didn't have time to do a repair then a full rebuild so opted for the latter.

Thanks for your help.
Sorry it came down to a full rebuild. I know that can be a pain, since you have to redo all your customization, but in the case of possible hard drive failure, I guess it's better safe than sorry :)
Glad things are working for you again !
Cheers, and thanks for the points!