Lost access to Active Directory Builtin Groups and OUs

We seem to have lost access to the default/builtin groups/users/OUs in Active Directory.  We still have access to the custom OUs we have created below the top level domain but cannot access such things as:

Domain Controllers
Domain Admins group
Enterprise Admins group

The user we are currently logging into the DC with is/was a member of the Domain Admins group and we can access most things.  We noticed this issue when we went to create a new user or reset a password for an existing user and it gave us an Access Denied error.

When we look at the AD object of this logged in user we can see the membership to the Domain Admins group but when we look at another user that was a member, all their memberships are gone.

If we highlight the domain in ADUC, in the right pane we can see the OUs but the ones we are having a problem seeing/accessing in the tree don't have an Icon associated with them.

Any thoughts?

Will Szymkowski (Senior Solution Architect) commented:
Seems like someone modified the Security ACL and propagated permissions down. Basically you will need to re-apply the permissions from the top level parent domain.com in ADUC and apply to all sub-OUs as well.

If you have auditing enabled you should be able to check the security logs to see who made this change.

Unfortunately this is the only option.
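
The audit-log check mentioned in the answer above, as an added example that is not part of the original thread: it filters Security event 5136 (directory service object modified) down to writes of `nTSecurityDescriptor`, the attribute that holds an object's ACL, and reports who made them. It assumes "Directory Service Changes" auditing was enabled before the change; the sample events, user and domain names are constructed.

```powershell
# Added example (not from the thread). Event 5136 is logged only when
# "Directory Service Changes" auditing is on and the object's SACL audits writes.
function Get-AclChange {
    param([Parameter(Mandatory=$true)][string[]]$EventXml)
    $ops = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }
    foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        # Flatten <Data Name="x">value</Data> into a lookup table.
        $d = @{}
        foreach ($n in $evt.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Keep only writes to the ACL attribute.
        if ($d['AttributeLDAPDisplayName'] -ne 'nTSecurityDescriptor') { continue }
        $op = $d['OperationType']
        if ($op -and $ops.ContainsKey($op)) { $op = $ops[$op] }
        New-Object PSObject -Property @{
            Time      = $evt.System.TimeCreated.SystemTime
            Actor     = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            ObjectDN  = $d['ObjectDN']
            Operation = $op
        }
    }
}

# Constructed sample events (placeholder user and domain names).
$tmpl = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>5136</EventID><TimeCreated SystemTime="2024-01-01T10:00:00Z"/></System>
 <EventData>
  <Data Name="SubjectUserName">jdoe</Data>
  <Data Name="SubjectDomainName">EXAMPLE</Data>
  <Data Name="ObjectDN">DC=example,DC=com</Data>
  <Data Name="AttributeLDAPDisplayName">{0}</Data>
  <Data Name="OperationType">%%14674</Data>
 </EventData>
</Event>
'@
$sample = ($tmpl -f 'nTSecurityDescriptor'), ($tmpl -f 'description')
Get-AclChange -EventXml $sample | Format-List   # only the ACL write is reported

# On a domain controller, feed it the real Security log instead:
# Get-AclChange -EventXml (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136} |
#     ForEach-Object { $_.ToXml() })
```

An ACL replacement normally shows up as a "Value Deleted" and "Value Added" pair for the same object, so sort the output by time and look at the earliest entry on the domain root.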

ClearBlueTechnologies (Author) commented:
How do you force the changes down to lower-level objects?

Will Szymkowski (Senior Solution Architect) commented:
You need to make sure that when you are applying the permissions to Domain Admins etc., you are also setting the "Replace all child object permissions with the inheritable permissions from this object" option.

This will then apply permissions to the top level and any other preceding OUs beneath it.

ClearBlueTechnologies (Author) commented:
That did it.  Thanks for the help!
Windows Server 2008