file permissions all screwed PLEASE HELP

I am at work and I really screwed up. Major amateur moves.
I found there was a nested group that made the domain users group a member of the domain admin group, and I deleted it and reset some permissions. Now all my roaming profiles and file shares are not working.
I deleted the roaming profile GPO and created a new one, and on this one computer it won't stop looking for the folder redirect.

I originally used this tutorial to set it up: https://technet.microsoft.com/en-us/library/JJ649079.aspx

Also, now none of my mapped drives are working, and I used this method long ago: https://technet.microsoft.com/en-us/library/Cc770902.aspx

I am stuck here at work trying everything to get this to work, but I can't seem to get it.

The client PC says it cannot access the folder \\server\folder\username\. The only way it will access the folder is if I enter an admin credential, yet that user can access the folder via File Explorer without any issues.

How can I remove all traces of this, both on the server and client PCs, or how can I fix this?

Any help would be ideal. Thanks!
andrew nyc Asked:

arnold Commented:
Check the share permissions?
Where is the share? If it is on the DC, this is why non-admins are being denied access. You need to alter the default domain controller GPO and allow network access to other groups besides administrators.

Check the security permissions to make sure each share has appropriate rights.

The roaming profile share should have full rights to domain users in the share and in the security settings. Note that the profile, when synced up, will not inherit the permissions from the parent folder.

On the redirected folders, it depends on whether it is created through a script when the user account is created, or when the user account is being created using ADUC and the home dir is specified, which creates the redirected folder placeholder that will be populated on the second user login.

The same applies to the shares. You have to check share and security permissions and establish the correct groups in each to match the needed rights.

This was done for ease/expediency to ............

icacls/xcacls are tools you can use to see the security settings.

You may have to create security groups and add them with appropriate rights into the share and security permissions.
Then add each user into each group based on which resources/shares each user needs.
This deals with non profile/redirected folder ... shares.
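
The share-versus-security check described in the comment above, as an added PowerShell example that is not part of the original thread. It reports both permission layers for one share, then the owner and inheritance state of each per-user subfolder; the share name `Profiles$` is a placeholder, not a value from the thread.

```powershell
# Added example: report share-level and NTFS permissions for one share.
# Run on the file server in an elevated session (Windows Server 2012 or later).
# 'Profiles$' is a placeholder share name (assumption, not from the thread).
param(
    [string]$ShareName = 'Profiles$'
)

$share = Get-SmbShare -Name $ShareName -ErrorAction Stop

# Layer 1: share permissions, evaluated for every access over \\server\share
"--- Share permissions on $ShareName ---"
Get-SmbShareAccess -Name $ShareName |
    Select-Object AccountName, AccessControlType, AccessRight |
    Format-Table -AutoSize

# Layer 2: NTFS (security tab) permissions on the share root
"--- NTFS permissions on $($share.Path) ---"
(Get-Acl -Path $share.Path).Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# Per-user subfolders: who owns each one, whether inheritance from the
# share root is blocked, and which identities hold an explicit entry.
"--- Per-user folders ---"
Get-ChildItem -Path $share.Path -Directory | ForEach-Object {
    $acl = Get-Acl -Path $_.FullName
    $explicit = $acl.Access | Where-Object { -not $_.IsInherited }
    [pscustomobject]@{
        Folder             = $_.Name
        Owner              = $acl.Owner
        InheritanceBlocked = $acl.AreAccessRulesProtected
        ExplicitEntries    = ($explicit.IdentityReference.Value |
                                 Sort-Object -Unique) -join '; '
    }
} | Format-Table -AutoSize
```

A user needs to pass both layers, so a folder that shows the right owner and entries in the third table can still be unreachable if the first table grants the user's groups nothing.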
andrew nyc (Author) Commented:
Thanks for the help.
I do not have any script. It was done with GPO.
I have these settings for the redirect folder and subfolders, and I cannot get access.
The user even has full perms to the folder.

::EDIT::
After going over everything, it seems that there's something stuck on this client's PC. I removed the GPO and it seems that the other PCs are fine with the folders; they redirected back to the local machine, but this one doesn't want to do anything. And still no luck with the mapped drives.

Further update::
One user still has no access unless as an admin. I even checked effective access and she seems to have all green checks.
All other users seem to be working OK.


arnold Commented:
Who is the owner of that user's folder/files?
To what group does that user belong?

Run the effective permissions for that user to see whether that sheds light on the issue.
andrew nyc (Author) Commented:
arnold,
the effective permissions for the users work fine.

I have been here for over 12 hours trying to figure this out.
Right now I just need to do something so I can get the user profiles back to the local machine, and I will manually transfer the files over.
How can I do that??
The GPO has been deleted, so I cannot just easily change the GPO on it.
arnold Commented:
To revert manually, you need to edit the user's ntuser.dat file:
software\microsoft\windows\currentversion\explorer\shell folders\ change from the redirected to local.
Appdata
Desktop
Personal

Change it to c:\users\<username>\
You may want to rename the others and create these so you have a reference.


Do you have access to the user's files?
If not, leave them; after the user logs in twice, the redirect should once again be in place.

Double check the share permissions to make sure that is not what is preventing this user's access....
andrew nyc (Author) Commented:
I did the regedit, logged off and back on, but I still get a prompt for login after I logged in.
I have access to all the files; I can rename the main folders or whatever needs to be done.

I checked permissions at least 100 times and it's def not
arnold Commented:
It is not clear what you are seeing; you might be getting prompted by GPO scripts to gain access to resources, i.e. mapped drives, etc.

One option might be to rename the local profile/remote profile and have the user log in with a new profile being generated.....
andrew nyc (Author) Commented:
Your regedit solution worked for me to get the profiles back to local, which was most important!
THANK YOU!!

The mapped drives still are not working for some reason. Also, would it be safe to create a new GPO for file redirects now? How do I know that there is no ghost GPO in the server that was ruining things?
andrew nyc (Author) Commented:
I am also having WMI issues. I know I accepted the solution, but if you can help me, please.

Thanks
arnold Commented:
What WMI error do you see?
Deals with a missing registry entry?
arnold Commented:
The client has to have gpupdate /force

I do not believe your issue was GPO related. The GPO was more of a symptom where the sharing/security permissions were not hashed out, and granting all admin rights through a nested group hid the ........

Usually when such things occur, one should always make sure the shares, sharing/security permissions are adjusted prior to testing one account by removing it from the nested group. If that works, a subset of remaining users then follow...

This way you can control/minimize the number of users that might be impacted by the change as well as controlling how many issues need to be resolved. Difficulty: one might not have the full details of which shares each needs and .....
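
An added PowerShell example, not part of the original thread, for finding the kind of nesting discussed here before changing anything: it walks every group nested inside a privileged group and prints the chain that leads to it. The group name `Domain Admins` assumes an English-language default domain, and the function name is hypothetical.

```powershell
# Added example (not from the thread): list every group nested inside a
# privileged group and the chain that leads to it. Read-only.
# Requires the ActiveDirectory module (RSAT-AD-PowerShell).
Import-Module ActiveDirectory

function Get-NestedGroupChain {      # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$GroupDN,  # group to expand
        [string]$Chain = '',                     # groups walked so far
        [string[]]$Seen = @()                    # circular-nesting guard
    )
    if ($Seen -contains $GroupDN) { return }
    $Seen += $GroupDN

    # Escape LDAP filter metacharacters that may occur in a DN
    $f = $GroupDN -replace '\\','\5c' -replace '\(','\28' `
                  -replace '\)','\29' -replace '\*','\2a'

    # Only groups that are direct members of $GroupDN (users are skipped)
    foreach ($g in Get-ADGroup -LDAPFilter "(memberOf=$f)") {
        $path = "$Chain <- $($g.Name)"
        [pscustomobject]@{
            NestedGroup = $g.Name
            Chain       = $path
            # Well-known RIDs: 513 = Domain Users, 515 = Domain Computers
            BroadGroup  = $g.SID.Value -match '-51[35]$'
        }
        Get-NestedGroupChain -GroupDN $g.DistinguishedName -Chain $path -Seen $Seen
    }
}

# 'Domain Admins' is the default English name (assumption)
$root = Get-ADGroup -Identity 'Domain Admins'
Get-NestedGroupChain -GroupDN $root.DistinguishedName -Chain $root.Name |
    Format-Table -AutoSize
```

Any row with `BroadGroup` set to True means every ordinary account inherits the privileged group's rights, which is the condition that hides missing share and security permissions until the nesting is removed.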
andrew nyc (Author) Commented:
Can I reopen this issue? Because it did not fully get fixed; it is still acting up.
andrew nyc (Author) Commented:
OK, so I have 2 users where the GPO will not refresh on their computer. It keeps using an old GPO.

All the other users are working fine but these 2.

I deleted the GPO registries in regedit and the history in program data, and I still can't get it to pull the new GPO.
NVIT (End-user support) Commented:
Maybe unjoining then rejoining the domain can help.
arnold Commented:
There are different things that may contribute to this issue. Double check which logon server these workstations authenticate against. It might be that your AD replication (dcdiag).....

Going this route (unjoin/rejoin, or use netdom to rejoin):
Make sure that you have a local admin account before unjoining.

Unjoin, possibly deleting the old AD computer account......
