Lost control of AD


Roger Mathews

I desperately need help with my directory. I had an issue this morning with
not being able to create user logins because of password policies in place.
When I looked at these policies they were never defined, but I also saw that
the Default Domain Policy also was not active, so I added it back in. This
allowed me to create the user id. Now because of the policy it has placed
restrictions so that I as the domain administrator cannot even get back into
any MMC snap-ins, including Users & Computers, Local Policies, etc. I'm
desperate for any suggestions.

Thanks in advance.
 

David Brandt [MSFT]

We can edit the policies manually, but when you say that you added the
domain policy back in, I assume that you meant that you linked it to the
Domain, but was there already some other policy linked to the domain
too? If so, is that policy still in place too, or was there just no policy
linked to the domain at all?
Also, when you added it back, what things did you define? Because once
something is actually defined in there, then only that user/group will be
able to have that right, which is why things are generally not defined here.
Not knowing for sure what was defined in there, and what you can and can't
do now (logon locally, access machine from network, etc.), the file to edit is
called GptTmpl.inf and for your Default Domain Policy is located in the
following location:
sysvol/sysvol/domain/policies/31Bxxx/machine/microsoft/windows nt/secedit
(the 6ACxxxx is your DC policy)
Note that most problems like this are most often due to edits on the DC
policy (6AC) and not the Domain policy, but if you know it is the Domain policy
then the 31B will be the one to work on, but it will have little in it by
default since most is not defined.
The seinteractivelogonright is your logon locally right and the
senetworklogonright is your access computer from network right.
You can edit the values there to add back builtin groups like Administrators
and Everyone. The following article gives you some of those IDs, but
Administrators is S-1-5-32-544 and Everyone is S-1-1-0.
Following a reboot, those groups should then have those rights again.
If you should by chance still have another DC that hasn't had those changes
replicated to it for some reason, you could also just copy the entire
31Bxxxxxxxx folder over from another DC to replace the one on the troubled
box, then reboot.

243330 Well Known Security Identifiers in Windows 2000
http://support.microsoft.com/?id=243330

267553 How to Reset User Rights in the Default Domain Controllers Group
Policy
http://support.microsoft.com/?id=267553

If your problem is not then logging on locally or accessing the box from the
network, please give the exact error message you get when trying to open the
different snap-ins and policies, as they can vary depending on the problem.
Thanks

--
David Brandt
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
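As an added example (not from the thread or from Microsoft), a small check for the two rights David names: it parses the [Privilege Rights] section of a GptTmpl.inf, reports which of the well-known SIDs are missing from a right that the template defines, and leaves undefined rights alone since those keep their defaults. The template text and the domain-account SID are constructed; a real GptTmpl.inf is UTF-16, so read and write it with encoding="utf-16".

```python
# Added example: check and repair SeInteractiveLogonRight / SeNetworkLogonRight
# in a GptTmpl.inf (SYSVOL\...\Machine\Microsoft\Windows NT\SecEdit).
ADMINISTRATORS_SID = "S-1-5-32-544"   # BUILTIN\Administrators (KB 243330)
EVERYONE_SID = "S-1-1-0"              # Everyone

# Assumption: restore Administrators to both rights and Everyone to network logon.
REQUIRED = {
    "SeInteractiveLogonRight": [ADMINISTRATORS_SID],
    "SeNetworkLogonRight": [ADMINISTRATORS_SID, EVERYONE_SID],
}

# Constructed sample of a damaged template: rights defined for one domain
# account only, so Administrators and Everyone have lost them.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1001
SeNetworkLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1001
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(text):
    """Return {right_name: [sid, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # entries are '*SID' (or plain account names), comma separated
            rights[name.strip()] = [v.strip().lstrip("*")
                                    for v in value.split(",") if v.strip()]
    return rights

def missing_sids(rights):
    """Well-known SIDs each DEFINED required right lacks; an undefined right
    keeps its default and is reported as lacking nothing."""
    return {r: ([s for s in sids if s not in rights[r]] if r in rights else [])
            for r, sids in REQUIRED.items()}

def repair(text):
    """Return the template with the missing SIDs appended to each right."""
    rights, gaps = parse_privilege_rights(text), missing_sids(parse_privilege_rights(text))
    out = []
    for line in text.splitlines():
        name = line.split("=")[0].strip()
        if gaps.get(name):
            line = f"{name} = " + ",".join("*" + s for s in rights[name] + gaps[name])
        out.append(line)
    return "\n".join(out) + "\n"
```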
 

Roger Mathews

Excellent information, thank you very much. Yes, I just re-linked the
policy back to the root level domain. There are also other special purpose
GPOs for proxy setup, control panel lock-down etc. I'm not sure what
exactly is defined in the domain policy since I don't believe anyone has
ever altered it. I will keep you posted. Thanks again.
 

Roger Mathews

David,

The two policies below have been verified and they look ok. A couple of the
specific symptoms we are experiencing are loss of access to the C: drive of
local workstations and the C: drive of the servers. It appears to be a
browser issue since we can directly open a file from the C: drive (start/run
c:\test.txt) but we just can't navigate. People can log in and use their
software, but accessing from "My Computer" doesn't even show the drive.
Another symptom is loss of access to MMC, which is making these diagnostics
difficult. I think these are related. I'm not familiar with a policy that
blocks browsing of a drive, and security on those drives seems intact.
 

David Brandt [MSFT]

Glad that got you going. About the only thing that is defined by default in
the Domain policy is the settings for passwords.

--
David Brandt
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
 

Roger Mathews

David,

I hope I'm not being a pest. I did find that the Default Domain Policy is
in fact killing my network. By navigating the USER folder of each policy
and viewing the registry.pol file, I found that MMC is being disabled. I
couldn't see anything regarding the restricted drives, but once I have access
to group policy editing that shouldn't be an issue. My question is: can I
delete or rename this registry file to in effect disable it without creating
other global issues? Not sure how file replication will come into play with
this attempt.

Thanks again for your assistance.
 
