Domain Administrator has lost all rights

Guest

I have a single DC, W2K SP4.
I set up a restricted group in the AD to give workstation users local
admin access.
I must have made a mistake cos as soon as I set it up it stopped all my
domain admin access and IUSR access from the server. I have completely
removed all traces of the groups and related policy but the admin access
never returns.

Tried restarting server.

what to do????? please help!!
 
ptwilliams

Restricted groups replaces group membership - it doesn't merge (well, it
can, but I can't remember the SP versions, and KBs). That's why it's called
restricted groups - you restrict what members are in what groups. Just open
up the GPO that you defined this in and add the domain admins group and any
other missing groups at the GPO level.

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net
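
An added example, not part of the original thread: a small audit of the replace behaviour described in the reply above. It assumes the GPO's Restricted Groups settings are stored in the `[Group Membership]` section of the GPO's `GptTmpl.inf` security template as `<group>__Members` lines; the domain SID in the sample is constructed and the function names are hypothetical.

```python
import re

# Well-known identifiers: BUILTIN\Administrators SID and the Domain Admins RID.
BUILTIN_ADMINS = "S-1-5-32-544"
DOMAIN_ADMINS_RID = "512"

# Constructed sample template; the domain SID below is made up for illustration.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
"""

def restricted_groups(inf_text):
    """Return {group: [members]} for each '<group>__Members' line in [Group Membership]."""
    groups, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "group membership" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.lower().endswith("__members"):
            group = key[:-len("__Members")].lstrip("*")
            groups[group] = [m.strip().lstrip("*") for m in value.split(",") if m.strip()]
    return groups

def admins_missing_domain_admins(inf_text):
    """True if the template replaces Administrators with a list that omits Domain Admins."""
    for group, members in restricted_groups(inf_text).items():
        if group.upper() in (BUILTIN_ADMINS, "ADMINISTRATORS"):
            has_da = any(
                re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-" + DOMAIN_ADMINS_RID, m, re.I)
                or m.lower().endswith("domain admins")
                for m in members
            )
            if not has_da:
                return True
    return False

if __name__ == "__main__":
    print("Domain Admins missing:", admins_missing_domain_admins(SAMPLE_INF))
```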


 
Guest

Thanks but I have deleted all GPO's and restricted groups and restarted the
server but the Domain Admin access is still restricted.
eg. I can't access any remote workstation c$ drive, I can't look at files
that have administrator Full control permissions, I can't access any
http://localhost web sites from the server.

How can I get back control???
 
Andrew Mitchell

Fabrussio said:
Thanks but I have deleted all GPO's and restricted groups and restarted
the server but the Domain Admin access is still restricted.
eg. I can't access any remote workstation c$ drive, I can't look at
files that have administrator Full control permissions, I can't access
any http://localhost web sites from the server.

How can I get back control???

As Paul has already said, you need to recreate the restricted group GPO and
make sure you add the Domain Admins group.
 
Guest

Thanks, so do I do this on the DC itself?
I originally followed the tip on http://www.jsiinc.com/SUBK/tip5300/rh5319.htm
which says to add the GPO on a member server\computer with adminpak and
browse for the local administrators group.
Why will putting the domain administrator in a restricted local administrator
group give back domain rights?

I am getting confused....
 
Guest

Do I also need to be careful to recreate the GPO in exactly the same place in
the AD with the same group names and members or doesn't it matter?

thanks
 
Guest

I have never changed anything in the default domain GPO, the restricted group
was in a separate GPO called 'machines' that contains all the workstations.

Why doesn't the domain administrator get back normal access rights after this
restricted group and GPO setting has been deleted?

thanks for all help..
 
Enkidu

How long did you wait? It could take eight hours for the GPOs to
propagate, if you don't do anything else. Or you could issue the
command "secedit /refreshpolicy machine_policy".

Cheers,

Cliff
 
