Domain admin has lost administrative rights

Guest

I have a Windows 2000 member server that is also running Exchange 2000 and ISA
Server 2000, and is working as a gateway to the Internet for my network. It is
logged on using the domain admin account.
One day I was trying to log on to the server using Terminal Services, then
I got an error message "You do not have access to logon to this session". When
I went to check the server, I found out that the domain admin account that was
logged on had lost the rights to do anything that had to do with security on the
server. I also had lost the rights to restart or shut down the server. The only
option I have is to log off the administrator account. The other server (the
domain controller) is working fine.
Before this happened I didn't change any security rights on the
member server or the domain.
I have tried to log on using a different account that has domain admin
rights, but this account is also restricted.
How can I get back the normal domain admin rights on this member server?
 
Steven L Umbach

First thing I would check is that the user account is still in the local
administrators group of the server, using the command net localgroup
administrators. If you are using a user account in the domain admins group,
that group [domain admins] would need to be in the local administrators
group, which it should be by default but can be removed. The other thing to
check is that the server has proper name resolution, DC discovery,
trust/secure channel, and network connectivity to the domain controllers.
Check the logs via Event Viewer to see if anything is found that may
indicate a problem, and run the support tool netdiag on it and the domain
controllers. If the server has multiple network adapters you need to make
sure the "internal" network adapter is correctly configured to use the
domain controllers only as preferred and alternate DNS servers. If you use
nslookup on that server it must show only domain controller IP addresses as
DNS servers, and when you enter the domain name [mydomain.com] it should
resolve to the IP addresses of domain controllers. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;291382
 
Guest

The [domain admin] group is not in the local administrators group, but how
can I get it back in the group? I do not have permission to add it to the
group, and I can't find the password for the local administrator account. I
suspect that it might have been changed by someone who has got access to the
computer from the Internet.



2mmy said:
No, I'm still having the problem.
 
Steven Umbach

Well, if that is true and the user is not an authorized user, you have a big
problem on your hands, which you probably already know. Having said that, there
are a few ways to proceed to gain administrator access. If you have physical
access to the server, see the link below on how to download a free program that
will allow you to boot from a CD/floppy to reset the built-in administrator
account.

http://www.petri.co.il/forgot_administrator_password.htm

Beyond that, and if the computer is still a member of the domain with a valid
computer account and proper connectivity to domain controllers, you could use
Group Policy in a couple of ways. One way is to create a Group Policy "startup"
script that uses the command [ net localgroup administrators "domain name\domain admins" /add ]
in a Notepad file saved with a .bat extension, or use Group Policy Restricted
Groups where domain admins is the restricted group and you configure it to be a
member of administrators. Either way you would want to do that at the
Organizational Unit level. You could create an OU for your server that is a
child OU of the OU it is currently in, move it into the OU temporarily, create
the Group Policy that has Restricted Groups or the Group Policy "startup" script, and
then either wait for the next GP refresh, which may be up to two hours for
Restricted Groups to apply, or reboot the server if possible, which would be
necessary for a GP startup script to work. If you can log on to it and run
secedit to force a refresh of GP on the server, that should speed up application
of Restricted Groups. --- Steve

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html --- using Restricted Groups
http://www.windowsitpro.com/Article/ArticleID/27330/27330.html --- GP startup script example
http://support.microsoft.com/kb/322241/EN-US/ --- KB article on GP scripts

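A startup script of the kind Steve describes, written here as an added example (it is not from the thread). It records the current membership of the local Administrators group before changing anything, then re-adds Domain Admins only if the group is actually missing. MYDOMAIN and the log file path are placeholders to replace.

```bat
@echo off
rem Added example of a Group Policy startup script; not from the thread.
rem Startup scripts run as LocalSystem, which is why this can repair the
rem local Administrators group even when no administrator can log on.
rem MYDOMAIN is a placeholder for the NetBIOS name of the domain.
setlocal
set DOMAIN=MYDOMAIN
set LOGFILE=%SystemRoot%\restore-domain-admins.log

rem Record who is in Administrators before touching it. If the removal was
rem unauthorized, this dated list is evidence worth keeping for the review.
echo ==== %date% %time% Administrators before change ==== >> "%LOGFILE%"
net localgroup Administrators >> "%LOGFILE%" 2>&1

rem Only add the group when it is really missing; "net localgroup /add"
rem returns an error if the member is already present.
net localgroup Administrators | find /i "%DOMAIN%\Domain Admins" >nul
if errorlevel 1 (
    echo %date% %time% Domain Admins missing, re-adding >> "%LOGFILE%"
    net localgroup Administrators "%DOMAIN%\Domain Admins" /add >> "%LOGFILE%" 2>&1
    echo ==== %date% %time% Administrators after change ==== >> "%LOGFILE%"
    net localgroup Administrators >> "%LOGFILE%" 2>&1
) else (
    echo %date% %time% Domain Admins already a member, nothing to do >> "%LOGFILE%"
)
endlocal
```

Once the group is back, compare the "before" list in the log with the accounts you expect to be there; any member you did not add yourself is the next thing to investigate.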


Has this been resolved yet? --- Steve


 
 
