Locked myself out of AD

Josh

So I've managed to shoot myself in the foot in a pretty good fashion. I
was putzing around with my AD setup trying to get things configured in
such a way as to give my new computer tech the ability to help out but
not do too much damage (irony, irony, irony). In the process, I created a
computer tech group, gave that group permissions for managing AD objects
in the policy for the domain, and then applied the policy without adding
any members into the group. Now, I get a logon failed if I try and
manage the AD. This is, of course, compounded by the fact that I don't
have a recent backup of this machine.

So, I am faced with needing to do one of two things, find an undo button
that will allow me to go back to where things were yesterday morning, or
find some way to sneak me into the computer tech group. Any thoughts or
tips are welcome.

Thanks,
Josh
 
Try this:

http://support.microsoft.com/?kbid=226243

The default Domain Group Policy object (GPO) contains many default security
settings. Sometimes, changing the default settings may produce unwanted
effects. Unwanted effects may also result if the contents of the Sysvol
folder are manually rebuilt or are restored from a backup.

This article describes how to reset security settings in the default Domain
GPO. The default security policy settings are reset by editing the
Gpttmpl.inf file that is located in the Sysvol folder.

This is to be done with caution. A damaged Gpttmpl.inf file may make your
domain controller inoperable. After you complete this procedure, any
configured settings in the default Domain GPO will be lost, and you will
have to re-configure and re-apply your required settings.
-ds
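
A pre-change check for the kind of lockout described in this thread, added here as an example (it is not from the KB article or from either poster): it parses the `[Privilege Rights]` section of a Gpttmpl.inf copy and reports logon rights that no longer include BUILTIN\Administrators. It assumes the lockout came from a user-rights assignment, which the thread does not confirm; the sample file, the group SID and the function names are constructed.

```python
ADMINS = "*S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
LOGON_RIGHTS = ("SeInteractiveLogonRight", "SeNetworkLogonRight")

# Constructed sample, not taken from a real domain. The S-1-5-21-... SID
# stands in for a newly created group that has no members yet.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
"""

def privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INF comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # entering a new section
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def lockout_risks(inf_text, required=ADMINS, watched=LOGON_RIGHTS):
    """List watched logon rights that are defined but omit `required`."""
    rights = privilege_rights(inf_text)
    return [r for r in watched
            if r in rights
            and required.lower() not in (p.lower() for p in rights[r])]

if __name__ == "__main__":
    for right in lockout_risks(SAMPLE_INF):
        print(f"WARNING: {right} does not include {ADMINS}")
```

To check a real template, pass the text of a copy of the file rather than the live one in Sysvol; these files are normally saved as UTF-16, so open the copy with `encoding="utf-16"`.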
 