No announcement yet.

Desperate situation...

  • Filter
  • Time
  • Show
Clear All
new posts

  • Desperate situation...

    I am confronted with a terrible situation...

    One of my support guys was playing with Group policy and he accidentally removed the administrator group from all group policies. Other users in the domain are correctly included however.

    As a result, no administrator account can log on to domain controllers now. The "interactive logon" is being denied. I logged-in with another user that was not removed from the group policy object's security, but NOT a member of the admin group as well or with rights to add/modify groups in AD, to try to find a way either to add the current user to the admin group via a utility or to restore the admin accounts to the group policy security.

    So far, I have failed to find a way to do so. The only thing I can think of is to try to login in AD restore mode and add the user manually to the admin group from there, reboot and log in with the admin-now user and change the gpo. Is there another way of doing it? Can you suggest something, as the runas utility in association with mmc or anything other has failed miserably.

    Your help is much appreciated as we have been locked out of all DCs (!!!!). Needless to say what the repercussions will be and the replanning that need to be done, after this needle in a haystack situation...

  • #2
    Re: Desperate situation...

    Are you talking about permissions on the GPT (the part of GPOs that resides in SYSVOL), GPC (the part in AD) or both ?
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"


    • #3
      Re: Desperate situation...

      The guy went on the Group Policy Object within AD and removed the Administrator group from the Security tab.

      Hope that helps...