DC GPO Administrator Lockout

  • DC GPO Administrator Lockout

    I have a virtual server, and on one of my DCs within the host, I created 2 new GPOs, one off of the DC controllers policy, and one off of the domain policy. Now when I log in as administrator, I can't get administrator tools, which I set to lock out standard users.

    I have no control over my DC. I tried to log in locally from the virtual client as administrator, using the BIOS name, but it still won't let me in. What can I do?

  • #2
    Re: DC GPO Administrator Lockout

    Do you have another DC you can access the GPO from?
    Can you install the GP Management tools on a client and undo the DC changes from there?

    Failing both, try safe mode.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: DC GPO Administrator Lockout

      Originally posted by Kobe 310
      I have no control over my DC. I tried to log in locally from the virtual client as administrator, using the BIOS name, but it still won't let me in. What can I do?
      If it's a DC, you will ONLY be able to log on as the domain administrator, or other authorised user - there is no longer a local user account (which I assume you mean by Biosname).
      Please do show your appreciation to those who assist you by leaving Rep Point


      • #4
        Re: DC GPO Administrator Lockout

        Yes, I think what happened is I linked the GPOs in a way which is making the administrator get standard user credentials.

        How do I log in as a domain administrator?


        username:domain\domain administrator
        Last edited by Kobe 310; 20th June 2011, 17:19.


        • #5
          Re: DC GPO Administrator Lockout

          domain\administrator will log on as THE domain admin, but GPOs will still be applied.
          Tom Jones

          • #6
            Re: DC GPO Administrator Lockout

            I misunderstood, that's how I have been logging on. It seems that I am screwed?

            Rebuild new DC? Or is there another way? I just need to get to the GPOs. I turned everything off in GPO: search, run, cmd, c:


            • #7
              Re: DC GPO Administrator Lockout

              I was able to get to the GPO, thank god. Server Manager pops up automatically, I didn't know I could get in through there. However, I am still attached to the GPO that I set for the users. It seems like I get half of the admin's rights and half of the user's profile. I am comparing administrator to a good DC that I have running, and on the good one, if I go to properties of the administrator, I have 5 rows of tabs. Missing:

              security
              attribute editor
              published certificates
              delegation
              password replication
              object


              Any ideas?

              I had created a GPO that was working fine for users and didn't apply to the administrator. It had been working fine for about 2 months, then I am pretty sure I did something with the linking on the GPOs, I don't remember what I did. Anyway, when I got into the GPO just now, the users GPO I created was linked, so I unlinked it, and now I can see a few things that I didn't before, but some things I still can't.

              For instance, on the users GPO one of the rules is to hide specific drives; it still applies but I can see it now. I had hidden the recycle bin; the rule still applies, but I can see it. But there are some rules from the users GPO that are still applying to me.

              I just logged into my terminal server (separate box), and I am getting the same thing. What gives? No administrator tools, etc.
              Last edited by Kobe 310; 20th June 2011, 22:58.


              • #8
                Re: DC GPO Administrator Lockout

                OK, since the last post, I have deleted that GPO, created a new one, and set some policies. Same as last post, nothing has changed, I still can't see admin tools etc. However, if I create a new user, their profile looks the way it should. I can see admin tools, Windows security, control panel, etc. The policies that I set, like hide drives A, B, C, and D, are working.

                SOMEHOW, the profiles created PRE-MYISSUE are still attached to a GPO, even though under Group Policy Objects there are only 3 policies: DDP, DDCP, and mine.

                That still doesn't explain why the administrator profile is missing tabs in the properties???


                • #9
                  Re: DC GPO Administrator Lockout

                  With some GPO settings, it's not enough to just disable the GPO link.
                  You have to actually unset the item.

                  I guess what I'm saying here is:
                  if you have a GPO that says "turn on screen saver after 15 minutes" is enabled
                  and you then unlink that GPO,
                  the screen saver will come on after 15 minutes.
                  You need to set the screensaver setting to be "disabled" instead.


                  (Note: I'm using the screensaver setting as a simplistic example. I'm not even certain this one functions in this way.)
                  Please do show your appreciation to those who assist you by leaving Rep Point
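
One way to check what the replies above describe, i.e. which GPOs are still linked and which settings are still in effect for the affected account after a GPO was unlinked. This is an added example, not part of the original thread; it assumes the RSAT GroupPolicy and ActiveDirectory modules are installed and that it is run while logged on as the affected account. The report file name and the two registry keys inspected are illustrative choices.

```powershell
# Added example (not from the thread). Run as the affected account on a
# DC or a client with the RSAT GroupPolicy and ActiveDirectory modules.
Import-Module GroupPolicy, ActiveDirectory

$domain = Get-ADDomain

# 1. List the GPO links at the two containers the original poster changed:
#    the domain root and the Domain Controllers OU.
foreach ($target in $domain.DistinguishedName, $domain.DomainControllersContainer) {
    Write-Host "GPO links at $target"
    (Get-GPInheritance -Target $target).GpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced |
        Format-Table -AutoSize
}

# 2. Resultant Set of Policy for the current user on this computer.
#    The HTML report names the winning GPO for every applied setting.
$report = Join-Path $env:TEMP 'rsop-current-user.html'   # illustrative path
Get-GPResultantSetOfPolicy -ReportType Html -Path $report | Out-Null
Write-Host "RSoP report written to $report"

# 3. Show values still present in the user's policy registry keys.
#    A value that remains here after its GPO is unlinked and policy has
#    been refreshed (gpupdate /force) is a setting that was left behind.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',  # e.g. NoDrives
    'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'     # screen saver policy
)
foreach ($key in $policyKeys) {
    if (Test-Path $key) {
        Write-Host "Values set under $key"
        Get-ItemProperty -Path $key |
            Select-Object * -ExcludeProperty PS* |
            Format-List
    } else {
        Write-Host "$key is absent (nothing set there)"
    }
}
```

Comparing the link list from step 1 with the winning GPOs in the RSoP report shows whether a restriction comes from a GPO that is still linked or from a value that stayed behind.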