Re: Domain Administrator have lost all rights

From: Fabrussio (Fabrussio_at_discussions.microsoft.com)
Date: 11/07/04 

Date: Sat, 6 Nov 2004 16:06:02 -0800

I have never changed anything in the default domain GPO, the restricted group
was in a seperate GPO called 'machines' that contains all the workstations.

Why doesn't the domain administrator get back nomal access rights after this
restricted group and GPO setting has been deleted?

thanks for all help..

"Enkidu" wrote:

>
> I'm pretty sure you can't remove the default domain controller's GPO.
> See if you can access that and replace the group as suggested.
>
> Try this KB article.
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;226243
>
> Cheers,
>
> Cliff
>
> On Sat, 6 Nov 2004 07:50:01 -0800, Fabrussio
> <Fabrussio@discussions.microsoft.com> wrote:
>
> >Thanks but I have deleted all GPO's and restricted groups and restarted the
> >server but the Domain Admin access is still restricted.
> >eg. I can't access any remote workstation c$ drive, I can't look at files
> >that have administrator Full control permissions, I can't access any
> >http://localhost web sites from the server.
> >
> >How can I get back control???
> >
> >
> >"ptwilliams" wrote:
> >
> >> Restricted groups replaces group membership - it doesn't merge (well, it
> >> can, but I can't remember the SP versions, and KBs). That's why it's called
> >> restricted groups - you restrict what members are in what groups. Just open
> >> up the GPO that you defined this in and add the domain admins group and any
> >> other missing groups at the GPO level.
> >>
> >> --
> >>
> >> Paul Williams
> >>
> >> http://www.msresource.net
> >> http://forums.msresource.net
> >>
> >>
> >> "Fabrussio" <Fabrussio@discussions.microsoft.com> wrote in message
> >> news:D133FFF0-2548-4EED-9C25-F5D53B93B488@microsoft.com...
> >> i have a single DC w2k sp4.
> >> I set up a restricted group in the AD to give workstation users - local
> >> admin access.
> >> I must have made a mistkae cos As soon as I set it up it stopped all my
> >> domain admin access and IUSR access from the server. I have completely
> >> removed all traces of the groups and related policy but the admin access
> >> never returns.
> >>
> >> Tried restarting server.
> >>
> >> what to do????? please help!!
> >>
> >>
> >>
>
>

Relevant Pages

  • Re: Help needed setting up roaming administrator
    ... >Administrators group (just type in Administrators, don't browse for it, ... >add your Roaming Local Admins group to the Members of this group section ... GPO associated with the OU that contains the computers I want to use ... restricted group and to define the groups the restricted group will ...
    (microsoft.public.win2000.security)
  • Re: Desktop Admin - HELP
    ... restricted group in my GPO and refreshed my policy and all should be good... ... local admin rights... ... ALSO, i created a brand new GPO to use, and it had the same results... ...
    (microsoft.public.win2000.active_directory)
  • Re: restricted groups have broken Admin access....help!
    ... member server' bit and just added my choosen users to the 'administrator' ... Then the Domain Admin access was lost. ... I then tried deleting the GPO and redoing the restricted group as per ... I eventually gave up and deleted all traces of the groups and GPO, ...
    (microsoft.public.win2000.group_policy)
  • Re: Adding domain users as local XP administrators...
    ... create the new GPO and set my policy? ... >> create a restricted group policy in the domain policy that will ... >> domain has full rights to the local machine. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: RE: loopback group policy
    ... merges the settings on the Computer GPO with the Users GPO ... all explicit in the Help Section of the Loopback GPO) ... GPO's then it will still affect any workstations below it. ...
    (microsoft.public.windows.server.active_directory)