Re: Edit restricted groups at domain level now locked out


From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 12/17/04


Date: Fri, 17 Dec 2004 13:33:55 -0600

Log on as the built-in administrator account for the domain and you should
still be able to access and change/repair settings. Another solution would
be to do an authoritative restore of Active Directory which requires that
you have a backup of the System State of a domain controller before this all
happened and boot into Directory Services Restore Mode. You will also need
to know the password for the "local" administrator account to the domain
controller to do such which is only used for Directory Services Restore and
Recovery Console. That password was created when you used dcpromo to promote
the server to domain controller. LOL that this is in a lab and that is how
we all learn without doing any real damage. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;241594&sd=tech --
how to do an authoritative restore of AD.

"simon" <simon@discussions.microsoft.com> wrote in message
news:840E22F8-B54F-4EBC-93F9-30432A1D4BD7@microsoft.com...
> Ok OK know I have been pretty stupid!!!
>
> At a domain level I edited the restricted groups in GPO to add domain admins
> and enterprise admins to the local administrators group on all computers in
> domain.
>
> Worked a treat so then wanted to document process so deleted the group in
> GPO so I could do it again and document it.
>
> Well after deleting the group in GPO I can't put it back, tells me I do not
> have rights even with an enterprise admin.
>
> I guess I have in the process removed all from the administrator group on
> the domain controller as well as every other machine.
>
> Anyone got any ideas how to fix or is it a start again with this domain.
>
> Luckily am still in the lab but this could have happened easily for real
> later when we go live so a recovery procedure would be good.
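
An added example, not code from either poster: a pre-deployment check for the mistake described in this thread. It reads the `[Group Membership]` section of a GPO's `GptTmpl.inf` (where Restricted Groups settings are stored) and reports which principals an authoritative Administrators "Members" list would leave out. The function names, the sample file with its made-up domain SID, and the default list of RIDs to keep (500 Administrator, 512 Domain Admins, 519 Enterprise Admins) are assumptions.

```python
import re

ADMINISTRATORS = ("s-1-5-32-544", "administrators")  # BUILTIN\Administrators by SID or name

# Constructed sample GptTmpl.inf (the domain SID is made up): Restricted Groups
# listing only Domain Admins (RID 512) and Enterprise Admins (RID 519).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-519
"""

def parse_group_membership(inf_text):
    """Map each group in [Group Membership] to its 'members' / 'memberof' lists."""
    groups, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "group membership" or line.startswith(";"):
            continue
        key, sep, value = line.partition("=")
        match = re.fullmatch(r"\*?(.+?)__(members|memberof)", key.strip(), re.IGNORECASE)
        if not sep or not match:
            continue
        entries = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        groups.setdefault(match.group(1).lower(), {})[match.group(2).lower()] = entries
    return groups

def dropped_admin_rids(inf_text, required_rids=("500", "512", "519")):
    """Return None when the policy leaves Administrators' member list alone,
    else the required domain RIDs that its authoritative Members list omits."""
    for group, settings in parse_group_membership(inf_text).items():
        if group in ADMINISTRATORS and "members" in settings:
            kept = {sid.rsplit("-", 1)[-1] for sid in settings["members"]
                    if sid.upper().startswith("S-1-5-21-")}
            return [rid for rid in required_rids if rid not in kept]
    return None

if __name__ == "__main__":
    # Report for the constructed sample: RIDs the policy would not keep.
    print(dropped_admin_rids(SAMPLE_INF))
```

A `__Members` line replaces the group's membership with exactly the listed entries, while a `__Memberof` line on another group only adds that group, which is why the check returns `None` for policies that use only the latter.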


