Local Admin accounts / OUs Missing

    Question

  • Hi guys, I am having a bit of a problem, not sure what went wrong, so let me start from the beginning.

    A while ago I had to create a GPO which automatically makes certain users local admins on the computers as soon as they are joined to the domain. But what happened is, it ended up removing all the local accounts, as I had configured the wrong settings. We sorted and deleted this GPO so that it could not replicate to anything anymore, even though all previous local admin accounts were now removed.

    This was, say, 3-4 weeks ago, and last night (7 March 2016) I restarted our main Active Directory server, and when I logged into it this morning, all the security group OUs are missing!! Even the groups and users that were under those OUs are also missing, and when you try and search for them, AD Users and Computers tells you the object could not be found.

    When I tried recreating one of the groups it tells me it already exists, but it is nowhere to be found..

    Is this a result of the GPO that was messed up? And if so, how can I fix this problem?

    Please, I am desperate for help.

    Tuesday, March 08, 2016 9:10 AM

Answers

All replies

  • I doubt that it's caused by the GPO that you deleted previously, but anyway, could you please share more details about the GPO? What exact settings have you configured in it?
     
    Also, how many domain controllers do you have in your environment? Try to run the "dcdiag.exe /V /D /C /E > c:\dcdiag.log" command from an elevated command prompt, and see if there are any errors in your Active Directory:
     
    https://technet.microsoft.com/en-us/library/cc731968.aspx
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Wednesday, March 09, 2016 6:26 AM
    Moderator
  • The GPO was meant to be created as an easier way for admin accounts to be added as local admins on the PCs, rather than having to go to each and every PC and adding it yourself.

    Here is how I set it up:

    • Opened up Group Policy Management Console and created a new GPO
    • Went to edit the GPO, then to Computer Configuration - Preferences - Control Panel Settings - Local Users and Groups
    • Went to Actions - New - Local Group
    • Selected Administrators (built-in) from the group name
    • (Here is where I messed up) I ticked both boxes that said "Delete all member users" and "Delete all member groups" (I think I should've left those unticked)

    After this was done it ended up removing all current local admins rather than adding the new ones, so we were without local admin privileges on the PCs. Luckily we could still get onto the host where our main AD resides and disabled that GPO. But now I am still struggling to do some simple admin tasks, and on our RODCs and main servers we have, no matter what method I use, I cannot add local admins anymore, whereas in the past I was able to do it.

    I thought maybe it could've been caused by permissions of this GPO, because if you try and open the OU it says you don't have permissions and the attribute or value cannot be viewed/found.

    Wednesday, March 09, 2016 8:24 AM
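
    The two checkboxes described in the steps above are stored in the GPO's Group Policy Preferences XML (SYSVOL\...\Machine\Preferences\Groups\Groups.xml) as the deleteAllUsers and deleteAllGroups attributes, where "1" means ticked and "0" is the safe, unticked setting. The following PowerShell is an added example, not code from this thread or from Microsoft: it scans a Policies folder for Groups.xml items and flags any that would wipe existing group members. The SYSVOL path, the EXAMPLE domain, the SIDs and the GPO GUID in the constructed sample are assumptions.

    ```powershell
    # Added example: audit GPP "Local Users and Groups" items for deleteAllUsers / deleteAllGroups.
    function Get-GppGroupItemRisk {
        param(
            # Folder to scan, normally \\<domain>\SYSVOL\<domain>\Policies (assumed path, not from the thread)
            [Parameter(Mandatory)] [string] $PoliciesPath
        )
        Get-ChildItem -Path $PoliciesPath -Recurse -Filter Groups.xml -ErrorAction SilentlyContinue |
            ForEach-Object {
                $file = $_.FullName
                $doc  = [xml](Get-Content -Path $file -Raw)
                foreach ($g in $doc.Groups.Group) {
                    $p = $g.Properties
                    $delUsers  = ($p.GetAttribute('deleteAllUsers')  -eq '1')
                    $delGroups = ($p.GetAttribute('deleteAllGroups') -eq '1')
                    [pscustomobject]@{
                        File            = $file
                        GroupName       = $p.GetAttribute('groupName')
                        GroupSid        = $p.GetAttribute('groupSid')   # S-1-5-32-544 = built-in Administrators
                        Action          = $p.GetAttribute('action')     # C=create, R=replace, U=update, D=delete
                        DeleteAllUsers  = $delUsers
                        DeleteAllGroups = $delGroups
                        Members         = ($p.Members.Member | ForEach-Object {
                                              "$($_.GetAttribute('action')):$($_.GetAttribute('name'))" }) -join ', '
                        # Either flag set means existing members are removed before the listed ones are added
                        Risky           = ($delUsers -or $delGroups)
                    }
                }
            }
    }

    # Constructed sample mirroring the misconfiguration in the thread (placeholder GUID and SIDs, not real values).
    $sample = @'
    <?xml version="1.0" encoding="utf-8"?>
    <Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
      <Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Administrators (built-in)">
        <Properties action="U" deleteAllUsers="1" deleteAllGroups="1" removeAccounts="0"
                    groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
          <Members>
            <Member name="EXAMPLE\Workstation Admins" action="ADD" sid="S-1-5-21-0-0-0-1234"/>
          </Members>
        </Properties>
      </Group>
    </Groups>
    '@
    $root = Join-Path ([IO.Path]::GetTempPath()) 'gpp-audit-demo'
    $dir  = Join-Path $root '{PLACEHOLDER-GPO-GUID}\Machine\Preferences\Groups'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    Set-Content -Path (Join-Path $dir 'Groups.xml') -Value $sample -Encoding UTF8

    Get-GppGroupItemRisk -PoliciesPath $root | Where-Object Risky | Format-List
    ```

    Against a real SYSVOL, point -PoliciesPath at the domain's Policies share; an item with Risky = True on S-1-5-32-544 is the setting that removes the existing local administrators on every computer the GPO applies to.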
  • Hi, I have found the problem and fixed it, thank you. It was corrupted NTDS files.
    • Marked as answer by Pheonix147 Friday, March 11, 2016 1:19 PM
    Friday, March 11, 2016 1:19 PM