none
Lost Admin Access to Server, possibly UAC gpo problem

    Question

  • I have a Windows network that has evolved over the last 12 -years with 2000-2003-2008R2-2012 servers.  Life has been grand until this last week.  We lost manageability to a handful of servers and we cannot come up with a common denominator why the select 5-servers are refusing our domain credentials.

    The only thing that sticks out in my mind that has changed is one of our DC's, a Windows Server 2012 box forced us to install updates and restart the machine.  It was the following day that things started to break apart for us.

    When I login into a number of servers all 2008/R2 machines, I can login OK.  But I can't manage them.  I get UAC dialogue box to authenticate which I attempt with the same or another domain admin account and it fails.

    If I run GPRESULT /V >GP.TXT to get the resulting set of GPO I can see the user account is detected as a member of 'DOMAIN ADMIN' but I can't actually make changes.

    I created a GPO based on this, http://www.techrepublic.com/blog/the-enterprise-cloud/disable-uac-for-windows-servers-through-group-policy/ recommendation but it didn't help.  

    HELP!  Anybody have any ideas I can try.    Needless to say my hair is graying by the moment, LOL.

    Thursday, February 26, 2015 2:09 AM

Answers

  • > If I run GPRESULT /V >GP.TXT to get the resulting set of GPO I can see
    > the user account is detected as a member of 'DOMAIN ADMIN' but I can't
    > actually make changes.
     From a commmand prompt, run "whoami /groups" and check if you are a
    member of the local administrators.
     
    if not, examine a gpresult/gpmc modeling report for restricted groups
    settings.
     

    Martin

    Mal ein GUTES Buch über GPOs lesen?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Thursday, February 26, 2015 9:09 AM

All replies

  • > If I run GPRESULT /V >GP.TXT to get the resulting set of GPO I can see
    > the user account is detected as a member of 'DOMAIN ADMIN' but I can't
    > actually make changes.
     From a commmand prompt, run "whoami /groups" and check if you are a
    member of the local administrators.
     
    if not, examine a gpresult/gpmc modeling report for restricted groups
    settings.
     

    Martin

    Mal ein GUTES Buch über GPOs lesen?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Thursday, February 26, 2015 9:09 AM
  • Thank you Martin.  Your comment regarding Restricted Groups was enough to make me think in that direction which has resulted in correction to our access issues.
    Friday, February 27, 2015 3:30 AM