Set Deny permissions on GPO at the domain level now locked out of AD

    Question

  • I can't believe it. I stupidly wasn't paying attention to the container I was setting deny permissions on for administrative accounts and set them to read deny. I did it to stop group policies from executing on a server.

    Now I'm in a world of hurt and am looking for answers.

    When I run dcdiag I get the following:

    -----------------------

    Domain Controller Diagnosis

    Performing initial setup:
       [server] LDAP bind failed with error 1323,
       Win32 Error 1323.
       ***Error: The machine could not attach to the DC because the credentials
       were incorrect.  Check your credentials or specify credentials with
       /u:<domain>\<user> & /p:[<password>|*|""]

    ------------------------

    It looks like my domain has gone away but I know it's there.

    Any clues?


    Tuesday, February 21, 2017 6:05 AM

Answers

  • Problem was resolved by another tech. He had to remove the user EVERYONE from the security on the folders and then restart the server. Then marked administrators as allowed.
    Wednesday, February 22, 2017 2:19 PM
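    The resolution above came down to finding and removing an explicit Deny entry that had been placed on the wrong object. The following PowerShell audit is an added example, not part of this thread or of any Microsoft tooling: it lists every explicit Deny ACE on the domain root, the Domain Controllers OU, the Policies container and the SYSVOL policy folders, and flags those that hit broad or administrative principals so they can be reviewed before they cause a lockout. It assumes the RSAT ActiveDirectory module is available and that it runs under an account that can still read those ACLs.

```powershell
# Added example: audit explicit Deny ACEs on the containers this thread shows
# locking out administrators. Assumes the RSAT ActiveDirectory module (which
# provides the AD: drive) and a DC with a readable SYSVOL.
Import-Module ActiveDirectory

function Find-DenyAces {
    param(
        [string[]]$Paths,
        # Principals for which an explicit Deny is almost always a mistake
        [string[]]$Watch = @('Everyone', 'Authenticated Users', 'Domain Admins',
                             'Enterprise Admins', 'Administrators', 'SYSTEM')
    )
    foreach ($path in $Paths) {
        try { $acl = Get-Acl -Path $path -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL on ${path}: $_"; continue }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Deny') { continue }
            $id  = $ace.IdentityReference.Value
            $hit = $Watch | Where-Object { $id -like "*$_" }
            [pscustomobject]@{
                Path      = $path
                Identity  = $id
                # AD objects expose ActiveDirectoryRights, folders FileSystemRights
                Rights    = if ($ace.ActiveDirectoryRights) { $ace.ActiveDirectoryRights }
                            else { $ace.FileSystemRights }
                Inherited = $ace.IsInherited
                HighRisk  = [bool]$hit
            }
        }
    }
}

$domain = Get-ADDomain
$paths  = @(
    "AD:\$($domain.DistinguishedName)",
    "AD:\$($domain.DomainControllersContainer)",
    "AD:\CN=Policies,CN=System,$($domain.DistinguishedName)"
) + (Get-ChildItem "$env:WINDIR\SYSVOL\domain\Policies" -Directory).FullName

# Show only the entries worth a second look; drop the filter to see every Deny
Find-DenyAces -Paths $paths | Where-Object HighRisk | Format-Table -AutoSize
```

    If the domain is already in the state described in the question, the AD: reads will fail with the same credential error dcdiag reports; the SYSVOL folder checks still run locally, which is where the accepted answer found the stray Everyone entry.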

All replies

  • I ran dcdiag on a bdc and got the following:

    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = MCTdc
       * Identified AD Forest.
       Done gathering initial info.

    Doing initial required tests

       Testing server: Default-First-Site-Name\MCTDC
          Starting test: Connectivity
             ......................... MCTDC passed test Connectivity

    Doing primary tests

       Testing server: Default-First-Site-Name\MCTDC
          Starting test: Advertising
             ......................... MCTDC passed test Advertising
          Starting test: FrsEvent
             ......................... MCTDC passed test FrsEvent
          Starting test: DFSREvent
             ......................... MCTDC passed test DFSREvent
          Starting test: SysVolCheck
             ......................... MCTDC passed test SysVolCheck
          Starting test: KccEvent
             ......................... MCTDC passed test KccEvent
          Starting test: KnowsOfRoleHolders
             Warning: MCTDC could not resolve the name for role
             PDC Owner.
             The name error was Not Found.
             Warning: MCTDC could not resolve the name for role
             Rid Owner.
             The name error was Not Found.
             Warning: MCTDC could not resolve the name for role
             Infrastructure Update Owner.
             The name error was Not Found.
             ......................... MCTDC failed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... MCTDC passed test MachineAccount
          Starting test: NCSecDesc
             Fatal Error: Cannot retrieve SID
             ......................... MCTDC failed test NCSecDesc
          Starting test: NetLogons
             ......................... MCTDC passed test NetLogons
          Starting test: ObjectsReplicated
             ......................... MCTDC passed test ObjectsReplicated
          Starting test: Replications
             ......................... MCTDC passed test Replications
          Starting test: RidManager
             The "RID manager reference" could not be found for domain DN
             DC=domain,DC=net. The lack of a RID manager reference indicates that
             the Security Accounts Manager has not been able to obtain a pool of
             RIDs for this machine. The Directory will not allow Netlogon to
             advertise this machine until the system has been able to obtain a RID
             pool. Please verify that this system can replicate with other members
             of the enterprise. Failure to replicate with the RID FSMO owner can
             prevent a system from obtaining a RID Pool.
             Warning: attribute FSMORoleOwner missing from (null)
             ......................... MCTDC failed test RidManager
          Starting test: Services
             ......................... MCTDC passed test Services
          Starting test: SystemLog
             An error event occurred.  EventID: 0x0000044D
                Time Generated: 02/21/2017   00:12:26
                Event String:
                The processing of Group Policy failed. Windows could not locate the
    directory object OU=Domain Controllers,DC=domain,DC=net. Group Policy settings
    will not be enforced until this event is resolved. View the event details for mo
    re information on this error.
             An error event occurred.  EventID: 0x0000044D
                Time Generated: 02/21/2017   00:17:26
                Event String:
                The processing of Group Policy failed. Windows could not locate the
    directory object OU=Domain Controllers,DC=domain,DC=net. Group Policy settings
    will not be enforced until this event is resolved. View the event details for mo
    re information on this error.
             An error event occurred.  EventID: 0x0000044D
                Time Generated: 02/21/2017   00:22:26
                Event String:
                The processing of Group Policy failed. Windows could not locate the
    directory object OU=Domain Controllers,DC=domain,DC=net. Group Policy settings
    will not be enforced until this event is resolved. View the event details for mo
    re information on this error.
             An error event occurred.  EventID: 0x0000044D
                Time Generated: 02/21/2017   00:27:26
                Event String:
                The processing of Group Policy failed. Windows could not locate the
    directory object OU=Domain Controllers,DC=domain,DC=net. Group Policy settings
    will not be enforced until this event is resolved. View the event details for mo
    re information on this error.
             An error event occurred.  EventID: 0x0000044D
                Time Generated: 02/21/2017   00:32:26
                Event String:
                The processing of Group Policy failed. Windows could not locate the
    directory object OU=Domain Controllers,DC=domain,DC=net. Group Policy settings
    will not be enforced until this event is resolved. View the event details for mo
    re information on this error.
             An error event occurred.  EventID: 0x0000044D
                Time Generated: 02/21/2017   00:36:31
                Event String:
                The processing of Group Policy failed. Windows could not locate the
    directory object DC=domain,DC=net. Group Policy settings will not be enforced u
    ntil this event is resolved. View the event details for more information on this
     error.
             An error event occurred.  EventID: 0x0000044D
                Time Generated: 02/21/2017   00:37:26
                Event String:
                The processing of Group Policy failed. Windows could not locate the
    directory object OU=Domain Controllers,DC=domain,DC=net. Group Policy settings
    will not be enforced until this event is resolved. View the event details for mo
    re information on this error.
             An error event occurred.  EventID: 0x0000044D
                Time Generated: 02/21/2017   00:42:26
                Event String:
                The processing of Group Policy failed. Windows could not locate the
    directory object OU=Domain Controllers,DC=domain,DC=net. Group Policy settings
    will not be enforced until this event is resolved. View the event details for mo
    re information on this error.
             An error event occurred.  EventID: 0x0000044D
                Time Generated: 02/21/2017   00:47:26
                Event String:
                The processing of Group Policy failed. Windows could not locate the
    directory object OU=Domain Controllers,DC=domain,DC=net. Group Policy settings
    will not be enforced until this event is resolved. View the event details for mo
    re information on this error.
             An error event occurred.  EventID: 0x0000044D
                Time Generated: 02/21/2017   00:52:26
                Event String:
                The processing of Group Policy failed. Windows could not locate the
    directory object OU=Domain Controllers,DC=domain,DC=net. Group Policy settings
    will not be enforced until this event is resolved. View the event details for mo
    re information on this error.
             An error event occurred.  EventID: 0x0000044D
                Time Generated: 02/21/2017   00:57:26
                Event String:
                The processing of Group Policy failed. Windows could not locate the
    directory object OU=Domain Controllers,DC=domain,DC=net. Group Policy settings
    will not be enforced until this event is resolved. View the event details for mo
    re information on this error.
             An error event occurred.  EventID: 0x0000044D
                Time Generated: 02/21/2017   01:02:26
                Event String:
                The processing of Group Policy failed. Windows could not locate the
    directory object OU=Domain Controllers,DC=domain,DC=net. Group Policy settings
    will not be enforced until this event is resolved. View the event details for mo
    re information on this error.
             An error event occurred.  EventID: 0x0000044D
                Time Generated: 02/21/2017   01:07:26
                Event String:
                The processing of Group Policy failed. Windows could not locate the
    directory object OU=Domain Controllers,DC=domain,DC=net. Group Policy settings
    will not be enforced until this event is resolved. View the event details for mo
    re information on this error.
             ......................... MCTDC failed test SystemLog
          Starting test: VerifyReferences
             ......................... MCTDC passed test VerifyReferences


       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation

       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation

       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation

       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation

       Running partition tests on : mctague
          Starting test: CheckSDRefDom
             ......................... domain passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... domain passed test CrossRefValidation

       Running enterprise tests on : domain.net
          Starting test: LocatorCheck
             ......................... domain.net passed test LocatorCheck
          Starting test: Intersite
             ......................... domain.net passed test Intersite


    Tuesday, February 21, 2017 6:11 AM
  • Hi

     Try to restore the Default Domain and Default Domain Controller policies; give this a try:

    http://windowsitpro.com/group-policy/how-can-i-restore-contents-default-domain-and-default-domain-controller-dc-group-policy

    https://support.microsoft.com/en-us/help/226243/how-to-reset-security-settings-in-the-default-domain-gpo-in-windows-2000


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    Tuesday, February 21, 2017 8:24 AM
  • It restored the Domain Controller Group Policy but not the Default Domain Group Policy, or so it claimed.

    When I attempt to go into AD users and computers I get the following:

    

    Tuesday, February 21, 2017 9:45 AM
  • If you have any recent System State backup for your DC or you did a GPO backup, you can restore it to another test location, look in %WINDIR%\SYSVOL\domain\Policies for that GUID and copy it back to the DC (to the same location %WINDIR%\SYSVOL\domain\Policies). It will be replicated to all DCs and you will be able again to see it in \\domain.local\SYSVOL and edit it from GPMC.

    This will probably solve your issue.

    Tuesday, February 21, 2017 1:36 PM