Permissions hosed on a Windows 2000 Domain Controller
One of hour branch office Windows 2000 server DCs had the permissions hosed and now I cannot login, I receive this error: "The system cannot log you on. The specified module cannot be found. Please try again or consult your systems administrator"
I get this error with any domain admin account I try, former employee removed the everybody group from C NTFS permissions. Any advice? Will an inplace upgrade help or do I have to rebuild the server.
thanks,
I get this error with any domain admin account I try, former employee removed the everybody group from C NTFS permissions. Any advice? Will an inplace upgrade help or do I have to rebuild the server.
thanks,
Comments
-
snadam Member Posts: 2,234 ■■■■□□□□□□coax31 wrote:One of hour branch office Windows 2000 server DCs had the permissions hosed and now I cannot login, I receive this error: "The system cannot log you on. The specified module cannot be found. Please try again or consult your systems administrator"
I get this error with any domain admin account I try, former employee removed the everybody group from C NTFS permissions. Any advice? Will an inplace upgrade help or do I have to rebuild the server.
thanks,
first thing I would do is try and log in as the LOCAL admin on that box. You should be able to set the NTFS permissions with that account.**** ARE FOR CHUMPS! Don't be a chump! Validate your material with certguard.com search engine
:study: Current 2015 Goals: JNCIP-SEC JNCIS-ENT CCNA-Security -
royal Member Posts: 3,352 ■■■■□□□□□□That would be possible if DCs had a SAM database for local accounts. DCs are not like member servers, standalone servers, and workstations in the sense that they have local accounts. You can only use an AD account for DC logins. Can you try a last known good configuration? Can you get into safe mode at all?“For success, attitude is equally as important as ability.” - Harry F. Banks
-
snadam Member Posts: 2,234 ■■■■□□□□□□royal wrote:That would be possible if DCs had a SAM database for local accounts. DCs are not like member servers, standalone servers, and workstations in the sense that they have local accounts. You can only use an AD account for DC logins. Can you try a last known good configuration? Can you get into safe mode at all?
would help if I READ that tiny detail that its a DC...my bad...**** ARE FOR CHUMPS! Don't be a chump! Validate your material with certguard.com search engine
:study: Current 2015 Goals: JNCIP-SEC JNCIS-ENT CCNA-Security -
royal Member Posts: 3,352 ■■■■□□□□□□Also, if Last Known doesn't work, you can try just letting your DC sit at the login prompt, go to an MMC on another machine, and try remotely running DCSecurity.inf on the messed up DC. Be warned though, other applications installed on that DC could malfunction due to the DCSecurity.inf resetting permissions to default.“For success, attitude is equally as important as ability.” - Harry F. Banks
-
sprkymrk Member Posts: 4,884 ■■■□□□□□□□Can you log into another computer as a domain admin, then remotely access the remote drive and modify the permissions?All things are possible, only believe.
-
coax31 Member Posts: 117 ■■■□□□□□□□how can I access the remote drive? By typing Start - Run \\server\c$ when I do that it says access denied.
-
dtlokee Member Posts: 2,378 ■■■■□□□□□□It's an off the wall thought, but can you put the drive in another compuer in the domain and add the everyone group back in? The other though would be something like winternals, I think you can edit file system permissions with that.
Warning: I have never tried thisThe only easy day was yesterday! -
iowatech Member Posts: 120Longshot, can you remote into the system using a domain admin account and take ownership of the drive? Or have you tried doing so already.
-
coax31 Member Posts: 117 ■■■□□□□□□□I cannot remote to it, it will not let me login. How can I run MMC to remotely connect to the server?
-
iowatech Member Posts: 120Generally you will add the "Remote Desktop" snap-in into a MMC console then add which server you want to connect to from there.
-
sprkymrk Member Posts: 4,884 ■■■□□□□□□□I think your only option is going to be a restore from backup on the system state. If "everyone" was removed, and "System" or "Administrators" or something else was not added in at the same time, I'm not aware of a fix. The normal fixes assume you have admin access.
Maybe a linux boot disk or ERD Commander.All things are possible, only believe. -
coax31 Member Posts: 117 ■■■□□□□□□□I'll try ERD commander, I have a copy of that. Nice 1911 do you own one? I prefer a Glock 21.
-
dynamik Banned Posts: 12,312 ■■■■■■■■■□This might be a stupid question, but does Server 2000 have Directory Services Restore Mode? I'm not familiar with 2000. Would that allow you to pop in and poke around?
-
sprkymrk Member Posts: 4,884 ■■■□□□□□□□dynamik wrote:This might be a stupid question, but does Server 2000 have Directory Services Restore Mode? I'm not familiar with 2000. Would that allow you to pop in and poke around?
I don't think restoring the AD database will restore NTFS permissions on a drive.coax31 wrote:Nice 1911 do you own one? I prefer a Glock 21.
I own a few.
I also own a Glock 23 and 27.All things are possible, only believe. -
dynamik Banned Posts: 12,312 ■■■■■■■■■□sprkymrk wrote:I don't think restoring the AD database will restore NTFS permissions on a drive.
I didn't mean for him to restore the AD database, just log in. It wasn't that stupid of a question
I actually just tried this with a 2003 VM. I removed all the permissions from the C:\ drive, rebooted. Of course I got numerous errors.
I then rebooted and successfully got into directory services restore mode (only got an error about the paging file being too small or non-existant), and I was able to set permissions on the drive again. -
sprkymrk Member Posts: 4,884 ■■■□□□□□□□dynamik wrote:sprkymrk wrote:I don't think restoring the AD database will restore NTFS permissions on a drive.
I didn't mean for him to restore the AD database, just log in. It wasn't that stupid of a question
I actually just tried this with a 2003 VM. I removed all the permissions from the C:\ drive, rebooted. Of course I got numerous errors.
I then rebooted and successfully got into directory services restore mode (only got an error about the paging file being too small or non-existant), and I was able to set permissions on the drive again.
Cool. Now hopefully he knows what the DS Restore password is.All things are possible, only believe. -
blargoe Member Posts: 4,174 ■■■■■■■■■□All that happened is REMOVING everyone from C: permissions? If it's default, Administrators domain local group should still have full perms on the C drive. Something else has to have happened in addition. But in theory, you should be able to pop out the drive and put it in another computer and add back the everyone group, and/or retake ownership of the drive. Also, booting to something like Ultimate boot CD for Windows or ERD and doing the same.
Do you have another functional DC? If you do, I personally would seize the FSMO roles the messed up DC holds, make sure DNS/DHCP/WINS are moved to another server if this messed up server is currently hosting it, and rebuild.
If you don't have another functional DC, you could set one up and do the same procedure if your DC isn't so hosed up as to allow replication of the AD database.
Or, restore from tape.IT guy since 12/00
Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
Working on: RHCE/Ansible
Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands... -
coax31 Member Posts: 117 ■■■□□□□□□□I fixed it with the ERD disk, I am suprised the ERD Commander 2002 CD recoginized the RAID controllers logical drive. I opened my computer in ERD and clicked reset permissions and it applies the Everyone group with full control to the C:, worked like a charm.
-
coax31 Member Posts: 117 ■■■□□□□□□□Oh, by the way thanks for all of your help. Good luck on all of your certification pursuits.
-
dynamik Banned Posts: 12,312 ■■■■■■■■■□coax31 wrote:I fixed it with the ERD disk, I am suprised the ERD Commander 2002 CD recoginized the RAID controllers logical drive. I opened my computer in ERD and clicked reset permissions and it applies the Everyone group with full control to the C:, worked like a charm.
Glad to you got everything working again. Thanks for sharing your solution.