Permissions hosed on a Windows 2000 Domain Controller

coax31 Member Posts: 117
One of our branch office Windows 2000 server DCs had the permissions hosed and now I cannot log in. I receive this error: "The system cannot log you on. The specified module cannot be found. Please try again or consult your systems administrator"

I get this error with any domain admin account I try; a former employee removed the everybody group from the C NTFS permissions. Any advice? Will an in-place upgrade help or do I have to rebuild the server?


thanks,

Comments

  • snadam Member Posts: 2,234
    coax31 wrote:
    One of our branch office Windows 2000 server DCs had the permissions hosed and now I cannot log in. I receive this error: "The system cannot log you on. The specified module cannot be found. Please try again or consult your systems administrator"

    I get this error with any domain admin account I try; a former employee removed the everybody group from the C NTFS permissions. Any advice? Will an in-place upgrade help or do I have to rebuild the server?


    thanks,


    First thing I would do is try and log in as the LOCAL admin on that box. You should be able to set the NTFS permissions with that account.
    **** ARE FOR CHUMPS! Don't be a chump! Validate your material with certguard.com search engine

    :study: Current 2015 Goals: JNCIP-SEC JNCIS-ENT CCNA-Security
  • royal Member Posts: 3,352
    That would be possible if DCs had a SAM database for local accounts. DCs are not like member servers, standalone servers, and workstations in the sense that they have local accounts. You can only use an AD account for DC logins. Can you try a last known good configuration? Can you get into safe mode at all?
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • snadam Member Posts: 2,234
    royal wrote:
    That would be possible if DCs had a SAM database for local accounts. DCs are not like member servers, standalone servers, and workstations in the sense that they have local accounts. You can only use an AD account for DC logins. Can you try a last known good configuration? Can you get into safe mode at all?


    Would help if I READ that tiny detail that it's a DC... my bad...
  • royal Member Posts: 3,352
    Also, if Last Known doesn't work, you can try just letting your DC sit at the login prompt, go to an MMC on another machine, and try remotely running DCSecurity.inf on the messed up DC. Be warned though, other applications installed on that DC could malfunction due to the DCSecurity.inf resetting permissions to default.
  • sprkymrk Member Posts: 4,884
    Can you log into another computer as a domain admin, then remotely access the remote drive and modify the permissions?
    All things are possible, only believe.
  • coax31 Member Posts: 117
    How can I access the remote drive? By typing Start - Run \\server\c$? When I do that it says access denied.
  • dtlokee Member Posts: 2,378
    It's an off the wall thought, but can you put the drive in another computer in the domain and add the everyone group back in? The other thought would be something like Winternals, I think you can edit file system permissions with that.

    Warning: I have never tried this.
    The only easy day was yesterday!
  • iowatech Member Posts: 120
    Longshot, can you remote into the system using a domain admin account and take ownership of the drive? Or have you tried doing so already?
  • coax31 Member Posts: 117
    I cannot remote to it; it will not let me log in. How can I run MMC to remotely connect to the server?
  • iowatech Member Posts: 120
    Generally you will add the "Remote Desktop" snap-in into an MMC console then add which server you want to connect to from there.
  • sprkymrk Member Posts: 4,884
    I think your only option is going to be a restore from backup on the system state. If "everyone" was removed, and "System" or "Administrators" or something else was not added in at the same time, I'm not aware of a fix. The normal fixes assume you have admin access.

    Maybe a Linux boot disk or ERD Commander.
  • coax31 Member Posts: 117
    I'll try ERD Commander; I have a copy of that. Nice 1911, do you own one? I prefer a Glock 21.
  • dynamik Banned Posts: 12,312
    This might be a stupid question, but does Server 2000 have Directory Services Restore Mode? I'm not familiar with 2000. Would that allow you to pop in and poke around?
  • sprkymrk Member Posts: 4,884
    dynamik wrote:
    This might be a stupid question, but does Server 2000 have Directory Services Restore Mode? I'm not familiar with 2000. Would that allow you to pop in and poke around?

    I don't think restoring the AD database will restore NTFS permissions on a drive.
    coax31 wrote:
    Nice 1911, do you own one? I prefer a Glock 21.

    I own a few.
    I also own a Glock 23 and 27.
  • dynamik Banned Posts: 12,312
    sprkymrk wrote:
    I don't think restoring the AD database will restore NTFS permissions on a drive.

    I didn't mean for him to restore the AD database, just log in. It wasn't that stupid of a question :D

    I actually just tried this with a 2003 VM. I removed all the permissions from the C:\ drive, rebooted. Of course I got numerous errors.

    I then rebooted and successfully got into directory services restore mode (only got an error about the paging file being too small or non-existent), and I was able to set permissions on the drive again.
  • sprkymrk Member Posts: 4,884
    dynamik wrote:
    sprkymrk wrote:
    I don't think restoring the AD database will restore NTFS permissions on a drive.

    I didn't mean for him to restore the AD database, just log in. It wasn't that stupid of a question :D

    I actually just tried this with a 2003 VM. I removed all the permissions from the C:\ drive, rebooted. Of course I got numerous errors.

    I then rebooted and successfully got into directory services restore mode (only got an error about the paging file being too small or non-existent), and I was able to set permissions on the drive again.

    Cool. Now hopefully he knows what the DS Restore password is. :)
  • blargoe Member Posts: 4,174
    All that happened is REMOVING everyone from C: permissions? If it's default, Administrators domain local group should still have full perms on the C drive. Something else has to have happened in addition. But in theory, you should be able to pop out the drive and put it in another computer and add back the everyone group, and/or retake ownership of the drive. Also, booting to something like Ultimate boot CD for Windows or ERD and doing the same.

    Do you have another functional DC? If you do, I personally would seize the FSMO roles the messed up DC holds, make sure DNS/DHCP/WINS are moved to another server if this messed up server is currently hosting it, and rebuild.

    If you don't have another functional DC, you could set one up and do the same procedure if your DC isn't so hosed up as to allow replication of the AD database.

    Or, restore from tape.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • coax31 Member Posts: 117
    I fixed it with the ERD disk. I am surprised the ERD Commander 2002 CD recognized the RAID controller's logical drive. I opened My Computer in ERD and clicked reset permissions and it applies the Everyone group with full control to the C:, worked like a charm.
  • coax31 Member Posts: 117
    Oh, by the way thanks for all of your help. Good luck on all of your certification pursuits.
  • dynamik Banned Posts: 12,312
    coax31 wrote:
    I fixed it with the ERD disk. I am surprised the ERD Commander 2002 CD recognized the RAID controller's logical drive. I opened My Computer in ERD and clicked reset permissions and it applies the Everyone group with full control to the C:, worked like a charm.

    Glad you got everything working again. Thanks for sharing your solution.