
Administrator account deleted

Status
Not open for further replies.

jimatkci

IS-IT--Management
Jun 19, 2003
I've renamed and deleted the administrator account on a Windows 2000 domain controller (oops) and now I can no longer open Domain Controller Security Policy, Domain Security Policy or the Local Security Policy from Administrative Tools. I can open Active Directory Users and Computers and right-click on Domain Controllers, click on properties, click on Group Policy, click on Default Domain Controllers Policy and click Edit. However, if I make a change to the User Rights Assignment, it isn't actually applied on the Domain Controller. Is there anything that I can do to get the Local Security policy back? I've already tried using MMC Security Configuration and Analysis snap-in, but it gives me an error message when I try to import a security template about an extended error. Anybody have any ideas?
 
1) Do a restore from a backup?
2) Recreate the Admin account?

Good luck.

Glen A. Johnson
Johnson Computer Consulting
MCP W2K
glen@johnsoncomputers.us


Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884
"Action is the proper fruit of knowledge."
Thomas Fuller (1610-1661); English scholar, preacher
 
The server is a domain controller so there really are no local users. The account that was renamed and deleted was the administrator account that is installed with 2000 server by default. Technically, I guess it was a local account and a domain account. I can't really do a full restore from backup because this all started about a week ago and a couple of software packages and A LOT of data has been added since then. If I knew exactly what to restore that would help. As far as recreating the administrator account, that doesn't help because it doesn't generate the same SID.
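The SID point made in the post above, as an added example that is not part of the original thread: the built-in Administrator is identified by RID 500 in its SID, and a newly created account with the same name is issued a fresh RID, so entries that reference the old SID do not match it. The domain identifier and RID 1137 are constructed values.

```python
import struct

# Well-known relative identifiers (RIDs) of built-in domain principals.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}

DOMAIN = (1111111111, 2222222222, 3333333333)   # constructed domain identifier


def build_sid(rid, domain=DOMAIN):
    """Pack a domain account SID into its binary form (objectSid layout)."""
    subs = (21, *domain, rid)
    header = bytes([1, len(subs)]) + (5).to_bytes(6, "big")   # revision, count, NT authority
    return header + struct.pack("<%dI" % len(subs), *subs)


def parse_sid(raw):
    """Decode a binary SID into the familiar S-1-... string."""
    if len(raw) < 8 or raw[0] != 1 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")            # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])         # 32-bit, little-endian
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)


def classify(sid):
    """Tell a built-in principal apart from an account someone created later."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        return "not a domain account SID"
    rid = int(parts[-1])
    if rid in WELL_KNOWN_RIDS:
        return "built-in " + WELL_KNOWN_RIDS[rid]
    return "created object" if rid >= 1000 else "reserved RID"


def orphaned_entries(acl_sids, live_sids):
    """ACL entries whose SID no longer belongs to any existing account."""
    return [s for s in acl_sids if s not in live_sids]
```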
 
I was under the impression that it is impossible to delete an administrator account, even the domain account. Microsoft did this so that you can't lock yourself out of your computers. You are allowed to rename the account, but, you shouldn't be allowed to delete the renamed account. Maybe I'm way off... :)

Are you sure you deleted the right renamed account?
 
I thought so too, but I can't find an account that is not an account that was existing before I renamed the administrator account and the username that I thought I renamed it to no longer exists. I have domain administrator accounts that I can use to log on to the server, but the actual administrator account no longer exists.
 
Here's a good suggestion:

Run MMC as a scheduled task so it runs in the SYSTEM context and re-create the administrator account.

Good luck! :)
Chris
 
He won't be able to do that because to schedule a task
you have to be an administrator or a power user
and the power users group doesn't exist on a domain controller
and his admin account has been deleted.

The only way he can do it is the way I did it.

Take the hard disk out and insert it into another machine
as a second disk drive. Then NTFS permissions on the
second drive won't have any effect.

From there, using the other PC, you can copy a renamed
copy of cmd.exe and overwrite logon.scr.

Then put the disk back. Boot to the logon screen
and when (after about 5 mins) the logon screensaver
kicks in it will launch a command window.

From there you can type mmc or whatever you want
to allow you system access to restore the account.


Robert
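A defender's check for the offline swap described in the post above, as an added example that is not part of the original thread: it flags a `logon.scr` that is byte-identical to a command interpreter in the same system32 directory, or that differs from a recorded known-good hash. The baseline hash and the stand-in file contents are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

SHELLS = {"cmd.exe", "command.com"}   # interpreters that must not sit behind logon.scr


def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_logon_screensaver(system32, baseline=None):
    """Return findings for logon.scr in a system32 directory (live or offline-mounted).

    baseline: SHA-256 of a known-good logon.scr recorded earlier (assumption).
    """
    # Match names case-insensitively: an offline mount may preserve any casing.
    files = {p.name.lower(): p for p in Path(system32).iterdir() if p.is_file()}
    scr = files.get("logon.scr")
    if scr is None:
        return ["logon.scr is missing"]
    findings = []
    scr_hash = digest(scr)
    for name in sorted(SHELLS & files.keys()):
        if digest(files[name]) == scr_hash:
            findings.append("logon.scr is byte-identical to " + name)
    if baseline is not None and scr_hash != baseline:
        findings.append("logon.scr does not match the recorded baseline hash")
    return findings


def demo():
    """Build two constructed system32 directories and check each."""
    results = {}
    good = hashlib.sha256(b"MZ-screensaver").hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        for label, scr_bytes in (("clean", b"MZ-screensaver"), ("tampered", b"MZ-shell")):
            d = Path(tmp, label)
            d.mkdir()
            (d / "CMD.EXE").write_bytes(b"MZ-shell")      # constructed stand-in bytes
            (d / "logon.scr").write_bytes(scr_bytes)
            results[label] = check_logon_screensaver(d, baseline=good)
    return results
```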
 
Yes, but if he's got a domain admin account
to use, that's sufficient privileges to
re-create the administrator account anyway, hence
I presumed he's not created a domain admins account.


 
Was the admin account in a separate OU that can be authoritatively restored? You should be able to authoritatively restore the single account with ntdsutil in Directory Services Restore Mode, or if it was in an OU that can be authoritatively restored, restore that OU.
As long as you have more than 1 DC, only what you authoritatively restore will take precedence over what's on the other DCs; in other words, if you authoritatively restore the admin account (if you're able to), then that will be the only info updated in the schema.

What account are you using now? Another with admin privileges?

Do you have an available enterprise admins or schema admins account to use, or is that the one you deleted?

If you deleted the enterprise and schema admin accounts, and they were the only ones, you're pretty much screwed, because to authoritatively restore the particular admin account, you'll need those credentials (if I'm remembering right anyway).

BWilson77080
MCSE2000, A+
 