HELP - Domain Admin unable to connect to DC


airbourne (MIS), Sep 11, 2003
OK, this is really frustrating me. Another admin, who no longer works for the company, set up this domain controller at one of our remote sites. My logon, which is a domain admin, is able to do anything I want on ANY other PC or server in the domain. This one particular domain controller says I am NOT AUTHORIZED, ACCESS DENIED.

My problem is this: why only my account, and if this is a GPO setting, which setting? We created a new user with domain admin rights, and his account works fine.

I don't want to delete and recreate my account before I find out why this went wrong. My concern is that there is a larger underlying problem that should be addressed. Yes, if I create a new user, give them domain admin rights, they can log into this server. HELP!

thank you. =)
 
Using a new domain admin-enabled account, check to see whether this account has been explicitly refused rights in Active Directory... It's when you try to log on to the DC that it does this???

The ex-admin has likely done this on purpose, to try to block the account...

Try accessing different PCs and servers with the problem account...
and on the DC, when logged in with the new admin account, try opening different admin utilities using the secondary sign-in and the old account
(Shift + right-click the icon > Run as...)
That way you will be able to see to what extent the account has been blocked....

-> You can also check the old account, see which groups it belongs to, and add the new user to the same groups; then at least you have an equivalent to be going on with...

Sounds more like malicious than buggy behaviour!

let us know the results you have...
 
Ok, we located the problem. The old admin modified the local security policy specifically limiting the DC so that only DOMAIN USERS group can access via the network.

The problem occurred when I took my domain admin account out from DOMAIN USERS.

I took my account out of DOMAIN USERS, so that I could lock down my computer so that only a DOMAIN ADMIN could log into my workstation (using MMC, Local Group Policy).

I cannot tell if it was accidental, or intentional. I have checked the other domain controllers, and their Security Policy allows the typical defaults to access from the network.

My next question is, what is a best practice to keep a server secure from groups not authorized to connect over the network to a server.

Is it okay to have DOMAIN USERS and DOMAIN ADMINS as the only allowed groups/users to access via network?

What are the potential pitfalls (SQL, WEB, etc)?
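The post above ends with the actual cause: the "Access this computer from the network" user right on that one DC had been cut down to Domain Users, and the poster's account had been removed from Domain Users. The following script is an added example, not code from the thread; it reproduces that diagnosis on a server you can reach. It exports the effective local security policy with secedit, lists who holds SeNetworkLogonRight and the overriding SeDenyNetworkLogonRight, and then checks whether a named domain account is covered through its transitive group membership (tokenGroups, which includes the primary group Domain Users even though memberOf does not). Assumptions: run from an elevated prompt on the domain-joined server being audited; the account name airbourne is taken from the thread's username and assumed to be the sAMAccountName; the temp file path is arbitrary.

```powershell
# Added example (not from the original thread). Audits the
# "Access this computer from the network" right on this server and tests
# whether one domain account is granted or denied by it.
# Assumes: elevated prompt, domain-joined machine, $Sam = sAMAccountName to test.
param([string]$Sam = 'airbourne')   # username from the thread; assumed sAMAccountName

$cfg = Join-Path $env:TEMP 'user-rights.inf'   # arbitrary scratch path
# Exports the effective policy (local settings merged with applied GPOs).
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Each right is one INF line, e.g.  SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
function Get-RightHolders([string]$Right) {
    $line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" }
    if (-not $line) { return @() }          # right not present => nobody holds it
    (($line -split '=', 2)[1].Trim() -split ',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # SID form: keep the SID for comparison, translate to a name for display
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $sid.Value }    # unresolvable (deleted account, foreign SID)
            [pscustomobject]@{ Sid = $sid; Name = $name }
        } else {
            # Name form (secedit writes some principals, e.g. service SIDs, by name)
            try   { $sid = (New-Object System.Security.Principal.NTAccount($entry)).Translate(
                               [System.Security.Principal.SecurityIdentifier]) }
            catch { $sid = $null }
            [pscustomobject]@{ Sid = $sid; Name = $entry }
        }
    }
}

# Transitive group SIDs of the account from the constructed tokenGroups attribute.
# tokenGroups is only returned on a read of the object itself, not by a search,
# hence the RefreshCache call on the DirectoryEntry.
function Get-TokenGroupSids([string]$SamAccountName) {
    $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "Account '$SamAccountName' not found in the domain" }
    $user = $result.GetDirectoryEntry()
    $user.RefreshCache([string[]]@('tokenGroups'))
    $sids = @(New-Object System.Security.Principal.SecurityIdentifier($user.Properties['objectSid'][0], 0))
    foreach ($raw in $user.Properties['tokenGroups']) {
        $sids += New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
    }
    # Well-known SIDs any authenticated domain logon carries; added explicitly so
    # the common defaults ("Everyone", "Authenticated Users") are matched.
    $sids += [System.Security.Principal.SecurityIdentifier]'S-1-1-0'    # Everyone
    $sids += [System.Security.Principal.SecurityIdentifier]'S-1-5-11'   # Authenticated Users
    $sids
}

$allow = @(Get-RightHolders 'SeNetworkLogonRight')
$deny  = @(Get-RightHolders 'SeDenyNetworkLogonRight')
$mine  = @(Get-TokenGroupSids $Sam | ForEach-Object { $_.Value })

"SeNetworkLogonRight on $env:COMPUTERNAME is granted to:"
$allow | ForEach-Object { "  $($_.Name)" }

$matchedAllow = $allow | Where-Object { $_.Sid -and ($mine -contains $_.Sid.Value) }
$matchedDeny  = $deny  | Where-Object { $_.Sid -and ($mine -contains $_.Sid.Value) }

if ($matchedDeny) {
    "$Sam is DENIED network logon via: $($matchedDeny.Name -join ', ') (deny overrides allow)"
} elseif ($matchedAllow) {
    "$Sam can reach this server over the network via: $($matchedAllow.Name -join ', ')"
} else {
    "$Sam matches no SeNetworkLogonRight entry here: expect ACCESS DENIED over the network"
}
```

If the third branch fires, the fix is the one the thread found: either put the account back into a group that is listed, or restore the right to its usual DC defaults (on a stock Default Domain Controllers Policy that list includes Administrators and Authenticated Users, which is why Domain Admins normally never notice it). The deny branch matters because the first reply's suspicion, an explicit block on one account, would show up there rather than in the allow list. To find out which GPO is setting the value, `gpresult /h report.html` on the server shows the winning policy for each user right.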
 
Is it okay to have DOMAIN USERS and DOMAIN ADMINS as the only allowed groups/users to access via network? Yes.

For the servers: you can block with local or GPO policy, so that only admins can open a session.

As for over the network: share and NTFS rights on shared folders... (but don't touch SYSVOL or NETLOGON...)

Take a look in the GPOs; you can do a lot of mischief ;)

I recommend GPMC on an XP client with SP1 and .NET 1.1...
 
Here is maybe another option. After Service Pack 4 for NT4, I believe, a domain group called Authenticated Users became available. This security group includes Domain Users, Domain Admins, etc. When we create a share we add Authenticated Users and remove "Everyone". If we need to control the access, we add specific accounts to the security and remove "Everyone" from security.
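The two replies above describe the share-level approach: keep the network logon right alone and instead grant Authenticated Users (or a specific group) on the share and the NTFS ACL, never Everyone. The script below is an added example, not code from the thread, showing that setup on a current Windows Server. It breaks NTFS inheritance so an Everyone entry from the parent folder cannot reappear, removes any explicit Everyone ACEs, grants Authenticated Users Modify, and creates the share with Authenticated Users only. Assumptions: Windows Server 2012 or later (SmbShare module) and an elevated prompt; the folder path and share name are made up for the example.

```powershell
# Added example (not from the original thread): share + NTFS permissions that
# grant Authenticated Users and never Everyone, as the last reply recommends.
# Assumes Windows Server 2012+ (SmbShare cmdlets) and an elevated prompt.
$Path  = 'D:\Shares\Projects'   # hypothetical folder
$Share = 'Projects'             # hypothetical share name

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# --- NTFS, step 1: stop inheriting from the parent, keeping a copy of the
# inherited ACEs as explicit ones (so they can be edited in step 2).
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Path -AclObject $acl

# --- NTFS, step 2: re-read the ACL (the copied ACEs are now explicit), remove
# every Everyone entry, then grant Authenticated Users Modify on files and subfolders.
$acl = Get-Acl -Path $Path
foreach ($ace in @($acl.Access | Where-Object { $_.IdentityReference.Value -eq 'Everyone' })) {
    $acl.RemoveAccessRule($ace) | Out-Null
}
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\Authenticated Users',
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# --- Share: naming an access parameter means Everyone is not added by default.
New-SmbShare -Name $Share -Path $Path -ChangeAccess 'NT AUTHORITY\Authenticated Users' | Out-Null
# For a pre-existing share that still carries the default "Everyone / Read" entry:
Revoke-SmbShareAccess -Name $Share -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue | Out-Null

# --- Verify both layers; effective access is the more restrictive of the two.
Get-SmbShareAccess -Name $Share | Format-Table AccountName, AccessControlType, AccessRight
(Get-Acl -Path $Path).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType
```

Authenticated Users covers every account that can authenticate to the domain, including computer accounts and users from trusted domains, so it answers the "keep Everyone off the share" point but is not a least-privilege group; for a real department share substitute a purpose-built domain security group in both places. The sequence matters: removing Everyone before the inheritance break has no effect, because inherited ACEs cannot be removed from the child, which is why the ACL is written and re-read between the two steps.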
 