Windows 2003 Permissions removed from domain controler, how to fix

  • Thread starter Thread starter ThatsIT.net.au
  • Start date Start date
T

ThatsIT.net.au

I have a problem where a windows 2000 domain controller has had its hard
disk permissions changed.
By default everyone has full access to files on c drive.
Someone has changed this believing that it was a security risk. He removed
everyone permissions and gave administrators full control, and users read
and execute.

At next reboot the domain controller would not function, it gives a error I
can not remember at the moment, but to do with security and asks you to
reboot in directory restore mode. You can not log in and they have forgotten
the system restore password or it is not accepting it.

My guess is that the system can not access files it needs. What I want to do
is reset the permissions on the disk.

Is there any way to do this?
 
Hi ThatsIT.net.au,

Are you able to login using Last Known Good Config, or Safe Mode? If Last
Known Good Config does not work but you are able to get into your system
using Safe Mode, you can use one of these methods..
http://www.petri.co.il/change_recovery_console_password.htm to change you
recovery console/directory restore password.

Coraleigh Miller


"ThatsIT.net.au" <me@thatsit> wrote in message
news:1E0F348A-E0C7-4849-814B-84C3108A9987@microsoft.com...
>I have a problem where a windows 2000 domain controller has had its hard
>disk permissions changed.
> By default everyone has full access to files on c drive.
> Someone has changed this believing that it was a security risk. He removed
> everyone permissions and gave administrators full control, and users read
> and execute.
>
> At next reboot the domain controller would not function, it gives a error
> I can not remember at the moment, but to do with security and asks you to
> reboot in directory restore mode. You can not log in and they have
> forgotten the system restore password or it is not accepting it.
>
> My guess is that the system can not access files it needs. What I want to
> do is reset the permissions on the disk.
>
> Is there any way to do this?
 
"Coraleigh Miller" <CoraleighMiller@yahoo.com> wrote in message
news:%23pAtNoe3HHA.5164@TK2MSFTNGP05.phx.gbl...
> Hi ThatsIT.net.au,
>
> Are you able to login using Last Known Good Config, or Safe Mode? If Last
> Known Good Config does not work but you are able to get into your system
> using Safe Mode, you can use one of these methods..
> http://www.petri.co.il/change_recovery_console_password.htm to change you
> recovery console/directory restore password.
>


tried them all, none worked, I just finished reinstalling, I have a day of
reconfiguring ahead


> Coraleigh Miller
>
>
> "ThatsIT.net.au" <me@thatsit> wrote in message
> news:1E0F348A-E0C7-4849-814B-84C3108A9987@microsoft.com...
>>I have a problem where a windows 2000 domain controller has had its hard
>>disk permissions changed.
>> By default everyone has full access to files on c drive.
>> Someone has changed this believing that it was a security risk. He
>> removed everyone permissions and gave administrators full control, and
>> users read and execute.
>>
>> At next reboot the domain controller would not function, it gives a error
>> I can not remember at the moment, but to do with security and asks you to
>> reboot in directory restore mode. You can not log in and they have
>> forgotten the system restore password or it is not accepting it.
>>
>> My guess is that the system can not access files it needs. What I want to
>> do is reset the permissions on the disk.
>>
>> Is there any way to do this?
>
>
 
"ThatsIT.net.au" <me@thatsit> wrote in message
news:DB85D963-B47E-4C3A-ADBA-C7D46B1774AE@microsoft.com...
>
> "Coraleigh Miller" <CoraleighMiller@yahoo.com> wrote in message
> news:%23pAtNoe3HHA.5164@TK2MSFTNGP05.phx.gbl...
>> Hi ThatsIT.net.au,
>>
>> Are you able to login using Last Known Good Config, or Safe Mode? If
>> Last Known Good Config does not work but you are able to get into your
>> system using Safe Mode, you can use one of these methods..
>> http://www.petri.co.il/change_recovery_console_password.htm to change you
>> recovery console/directory restore password.
>>
>
>
> tried them all, none worked, I just finished reinstalling, I have a day of
> reconfiguring ahead
>

Now is a good time to review your backup policy.
 
"Pegasus (MVP)" <I.can@fly.com> wrote in message
news:OjKC2yr3HHA.2752@TK2MSFTNGP06.phx.gbl...
>
> "ThatsIT.net.au" <me@thatsit> wrote in message
> news:DB85D963-B47E-4C3A-ADBA-C7D46B1774AE@microsoft.com...
>>
>> "Coraleigh Miller" <CoraleighMiller@yahoo.com> wrote in message
>> news:%23pAtNoe3HHA.5164@TK2MSFTNGP05.phx.gbl...
>>> Hi ThatsIT.net.au,
>>>
>>> Are you able to login using Last Known Good Config, or Safe Mode? If
>>> Last Known Good Config does not work but you are able to get into your
>>> system using Safe Mode, you can use one of these methods..
>>> http://www.petri.co.il/change_recovery_console_password.htm to change
>>> you recovery console/directory restore password.
>>>
>>
>>
>> tried them all, none worked, I just finished reinstalling, I have a day
>> of reconfiguring ahead
>>
>
> Now is a good time to review your backup policy.

we have backups.

but we could not get into machine to restore them. could not even repair as
it would not copy files onto disk.
A staff member changed permissions on cdrive, removed everybody group, I
assume this had something to do with it
 
I have seen many networks which have succesfully removed the Everyone group
from the root without issue, however it was done carefully ensuring that any
services using Anonymous login were accounted for as well as adding the
Authenticated Users group in place of Everyone. FYI - Its not recommended
to do this on an Exchange server as it needs Anonymous login for a number of
processes. I would suggest that before one removes the everyone group from
a server, that some research be done with regards to the functional role of
the server and the possible impact of this change.

Winternals ERP Commander would have been the perfect tool for you (and
should be in everyone's toolkit) unfortunately Microsoft bought them and has
yet to release their own version yet. (I still have my copy though, Yay!
lol) If you can get a copy from someone though i can't even tell you how
much aggrevation it will save you.

http://articles.techrepublic.com.com/5100-1035-6086282.html

http://www.microsoft.com/systemcenter/winternals.mspx


Coraleigh



"ThatsIT.net.au" <me@thatsit> wrote in message
news:92A944A0-CDA9-4DFA-9B73-C423A5830C38@microsoft.com...
>
> "Pegasus (MVP)" <I.can@fly.com> wrote in message
> news:OjKC2yr3HHA.2752@TK2MSFTNGP06.phx.gbl...
>>
>> "ThatsIT.net.au" <me@thatsit> wrote in message
>> news:DB85D963-B47E-4C3A-ADBA-C7D46B1774AE@microsoft.com...
>>>
>>> "Coraleigh Miller" <CoraleighMiller@yahoo.com> wrote in message
>>> news:%23pAtNoe3HHA.5164@TK2MSFTNGP05.phx.gbl...
>>>> Hi ThatsIT.net.au,
>>>>
>>>> Are you able to login using Last Known Good Config, or Safe Mode? If
>>>> Last Known Good Config does not work but you are able to get into your
>>>> system using Safe Mode, you can use one of these methods..
>>>> http://www.petri.co.il/change_recovery_console_password.htm to change
>>>> you recovery console/directory restore password.
>>>>
>>>
>>>
>>> tried them all, none worked, I just finished reinstalling, I have a day
>>> of reconfiguring ahead
>>>
>>
>> Now is a good time to review your backup policy.
>
> we have backups.
>
> but we could not get into machine to restore them. could not even repair
> as it would not copy files onto disk.
> A staff member changed permissions on cdrive, removed everybody group, I
> assume this had something to do with it
 
"ThatsIT.net.au" <me@thatsit> wrote in message
news:92A944A0-CDA9-4DFA-9B73-C423A5830C38@microsoft.com...
>
> "Pegasus (MVP)" <I.can@fly.com> wrote in message
> news:OjKC2yr3HHA.2752@TK2MSFTNGP06.phx.gbl...
>>
>> "ThatsIT.net.au" <me@thatsit> wrote in message
>> news:DB85D963-B47E-4C3A-ADBA-C7D46B1774AE@microsoft.com...
>>>
>>> "Coraleigh Miller" <CoraleighMiller@yahoo.com> wrote in message
>>> news:%23pAtNoe3HHA.5164@TK2MSFTNGP05.phx.gbl...
>>>> Hi ThatsIT.net.au,
>>>>
>>>> Are you able to login using Last Known Good Config, or Safe Mode? If
>>>> Last Known Good Config does not work but you are able to get into your
>>>> system using Safe Mode, you can use one of these methods..
>>>> http://www.petri.co.il/change_recovery_console_password.htm to change
>>>> you recovery console/directory restore password.
>>>>
>>>
>>>
>>> tried them all, none worked, I just finished reinstalling, I have a day
>>> of reconfiguring ahead
>>>
>>
>> Now is a good time to review your backup policy.
>
> we have backups.
>
> but we could not get into machine to restore them. could not even repair
> as it would not copy files onto disk.
> A staff member changed permissions on cdrive, removed everybody group, I
> assume this had something to do with it

A backup facility is only as good as the subsequent restore
process. If you are unable to restore the System State then
I suspect that your backup was never been tested and that
its usefulness is limited. There are several third-party products
that let you restore anything, regardless of the state of your
machine, Acronis being one of them.
 
"Coraleigh Miller" <CoraleighMiller@yahoo.com> wrote in message
news:uINYXDD4HHA.948@TK2MSFTNGP06.phx.gbl...
>I have seen many networks which have succesfully removed the Everyone group
>from the root without issue, however it was done carefully ensuring that
>any services using Anonymous login were accounted for as well as adding the
>Authenticated Users group in place of Everyone. FYI - Its not recommended
>to do this on an Exchange server as it needs Anonymous login for a number
>of processes. I would suggest that before one removes the everyone group
>from a server, that some research be done with regards to the functional
>role of the server and the possible impact of this change.
>

I think what he did was remove everyone from the c drive and replaced it
with users read and administrators full.

any how could not write to disk at all, could not even reinstall leaving
file system in tact



> Winternals ERP Commander would have been the perfect tool for you (and
> should be in everyone's toolkit) unfortunately Microsoft bought them and
> has yet to release their own version yet. (I still have my copy though,
> Yay! lol) If you can get a copy from someone though i can't even tell you
> how much aggrevation it will save you.
>
> http://articles.techrepublic.com.com/5100-1035-6086282.html
>
> http://www.microsoft.com/systemcenter/winternals.mspx
>
>
> Coraleigh
>
>
>
> "ThatsIT.net.au" <me@thatsit> wrote in message
> news:92A944A0-CDA9-4DFA-9B73-C423A5830C38@microsoft.com...
>>
>> "Pegasus (MVP)" <I.can@fly.com> wrote in message
>> news:OjKC2yr3HHA.2752@TK2MSFTNGP06.phx.gbl...
>>>
>>> "ThatsIT.net.au" <me@thatsit> wrote in message
>>> news:DB85D963-B47E-4C3A-ADBA-C7D46B1774AE@microsoft.com...
>>>>
>>>> "Coraleigh Miller" <CoraleighMiller@yahoo.com> wrote in message
>>>> news:%23pAtNoe3HHA.5164@TK2MSFTNGP05.phx.gbl...
>>>>> Hi ThatsIT.net.au,
>>>>>
>>>>> Are you able to login using Last Known Good Config, or Safe Mode? If
>>>>> Last Known Good Config does not work but you are able to get into your
>>>>> system using Safe Mode, you can use one of these methods..
>>>>> http://www.petri.co.il/change_recovery_console_password.htm to change
>>>>> you recovery console/directory restore password.
>>>>>
>>>>
>>>>
>>>> tried them all, none worked, I just finished reinstalling, I have a day
>>>> of reconfiguring ahead
>>>>
>>>
>>> Now is a good time to review your backup policy.
>>
>> we have backups.
>>
>> but we could not get into machine to restore them. could not even repair
>> as it would not copy files onto disk.
>> A staff member changed permissions on cdrive, removed everybody group, I
>> assume this had something to do with it
>
>
 
"Pegasus (MVP)" <I.can@fly.com> wrote in message
news:euSmNeD4HHA.4184@TK2MSFTNGP06.phx.gbl...
>
> "ThatsIT.net.au" <me@thatsit> wrote in message
> news:92A944A0-CDA9-4DFA-9B73-C423A5830C38@microsoft.com...
>>
>> "Pegasus (MVP)" <I.can@fly.com> wrote in message
>> news:OjKC2yr3HHA.2752@TK2MSFTNGP06.phx.gbl...
>>>
>>> "ThatsIT.net.au" <me@thatsit> wrote in message
>>> news:DB85D963-B47E-4C3A-ADBA-C7D46B1774AE@microsoft.com...
>>>>
>>>> "Coraleigh Miller" <CoraleighMiller@yahoo.com> wrote in message
>>>> news:%23pAtNoe3HHA.5164@TK2MSFTNGP05.phx.gbl...
>>>>> Hi ThatsIT.net.au,
>>>>>
>>>>> Are you able to login using Last Known Good Config, or Safe Mode? If
>>>>> Last Known Good Config does not work but you are able to get into your
>>>>> system using Safe Mode, you can use one of these methods..
>>>>> http://www.petri.co.il/change_recovery_console_password.htm to change
>>>>> you recovery console/directory restore password.
>>>>>
>>>>
>>>>
>>>> tried them all, none worked, I just finished reinstalling, I have a day
>>>> of reconfiguring ahead
>>>>
>>>
>>> Now is a good time to review your backup policy.
>>
>> we have backups.
>>
>> but we could not get into machine to restore them. could not even repair
>> as it would not copy files onto disk.
>> A staff member changed permissions on cdrive, removed everybody group, I
>> assume this had something to do with it
>
> A backup facility is only as good as the subsequent restore
> process. If you are unable to restore the System State then
> I suspect that your backup was never been tested and that
> its usefulness is limited.

The system state is fine, all the backs ups are in tact

But we can not log on or copy anything to disk, not in safe mode not in
directory restore mode not in recovery mode.

in recovery mode the console will accept one character then keyboard will
not work

There are several third-party products
> that let you restore anything, regardless of the state of your
> machine, Acronis being one of them.
>
>
>
 
Back
Top