Domain Admin Locked Out of AD

By Your Mom 2.0
Something really goofy happened, and I can't pinpoint exactly what it was.

Last week I was tightening security on my AD domain. Today I tried to access "Active Directory Users and Computers" and received an error saying the snap-in has been disabled by Group Policy. It looks like I changed a GPO that caused the domain admin account to be locked out of Active Directory.

Does anyone know how I can fix this?

by lowlands In reply to Domain Admin Locked Out o ...

Try to run a tool like gpresult, or rsop.msc and find what GPOs are being applied for this user. That might make it easier to narrow it down.
You might be able to make changes to the GPO.

If not, you might have to use secedit to change one of the following .inf files;

by Your Mom 2.0 In reply to Domain Admin Locked Out o ...

I found a way to do what needed to be done:

Quoting the page linked to above:

> If the scheduler service is running on your PC (or if you can start it) you can submit the registry editor to start via the scheduler and it will then be started under the system context. For example
>
> C> at <1 minute in the future> /interactive regedt32.exe
>
> One minute from submission regedt32.exe will be started giving you full access to the registry.
>
> Cool!

It seemed to me if it worked for regedt32.exe it would also work for Active Directory as long as I specified the correct file name:

C>at 11:55 /interactive dsa.msc

It worked! Now I can edit GPOs and hopefully fix the underlying issues that caused the problems in the first place.

It was almost worth having the problem as I learned something really useful in the process of solving it.
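Added example, not part of the original thread or of any poster's message: since an `at ... /interactive` job runs under the system context and so bypasses the per-user policy, this is a small detection pass that flags such submissions in process-creation command lines. The record shape (`user`, `cmdline`), the function names and the sample records are assumptions constructed for illustration.

```python
import re
import shlex

# First token is at / at.exe, with or without a path (does not match e.g. "cat").
AT_IMAGE = re.compile(r'(?:^|[\\/])at(?:\.exe)?$', re.IGNORECASE)

def parse_at_job(cmdline):
    """Return {'target','time','command'} for an `at ... /interactive` job, else None."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # keeps backslashes intact
    except ValueError:                              # unbalanced quotes
        tokens = cmdline.split()
    if not tokens or not AT_IMAGE.search(tokens[0].strip('"')):
        return None
    args = tokens[1:]
    target = None
    if args and args[0].startswith('\\\\'):         # optional \\computername
        target, args = args[0], args[1:]
    if not args:
        return None                                 # bare `at` only lists jobs
    when, rest = args[0], args[1:]
    interactive = False
    while rest and rest[0].startswith('/'):         # switches precede the command
        interactive = interactive or rest[0].lower() == '/interactive'
        rest = rest[1:]
    if not interactive or not rest:
        return None
    return {'target': target, 'time': when, 'command': ' '.join(rest).strip('"')}

def find_interactive_at_jobs(events):
    """Collect interactive AT submissions, which run under the system context."""
    findings = []
    for ev in events:
        job = parse_at_job(ev['cmdline'])
        if job:
            findings.append({'user': ev['user'], **job})
    return findings

# Constructed sample records (not real logs).
SAMPLE_EVENTS = [
    {'user': 'CORP\\admin1', 'cmdline': r'at 11:55 /interactive dsa.msc'},
    {'user': 'CORP\\admin1', 'cmdline': r'C:\Windows\System32\at.exe 23:10 /INTERACTIVE regedt32.exe'},
    {'user': 'CORP\\svc_bkp', 'cmdline': r'at 02:00 /every:M backup.cmd'},
    {'user': 'CORP\\user7', 'cmdline': r'cat 11:55 /interactive notes.txt'},
]

if __name__ == '__main__':
    for hit in find_interactive_at_jobs(SAMPLE_EVENTS):
        print(hit)
```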

by Your Mom 2.0 In reply to Domain Admin Locked Out o ...

This question was closed by the author
