Mark Minasi's Reader Forum
 Lost Domain Admin Account Need it back!!
T O P I C    R E V I E W
JSCLMEDAVE Posted - 07/11/2006 : 6:05:36 PM
I was installing Symantec Ghost Console when it asked for a Domain Admin account to have access to the PCs in the Domain. I use a default Domain Admin account for the default logon to the servers, which run all the scheduled tasks, etc.

These accounts all had mapping setup on each server so that certain jobs could run etc.

When I selected that account, Symantec said that it was denied access blah blah blah, at which time I gave up on it, and went to lunch.

When I came back, I could not remote into anything with that account. When I looked for it in AD it had been moved to the Default Users folder and was listed as a Domain User account with NO ADMIN RIGHTS!

I tried to re-add the proper settings as well as making Domain Admins the primary group. Then I noticed that, instead of the account name listed in the local Administrators group of all of the servers, including Exchange, there was a SID listed instead of the name; the SID did not match the SID on the remaining account...

Now all of my scheduled tasks are failing, MAPI quit running on my SQL box, and when I log into a server the mapping settings that were needed are gone! The old local accounts are still there, however.

So, I have this laptop with a VMDC on it that was taken offline yesterday afternoon. I am thinking about taking the network down and bringing it up on its own. Then making some new user accounts and changing the description of the needed Domain Admin account, just enough to have the latest change to it. Then bring one of the DCs back, then if it works, the other.

I tried ADrecover, but after it said that it had enumerated the account, it was still not found.

Thoughts????
13   L A T E S T    R E P L I E S    (Newest First)
JSCLMEDAVE Posted - 07/25/2006 : 09:06:28 AM
Good Point!!

I was trying to run this which resulted in an error -

C:\>dsquery user -name ltimb -attr *
dsquery failed:`-attr' is an unknown parameter.


Answer -

"You can't use the -attr switch with dsquery USER. The list of attributes for the dsquery USER command is rather limited. That is why I always use dsquery *."

Pieter
JSCLMEDAVE Posted - 07/25/2006 : 08:59:16 AM
quote:
Originally posted by Pieter

quote:
So when using ADRestore, the account comes back but it is disabled. So all you have to do is enable it? How can I go about checking its SID prior to deleting it, and again after the restore?

Adrestore only restores a limited set of attributes. All the other attributes (like group membership, okay back link of group attribute but you get the picture) have to be recreated.

You can test it like this :
1. dsquery * -filter name=USERNAME -attr * > before_delete.txt (-> it will show all the attributes (-attr *) of the given USERNAME)
example : dsquery * -filter name="Demeulemeester, Pieter" -attr *

2. delete USERNAME

3. restore object with adrestore

4. dsquery * -filter name=USERNAME -attr * > after_delete.txt

5. compare the output from step 1 and 4.

If you only want to see some attributes it goes like this :
dsquery * -filter name=USERNAME -attr LIST_OF_ATTRIBUTES
example : dsquery * -filter name="Demeulemeester, Pieter" -attr name samaccountname objectSID

Worked great! Thank You!!

Created a test domain admin account Test Guy.

Added appropriate groups, then ran -

dsquery * -filter name="Test Guy" -attr name samaccountname objectSID > Before_Delete.txt

Which resulted in -

name samaccountname objectSID
Test Guy testguy ?ÿ1-5-21-2123784817-1010186119-313593124-4486

I deleted the account and ran adrestore -

C:\>adrestore "Test Guy"

cn: Test Guy
DEL:2e426983-48fb-4833-a3fe-6ed700be41b1
distinguishedName: CN=Test Guy\0ADEL:2e426983-48fb-4833-a3fe-6ed700be41b1,CN=Deleted Objects,DC=asmb,DC=armedicalboard,DC=org
lastKnownParent: OU=ASMB_Users,DC=asmb,DC=armedicalboard,DC=org

C:\>adrestore -r "Test Guy"

cn: Test Guy
DEL:2e426983-48fb-4833-a3fe-6ed700be41b1
distinguishedName: CN=Test Guy\0ADEL:2e426983-48fb-4833-a3fe-6ed700be41b1,CN=Deleted Objects,DC=asmb,DC=armedicalboard,DC=org
lastKnownParent: OU=ASMB_Users,DC=asmb,DC=armedicalboard,DC=org

Do you want to restore this object (y/n)? y

Restore succeeded.

Found 1 item matching search criteria.


I then reset the password and re-enabled the account. The Groups had to be re-added, but the SID was the same.


Thanks Again Pieter!!
JSCLMEDAVE Posted - 07/14/2006 : 11:56:17 AM
It was my existing Domain Admin account that I use to work on all of the servers...
arek73 Posted - 07/13/2006 : 03:58:35 AM
I know it's post mortem, but... when you installed Ghost Console, did you point to an existing admin account, or did you let Symantec create its own account? I recall messing up my own PC about 2 years ago in a similar way. I pointed Symantec Ghost to my existing admin account. When I uninstalled the software, I could no longer log in with admin privileges, as the admin account was gone. All I was receiving was the infamous "your account does not have permissions to login interactively".

In any case, except for Ghost (with a dose of caution, of course), I try to stay away from their products. Continuous excuses from their account manager about why they can't fix the obvious problems with their software make me sick. I wish I could become CTO of the company just for 15 minutes, to cancel the deal with them.

* edited spelling
Pieter Posted - 07/13/2006 : 02:46:14 AM
quote:
So when using ADRestore, the account comes back but it is disabled. So all you have to do is enable it? How can I go about checking its SID prior to deleting it, and again after the restore?

Adrestore only restores a limited set of attributes. All the other attributes (like group membership, okay back link of group attribute but you get the picture) have to be recreated.

You can test it like this :
1. dsquery * -filter name=USERNAME -attr * > before_delete.txt (-> it will show all the attributes (-attr *) of the given USERNAME)
example : dsquery * -filter name="Demeulemeester, Pieter" -attr *

2. delete USERNAME

3. restore object with adrestore

4. dsquery * -filter name=USERNAME -attr * > after_delete.txt

5. compare the output from step 1 and 4.

If you only want to see some attributes it goes like this :
dsquery * -filter name=USERNAME -attr LIST_OF_ATTRIBUTES
example : dsquery * -filter name="Demeulemeester, Pieter" -attr name samaccountname objectSID
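The same before/delete/restore/compare test, as an added example that is not part of Pieter's post or of the Sysinternals tool, written for the ActiveDirectory PowerShell module (RSAT or Windows Server 2008 R2 and later, which postdates this thread). It also covers the result JSCLMEDAVE reports above: the SID survives, the group memberships do not. Assumptions: the module is available, the account is a throwaway test user such as the thread's "Test Guy", and the AD Recycle Bin is not enabled, so Restore-ADObject performs the same tombstone reanimation adrestore does and brings back only the attributes preserved on the tombstone.

```powershell
# Added example (not from the thread). Snapshot a test user, delete it, reanimate the
# tombstone, and diff the result. Assumes the ActiveDirectory module and a throwaway
# account; run once without -DoDelete to check the "before" snapshot first.
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)] [string] $SamAccountName,
    [switch] $DoDelete   # without this switch the script only writes the "before" snapshot
)
Import-Module ActiveDirectory

# Attributes worth comparing: identity (objectSid), enabled state, and group membership.
$props = 'objectSid', 'sAMAccountName', 'userAccountControl', 'memberOf', 'primaryGroupID', 'description'

function Get-UserSnapshot {
    param([string] $Sam)
    $u = Get-ADUser -Identity $Sam -Properties $props
    [pscustomobject]@{
        Sid        = $u.objectSid.Value
        Sam        = $u.sAMAccountName
        Enabled    = $u.Enabled
        UAC        = $u.userAccountControl
        PrimaryGid = $u.primaryGroupID
        Groups     = @($u.memberOf | Sort-Object)
        Desc       = $u.description
    }
}

$before = Get-UserSnapshot -Sam $SamAccountName
$before | ConvertTo-Json | Set-Content -Path "before_delete_$SamAccountName.json"
Write-Host ("Before: SID {0}, enabled={1}, {2} group(s)" -f $before.Sid, $before.Enabled, $before.Groups.Count)

if (-not $DoDelete) { return }

Remove-ADUser -Identity $SamAccountName -Confirm:$false

# Locate the tombstone. Its CN now carries the "\0ADEL:<guid>" suffix that adrestore prints,
# so search by the preserved sAMAccountName and the isDeleted flag rather than by name.
$tomb = Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent `
    -Filter { sAMAccountName -eq $SamAccountName -and isDeleted -eq $true }
if (-not $tomb) { throw "No tombstone found for $SamAccountName" }
Write-Host ("Tombstone: {0} (lastKnownParent {1})" -f $tomb.DistinguishedName, $tomb.lastKnownParent)

# Reanimate it. Without the AD Recycle Bin only the attributes kept on the tombstone come
# back; objectSid is one of them, memberOf and the password are not.
Restore-ADObject -Identity $tomb.ObjectGUID

$after = Get-UserSnapshot -Sam $SamAccountName
$after | ConvertTo-Json | Set-Content -Path "after_restore_$SamAccountName.json"

if ($after.Sid -eq $before.Sid) {
    Write-Host "SID preserved: $($after.Sid)"
} else {
    Write-Warning "SID changed from $($before.Sid) to $($after.Sid): ACLs and local Administrators entries will no longer resolve"
}
if (-not $after.Enabled) {
    Write-Host "Account came back disabled; reset the password, then Set-ADUser -Identity $SamAccountName -Enabled `$true"
}

# Group memberships that were on the original object but are missing after the restore.
$lost = @($before.Groups | Where-Object { $after.Groups -notcontains $_ })
foreach ($g in $lost) {
    Write-Host "Group membership to re-add: $g"
    # Uncomment to put the memberships back automatically:
    # Add-ADGroupMember -Identity $g -Members $SamAccountName
}
```

The two JSON files play the role of Pieter's before_delete.txt and after_delete.txt; keeping them lets you diff the full attribute set later, not only the fields the script prints. The re-add line is left commented on purpose: re-adding a Domain Admins membership is the step you want a human to confirm.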

clarinathan Posted - 07/12/2006 : 3:20:25 PM
Well done Tim,
Glad you got it back up..... and saw the light regarding Symantec!
JSCLMEDAVE Posted - 07/12/2006 : 1:43:06 PM

[screenshot of the Symantec Ghost Console account dialog, not reproduced]

This is the window that deleted, or changed, my Admin Account. I now have the network back up and running, everything fixed.

I changed the info in this screen shot BTW.

I demo'ed ADRestore for my boss, using a dummy Admin account, where I deleted it, then tried to restore it. This time it worked, which leads me to believe that it was not actually deleted at all, but had its name changed.

So when using ADRestore, the account comes back but it is disabled. So all you have to do is enable it? How can I go about checking its SID prior to deleting it, and again after the restore?

I am extremely upset that this product would make ANY changes to the AD... It could have at least prompted me with a warning that the account existed if a new one was needed or something...

We have rid ourselves of all Symantec products, they will never be used here again...
JSCLMEDAVE Posted - 07/12/2006 : 09:00:04 AM
That only brought up the Administrator account. Not any of the Domain Admin accounts.

The mapping of the drives appeared to have worked; however, several in-house apps, written in VB6, which we do not have loaded anywhere, are not running correctly and I have no idea why. I changed the tasks to run under another existing Admin account but no luck. The VB6 app is supposed to create XML files and I am getting Snap Shot errors instead.

I still have the VMDC image from 12:30 pm on the 10th which I restored back to the laptop. Is there something that I can change on the still existing Admin account there, that will make it replicate to the other DCs?
Pieter Posted - 07/12/2006 : 08:38:47 AM
Could it be that your Administrator isn't gone but just renamed?

Use the following to show all users who have "-500" in their SID number.
C:\>dsquery * -attr name objectSID -limit 0 | find "-500"
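The same RID-500 check done with the ActiveDirectory PowerShell module, as an added example that is not part of Pieter's post. It resolves the well-known accounts by their full SID rather than by the "-500" substring (which would also match any SID that merely contains -500, such as RID 5000), and it then lists who currently sits in Domain Admins, which is the part of the question that the dsquery one-liner above does not answer. Assumptions: the ActiveDirectory module is available and the caller has read access to the domain; the RID table is the standard well-known set.

```powershell
# Added example (not from the thread). Find the built-in accounts by well-known RID, so a
# renamed Administrator is still found, then list the current Domain Admins with SIDs.
# Assumes the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value
$wellKnown = @{ 500 = 'Administrator'; 501 = 'Guest'; 502 = 'krbtgt' }   # standard well-known RIDs

foreach ($rid in ($wellKnown.Keys | Sort-Object)) {
    $sid = "$domainSid-$rid"
    try {
        # Get-ADUser accepts a SID string as -Identity, so the lookup ignores the name entirely.
        $u = Get-ADUser -Identity $sid -Properties whenChanged
        $note = if ($u.SamAccountName -ne $wellKnown[$rid]) { "(renamed from $($wellKnown[$rid]))" } else { '' }
        Write-Host ("RID {0}: {1} enabled={2} changed={3} {4}" -f $rid, $u.SamAccountName, $u.Enabled, $u.whenChanged, $note)
    } catch {
        Write-Warning "RID $rid not found as a user object: $($_.Exception.Message)"
    }
}

# The other half of the question: which user accounts currently hold Domain Admins
# (RID 512), resolved through nested groups, with the SID that ACLs and the local
# Administrators groups on member servers actually record.
Get-ADGroupMember -Identity "$domainSid-512" -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties whenChanged } |
    Select-Object SamAccountName, Enabled, whenChanged, @{ n = 'SID'; e = { $_.SID.Value } } |
    Sort-Object SamAccountName |
    Format-Table -AutoSize
```

If the account you are missing is absent from the Domain Admins listing but its SID still appears in a server's local Administrators group, the object was deleted or re-created rather than renamed, and the restore procedure in Pieter's other reply is the right path; a renamed account shows up in the listing under its new name with the old SID.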

JSCLMEDAVE Posted - 07/12/2006 : 08:24:46 AM
Pieter

I used adrestore -r ACCOUNTNAME and selected "Y". It said it was enumerated but I could not find it anywhere in AD, even with a search. What am I missing here?

I do not have a current system state backup which I thought you had to have for ntds which is why I didn't bother to mention.

When I brought the laptop up, without any other DC in the network, I made two new admin accounts and made several changes to the Admin account, which still existed in the laptop VMDC, from description to phone numbers, etc. When I brought the other DCs back online the new admin accounts were replicated, but the Admin account that I needed was deleted off of the laptop VMDC. I thought that since I made the latest changes there, it would replicate down instead of getting deleted.

I am headed back to work now. Last night I realized that if I created a new account with the same credential and name from before, logged into the server, then logged out and back in with another Admin account and copied the original profile to the most recent one that was created I was able to regain the mapping of drives on each server.

I know this is not the best method for this type of incident, but I never have done anything this idiotic before.

I will, however, start testing with a dummy Admin account so that I know what to do in the future in the event that an Admin account, or user account, accidentally gets deleted.

I loathe Symantec... I mean, if you attempt to change the properties of the name in AD it will prompt you that you will have to reboot, etc. With Symantec, NO WARNING whatsoever... Had I known it was a gun I would have assumed it was loaded...
clarinathan Posted - 07/12/2006 : 04:44:23 AM
I think Pieter has the correct idea. Looks like you will need to restore that account.
Cheers
Nathan

PS Stay away from symantec!
Pieter Posted - 07/12/2006 : 02:08:56 AM
Maybe an authoritative restore (restore ntds.dit + ntdsutil.exe) of that user can help. Or use adrestore.exe (Sysinternals), which restores the object with only a few attributes, but the SID is one of them. You have to manually add the user to the Domain Admins group.
JSCLMEDAVE Posted - 07/11/2006 : 6:06:51 PM
Note*** There has not been any changes to accounts, users or PC, since last week. Just what happened today...

Mark Minasi's Reader Forum © 2002-2011 Mark Minasi