Saturday, December 22, 2018

Troubleshooting With Near Zero Access

Early one morning last week I attempted to RDP into my lab to test something I was looking into at work. Access to my terminal server was fine, but from there I was unable to access any other system on my network. Every system I attempted to RDP into came back stating that my user account was not authorized for RDP access on that system. The user is a Domain Admin, so there should be no reason for that. Not long after, I noticed that the terminal server was prompting for a username and password for everything, which is out of character for my user account. And after authenticating, I got access denied errors for anything requiring elevated privileges. My first thought was that my network had been compromised.

So I used vSphere to access the console of one of my domain controllers, and my user account was still a domain admin. Everything seemed to be working as expected from the console except for RDP access to any system. Later I would discover that I did not appear to have admin rights on any system but the domain controllers. Curious.

In short, during the troubleshooting process I discovered a number of errors in my domain and fixed each of them as I came across them, but it took 2 days to find THE problem I was chasing. The actual problem boiled down to file permissions on the SYSVOL directories on each of the domain controllers. Group Policy was unable to process the GPOs: it seemed to be reading them just fine, and then reverting the settings before failing to apply them. So what essentially happened was that the local groups on each system (Administrators and Remote Desktop Users in particular) no longer contained any domain users or groups. The quick fix was to delete all the GPOs and recreate them one by one. The Group Policy Management Console found the error in the Default Domain Policy and fixed it, but the rest of the GPOs weren't so lucky.
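The three things worth checking in that order, before anything gets deleted and recreated, are whether every DC's SYSVOL is actually readable, whether the member servers' local groups still hold any domain principals, and which GPOs a given server reports as applied. The following script is an added example written for this post, not the author's own tooling. It assumes the RSAT ActiveDirectory and GroupPolicy modules are present on the machine running it, PowerShell 5.1 or later for Get-LocalGroupMember, and PowerShell Remoting to the member servers; the server names in $Servers are constructed placeholders.

```powershell
# Added example, not from the original post. Checks for the failure mode
# described above: GPOs that cannot be read from SYSVOL, local groups that
# have lost their domain members, and the per-server list of applied GPOs.
# Assumes RSAT (ActiveDirectory, GroupPolicy), PowerShell 5.1+, and PS Remoting.

Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain  = (Get-ADDomain).DNSRoot
$Servers = @('TS01', 'FS01')   # constructed sample hostnames; replace with your own

# 1. Is every GPO folder in SYSVOL readable by Authenticated Users on every DC?
#    A policy folder the client cannot read is fetched from AD, then effectively
#    reverted when the file-system half of the GPO is inaccessible.
foreach ($dc in (Get-ADDomainController -Filter *)) {
    $policies = "\\$($dc.HostName)\SYSVOL\$Domain\Policies"
    Get-ChildItem -Path $policies -Directory | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        $readAce = $acl.Access | Where-Object {
            $_.IdentityReference -like '*Authenticated Users' -and
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights.ToString() -match 'Read'
        }
        if (-not $readAce) {
            Write-Warning "$($dc.HostName): $($_.Name) has no Read ACE for Authenticated Users"
        }
    }
}

# 2. Do the member servers' local groups still contain any domain principals?
#    Empty Administrators / Remote Desktop Users groups (domain-wise) are what
#    first surfaces as 'not authorized for RDP' and access denied on elevation.
Invoke-Command -ComputerName $Servers -ScriptBlock {
    foreach ($g in 'Administrators', 'Remote Desktop Users') {
        $members = Get-LocalGroupMember -Group $g |
                   Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' }
        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            Group         = $g
            DomainMembers = ($members.Name -join ', ')
        }
    }
}

# 3. Which GPOs did one server actually apply, and which were denied or filtered?
#    Compare this list against what GPMC links to the server's OU.
gpresult /S $Servers[0] /SCOPE COMPUTER /R
```

Step 1 is the one that would have pointed straight at the root cause here: a GPO folder under SYSVOL that Authenticated Users cannot read shows up in GPMC as a permissions mismatch between the AD object and the SYSVOL folder, and step 2 shows the blast radius on the member servers without needing to RDP into any of them.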

Once the GPO settings for RDP, Windows Firewall, etc. were back in place, everything was back to normal, on a domain that was otherwise more stable for having fixed all the other little problems I came across along the way.

One thought that came to me along the way was to simply restore the DCs from the most recent backup; however, those were dated October 31, so I decided to continue troubleshooting. So how recent are your backups?


