Re: Domain Controller Security Policy

From: Roger Abell (
Date: 08/13/05

  • Next message: Roger Abell: "Re: Granting access based on user location"
    Date: Sat, 13 Aug 2005 07:07:20 -0700

    As she has the ADRM password, if she also has backup to
    use that is fresh enough, then your best route may be to restore
    the GPO(s) on the DC OU to a point before she did the rename.
    Otherwise, I am not sure, but doubtful, whether you could in
    ADRM get at just that policy or its value (the @dm name), or
    the enable/disable attribute of the GPO link to the OU, etc.

    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    "Eric Eickhoff" <eric_at_sigma@nospam.nospam> wrote in message
    > Greetings,
    > I am stumped as to whether or not this can be resolved, but a client set
    > Rename Administrator Account setting in the Domain Controller Security
    > Policy to a name containing the '@' character.  Of course now, she can't
    > on to the domain with that account and as luck would have it -- she
    > have any other accounts with domain admin privileges and this is the only
    > domain controller.  It is a W2K3 DC.  Does anyone know if the DC Security
    > Policy can be reset -- at least the Rename Administrator Account setting
    > know -- this sounds fishy from a security standpoint and truly don't
    > an answer on that one) or is there a way to log on to the system using the
    > account name with '@' signs in it.  I had her try entering
    > DOMAIN\@ministrator in the username with no luck. I am assuming that it
    > looking at the information after the '@' sign as being the domain info and
    > that is why it is failing.  She does have the password for the Active
    > Directory Restore Mode if it helps.
    > Anyone have any insight?
