Solved

Windows Server 2000 Group Policy Lockout

Posted on 2004-10-15
Last Modified: 2013-12-04
I'm basically an idiot and was working on locking down a library's public computers this morning through group policy.

I was in a rush and was adding user groups to roll out the group policy and mistakenly applied the group policy to administrators. Now, I'm sure you can assume what happened next. (I can't undo what I did on the server because I am locked out of any programs but the ones specified in the group policy.)

Any help would be MUCH appreciated. It would be helpful if I had an answer other than reinstall, unless that is in fact the only way.
0
Question by:Fluid_Imagery
5 Comments
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12323349
Hi
Depends to what degree you've locked yourself out really - could you give more information on which policies? Some options are:
Install adminpak from the 2000 server disk on a client PC, log in with an admin account and try to use the ADUC snap-in, or try to connect to the server's registry remotely from another client. Read these, be clear, and be careful with the registry though!
Windows 2000 Microsoft Management Console and Snap-in Restrictions
http://support.microsoft.com/kb/q271135/
Administrator May Be Unable to Edit Group Policy in Windows 2000 Domain
http://support.microsoft.com/kb/q263166/

Deb :))
0
 

Author Comment

by:Fluid_Imagery
ID: 12324132
Well... They're locked down enough that I would not be able to run regedit :( Basically every possible user intervention has been blocked. No access to drives, can't install from optical drive, can only run specified programs (IE, Word, Excel, PowerPoint, Publisher). I can get into specifics if you'd like but I think you get the idea.

I do however have ERD system commander so I could boot into a pseudo windows with that to access registry editor. I wouldn't think I'd have any restrictions there...

Thanks for the help, much appreciated
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12324167
Oh man - Admin total lockdown (Almost) ! I have nightmares about that kind of thing.  My thoughts will be with you and I hope I've helped - good luck with ERD,

Deb :))
0
 

Author Comment

by:Fluid_Imagery
ID: 12324192
LOL... thanks, do you think the stuff you gave me will do it?
0
 
LVL 20

Accepted Solution

by:
Debsyl99 earned 2000 total points
ID: 12324301
IF you can get into the registry it's your best shot I think. Group policy affects mostly registry based settings, if you can turn them off you should be able to get in. Other than that you're maybe looking at trying an Authoritative Restore of AD from the links below, but you'll need a good backup. Depends on how many DCs etc. you have as to what problems you may face. Have a good google for it, as there are many things to take into account depending on your environment. If you ARE faced with this, it's still better than a total rebuild (shudders at the thought - sorry it's not funny I know, just trying to lighten you up - but it won't kill you, the sun will still shine (unless you live in England where the rain will still rain), birds will sing and users invariably get over it - truly!).

How to perform an authoritative restore to a domain controller in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;241594&sd=tech
7643 » After performing an authoritative restore of Active Directory, some attributes come back?
http://www.jsiinc.com/SUBP/tip7600/rh7643.htm
4409 » An authoritative restore of groups can result in inconsistent membership information across domain controllers?
http://www.jsiinc.com/SUBI/tip4400/rh4409.htm
Securing Windows 2000 Active Directory (Part 4) - Restoration
http://www.windowsecurity.com/articles/Securing_Windows_2000_Active_Directory_Part_4__Restoration.html

Good luck,

Deb :))
0
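The accepted answer's point that Group Policy restrictions are mostly registry values, as an added example that is not part of the thread: a Python script that reads a `.reg` export of a user's `Policies` keys (for instance from a hive opened offline) and lists the restrictions the asker describes. The value names are standard Windows policy values; the hive mount name `Offline` and the sample export are constructed.

```python
import re

KNOWN = {  # standard Windows policy value names; descriptions are this example's own
    "disableregistrytools": "registry editing tools blocked",
    "restrictrun": "only allow-listed programs may run",
    "nodrives": "drives hidden",
    "noviewondrive": "drive access blocked",
}
POLICY_ROOT = r"\software\microsoft\windows\currentversion\policies"

def drives_from_mask(mask):  # bit 0 is A:, bit 25 is Z:
    return "".join(chr(ord("A") + i) for i in range(26) if mask >> i & 1)

def audit_reg_export(text):
    """Return (key, value name, data, meaning) for each active restriction."""
    findings, key = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # section header: current registry key
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not m or key is None or POLICY_ROOT not in key.lower():
            continue
        name, data = m.group(1), m.group(2)
        if key.lower().endswith(r"\explorer\restrictrun"):
            findings.append((key, name, data.strip('"'), "allow-listed program"))
            continue
        dword = re.match(r"dword:([0-9a-fA-F]{8})$", data)
        value = int(dword.group(1), 16) if dword else 0
        meaning = KNOWN.get(name.lower())
        if meaning and value:  # a zero or absent value means "not restricted"
            if name.lower() in ("nodrives", "noviewondrive"):
                meaning += ": " + drives_from_mask(value)
            findings.append((key, name, value, meaning))
    return findings

# Constructed sample export; "Offline" is a hypothetical hive mount name.
SAMPLE = r'''REGEDIT4
[HKEY_USERS\Offline\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"RestrictRun"=dword:00000001
"NoDrives"=dword:03ffffff
"NoViewOnDrive"=dword:0000000c
[HKEY_USERS\Offline\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"1"="iexplore.exe"
"2"="winword.exe"
[HKEY_USERS\Offline\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''
print(*audit_reg_export(SAMPLE), sep="\n")
```

Registry-based policy values are written again at the next policy refresh while the GPO still applies to the account, so the GPO's scope has to be corrected once access is regained.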
