[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 164
  • Last Modified:

Admin cannot access resources because admin stupidly set group policy

I needed to make a machine a kiosk. So I set the group policy that says "Run only allowed windows applications." Now I cannot access anything to turn that off, even when logged in as administrator. How to fix?
0
DrDamnit
Asked:
DrDamnit
  • 7
  • 6
  • 4
  • +3
1 Solution
 
adonis1976Commented:
if u are able to bring up the command line, type in

gpedit.msc

that will enable u to edit the GPO..
0
 
adonis1976Commented:
to get to ur GPO, you should be able to find the name by pulling down the menu and selecting the name u gave to the group policy..
0
 
DrDamnitAuthor Commented:
Can't bring up command line. That is restricted as well.
0
Prep for the ITIL® Foundation Certification Exam

December’s Course of the Month is now available! Enroll to learn ITIL® Foundation best practices for delivering IT services effectively and efficiently.

 
compcrazyCommented:
0
 
adonis1976Commented:
can u do a cntrl+alt+delete and bring up "new task" and type in gpedit.msc?
0
 
adonis1976Commented:
i mean go to task manager and go to file--> new task..
0
 
Nirmal SharmaSolution ArchitectCommented:
First of all where you apply Group Policy...at domain level or you have configured a non-local gpo using gpedit.msc?

Let us know.
0
 
DrDamnitAuthor Commented:
In gpedit.msc:

User Configuration > Administrative Templates > System > Run only allowed windows applications.

Added iexplore.exe

0
 
Nirmal SharmaSolution ArchitectCommented:
>>>Added iexplore.exe

You have added iexplorer.exe or explorer.exe ? Let me know. and one more thing you can do.

If screen comes upto Alt+Ctrl+del then follow the steps:  -

1. Press Alt+Ctrl+Del to bring Task Manager.
2. Type regedit.exe in New Task.
3. Navigate to the following location: -

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
in Right Pane find the key named "Shell=explorer.exe" change it to "Shell=cmd.exe" and then reboot your computer.

Let me know upto here. I will continue after your post........

Thanks
SystmProg
0
 
ckratschCommented:
Can you connect another machine to the network?  If so, from that machine, you can do Start > Run > MMC, File > Add/Remove Snapin, Add, Group Policy Object Editor.  Browse for the policy object you need to modify and reverse your changes there.

If the computer you add to the network is XP or 2003, you can use the Group Policy Management Console.
http://www.petri.co.il/download_gpmc.htm

If it's a domain GPO (not a local GPO), you can go to its properties and modify security such that Administrator (or other accounts) have Apply Group Policy > Deny permissions.  That way, the selected accounts will not apply that policy, while others will.

However, considering that this is a kiosk, you may want to have *all* accounts continue to apply that policy.  That way, if someone gets smart and manages to log in as Administrator when they shouldn't, they'll still be locked out of many things.  In this scenario, you would do all of your administration of that station from another machine.
0
 
Nirmal SharmaSolution ArchitectCommented:
That's great.
0
 
Seelan NaidooMicrosoft Systems AdminCommented:
Is the policy still applied, even if you login as a Domain Administrator?
0
 
ckratschCommented:
SystmProg - elucidate?  What's great?
0
 
DrDamnitAuthor Commented:
SystmProg:

1. Added iexplore.exe.
2. The policy is applied, even when I am logged in as administrator.
3. This computer is not setup as a domain.
4. Cannot access regedit.

ckratsch:
Unsuccessful. I cannot connect from another computer. Access is denied.
0
 
Nirmal SharmaSolution ArchitectCommented:
>>>SystmProg - elucidate?  What's great?

Was for your comment...connecting from another computer but it says "Access is Deniend" So That's bad. :-).

>>>2. The policy is applied, even when I am logged in as administrator.

There are many ways to rectify this problem. You need to replace the Group Policy folder located in \Winnt\System32\GroupPolicy folder because the security settings are set in SAM database and there is no way to set it back in this database. This database (SAM) is protected from ordinary user and even administrator. If you can replace this folder then you are the winner. To replace this folder you can boot from a Windows 98 disk and then running NTFSDOS utility from Sysinternals. The link for this software is given below. After replacing this folder boot your computer. This should work.

So before you boot from Windows 98 disk and run NTFSDOS you have one more option. As far i know and i have not tested it yet. The Local-Group Policy settings are not applied in Safe Mode or Safe Mode with Networking. Try it and let me know. If not success then use NTFSDOS or BartPE.

NTFSODS
http://www.sysinternals.com/ntw2k/freeware/ntfsdospro.shtml

BartPE
http://www.nu2.nu/pebuilder/

Thanks
SystmProg
0
 
ckratschCommented:
If you're going to go so far as offline registry editing, try this:
http://home.eunet.no/~pnordahl/ntpasswd/

Commonly used to reset local administrator password on Windows machines, also can do offline registry editing.  I haven't used it for that purpose myself, but I have used it for the password reset function.
0
 
compcrazyCommented:
Hi,

had sent you this link in my previous comment http://www.windowsitpro.com/WindowsSecurity/Article/ArticleID/20206/20206.html

did you try the options defined there.. r u getiing stuck somewhere?

regards,
0
 
DrDamnitAuthor Commented:
SystmProg:

I have a Ghost image of this drive that has the correct group policy settings, which I made using Ghost from Bart PE. So, theorhetically, I can just boot up with Bart PE, and replace the Group Policy folder on the drive with the one from the image, and everything will be OK?
0
 
Nirmal SharmaSolution ArchitectCommented:
Yes.
0
 
DrDamnitAuthor Commented:
OK, I'll try that. I won't have access to the machine until Friday, however, so I'll keep you posted.
0
 
DrDamnitAuthor Commented:
Used BartPE to replace the GroupPolicy folder from a backup image. Excellent advice!
0
 
Nirmal SharmaSolution ArchitectCommented:
Thanks!
0
 
DrDamnitAuthor Commented:
No, thanks to you! You made me "the winner!"
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

  • 7
  • 6
  • 4
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now