URGENT group policy changes have my system unmanageable

Posted on 2006-05-03
Last Modified: 2008-02-20
Please help, I'm getting desperate!

I made some group policy changes last night to the server (Win2003 SBS) and accidentally denied the administrator account access to any administrative functions, including the gpedit.msc function. Now I can't access Active Directory or anything.

I restored systemstate from the day before, but still have the same group policy in effect for some reason.

This is affecting the entire office and I'm at a loss for what to do next. Please help!

Thanks a lot,

Question by:jkowan11
    LVL 8

    Expert Comment

    What policy setting did you apply and where did you apply it to? If you have any other accounts in the domain admins group they might work still.

    Author Comment

    Thanks for the response

    Actually the server is brand new, so the only administrator account is the actual administrator account I used to edit group policies from the gpedit.msc function. I thought I was editing policies just for user accounts, not for administrator or the server, but apparently I was wrong. Now I can't get back into anything, as I set up a pretty tight security policy.

    Any idea why the system state restore didn't fix that?

    LVL 8

    Expert Comment

    What is happening when you launch AD users and computers?  Can you add a user account from the command prompt?  If you use AD users and computers from a Workstation can you access AD?

    Author Comment

    When I launch it from the server I get told that snapin is restricted due to policy settings. Ask your administrator.

    I can get into gpedit.msc on client machines.

    How do I add a user from the command prompt? And how do I get AD from workstations?

    Thanks a lot!
    LVL 5

    Assisted Solution

    If you install the Windows 2003 administrators pack you can access most of the Admin functions from a workstation.

    You use group policy to edit permissions on workstations, not gpedit.msc. GPedit.msc is only for local permissions.

    Have a read of this, might help, not sure though, looks more like XP

    Good Luck

    LVL 8

    Accepted Solution

    Install the Administration tools from the Windows Server CD.  This is not the recommended way to manage an SBS2003 server.  However in this instance it may let you reverse the policies, depending on how access is denied.

    provides details on adding a user from the command prompt.  However depending on where the policy is applied a new user may not get around this.

    Can you let us know what errors are appearing, and which policy/settings you edited?
    LVL 74

    Assisted Solution

    by:Jeffrey Kane - TechSoEasy
    The reason that system state restore doesn't fix that is because the Group Policies are not stored in the System State... they are files which are stored in the Windows File structure.  And there's a bit of bad news to go along with that... they can't be restored from NT Backup because they are in the SYSVOL.

    So... have you not created any other users yet?  And can you not create any additional users due to this problem?

    If you can't create any other users, you probably won't be able to fix this without either reinstalling or creating a new Administrative user with a PreWindows Boot CD.  I've done this before with UBCD4WIN and it works quite well.  

    Go to and follow the instructions to create a BOOT CD.  Then you can run PasswordRestore to create a new Admin user.

    To be honest, this will take just about as long as reinstalling from scratch... and could leave you with small permissions issues that would trouble you later on.  Personally, I'd reinstall.


    Author Comment

    Thanks a lot for the help guys!

    It appears I'm pretty much screwed.

    I tried adding a "test" user from the cmd prompt and got this error:

    C:\Documents and Settings\Administrator>dsadd user "CN=Test,CN=Administrators,CN
    =Domain Admins"
    dsadd failed:CN=Test,CN=Administrators,CN=Domain Admins:No superior reference ha
    s been configured for the directory service. The directory service is therefore
    unable to issue referrals to objects outside this forest.
    type dsadd /? for help.
    C:\Documents and Settings\Administrator>

    I was hoping not to have to go onsite since it's a three hour drive, but I guess I'm out of options unless anyone knows why I can't use the cmd prompt to do this? If I could add an administrator account from the cmd prompt, or enable an account I know is administrator but is disabled, I could save 50 bucks in gas and a waste of a beautiful day or two...

    Thanks a lot guys!
    LVL 8

    Expert Comment

    The syntax should be like this

    dsadd user "CN=Test,CN=Users,DC=DomainName,DC=com"

    Where the Active Directory domain name is

    The issue with adding another user into the Users OU is that the user will then most likely have the group policy applied to them.
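
Why the dsadd call quoted earlier in the thread returned "No superior reference" while the DC=-suffixed form is accepted, as an added example that is not part of the original posts: a small distinguished-name checker. The domain example.local and the GROUP_NAMES list are constructed assumptions; a group is not a container, so membership is set on the group object rather than through the new user's DN.

```python
# Added example: diagnose why dsadd rejects a distinguished name (DN).
# Assumptions (not from the thread): domain "example.local"; GROUP_NAMES is a
# constructed list; multi-valued (+) and quoted RDN values are not handled.
DOMAIN_NC = "DC=example,DC=local"
GROUP_NAMES = {"administrators", "domain admins"}

def split_dn(dn):
    """Split a DN into (ATTR, value) pairs, keeping backslash-escaped commas."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not (sep and attr.strip() and value.strip()):
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def diagnose(dn, naming_context=DOMAIN_NC):
    """Return the reasons a DN cannot name a new user in this domain."""
    fold = lambda pairs: [(a, v.lower()) for a, v in pairs]
    rdns, nc = fold(split_dn(dn)), fold(split_dn(naming_context))
    problems = []
    if not any(a == "DC" for a, _ in rdns):
        problems.append("no DC= suffix: outside every naming context, referral needed")
    elif rdns[-len(nc):] != nc:
        problems.append("DC= suffix is not this domain's naming context")
    # Every RDN after the object's own name is part of its parent path.
    for attr, value in rdns[1:]:
        if attr == "CN" and value in GROUP_NAMES:
            problems.append(f"parent '{value}' is a group, not a container")
    return problems

if __name__ == "__main__":
    for dn in ("CN=Test,CN=Administrators,CN=Domain Admins",  # DN from the thread
               "CN=Test,CN=Users,DC=example,DC=local"):       # constructed, corrected
        print(dn, "->", diagnose(dn) or "OK")
```
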

    Author Comment

    Ah I see, so how would I add a user to the Administrators group? Is that possible?

    Author Comment

    Update: I managed to enable another administrator account that had been disabled previously; however, it's still got the same messed up group policy as the original administrator account. Looks like I'm making the drive =(
