Accidentally set user policies to prevent me from making changes to computer, how can I revert

Posted on 2007-11-14
Last Modified: 2013-12-04
I was being an idiot and playing around with the user policies under MMC, I just learned how to use it and was experimenting. I thought the policies would only apply to my other accounts that do not have administrator access, but apparently it applied to my account (administrator). It's pretty funny because I disabled run, my computer, control panel, so I have no way of changing it that I know of. Any ideas?
Question by:Manzola
Expert Comment

ID: 20286144
log in to the server as administrator and domain as the computer name
and make changes from there
LVL 18

Expert Comment

ID: 20287573
Is this in a workgroup environment (no Active Directory)? If yes then you don't have the possibility to override from group policies on a server to member machines.
If so: post back and I'll have a look at other possibilities.

LVL 25

Accepted Solution

imitchie earned 200 total points
ID: 20288126
i take it your account is "administrator" level but not named "administrator"? have you tried creating a shortcut to
   1. secpol.msc. execute
   2. In the left list, choose "Local Policies", then "Security Options"
   3. Set "Accounts: Administrator account status" to Enabled.
   4. Set "User Account Control: Admin Approval Mode for the Built-in Administrator account" to Disabled.

do you know the password?
Assisted Solution

ardrac earned 200 total points
ID: 20288903
I'm presuming we are looking at a single PC here, no domain, no server.

Basically local group policies will affect all users on the machine. The trick to getting local policies to not apply when an administrator logs in is to give the administrator group deny read permissions to the file c:\windows\system32\grouppolicy\gpt.ini. So when a normal user logs in they can read this file, then policies get applied. But when an admin user logs in they can not read this file so permissions do not apply.

So basically you just need to browse to that file and set deny read access for Admins. If you can not browse to the file (because the local policy is preventing you from accessing the file system) then try doing so using safe mode. You could always use a restore point and roll back to before you created your policy if you can not find another way.

PS I have not tried any of the above on Vista but it's how to do it under XP and should be similar if not the same under Vista.
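
The permission described in the post above can be checked from an elevated PowerShell session. This is an added example, not part of the original thread: it reports whether `gpt.ini` carries a Deny-Read entry for the local Administrators group and adds one only when asked. The script's parameter names (`-GptIni`, `-Apply`) are hypothetical; the file path is the one given in the post.

```powershell
# Added example, not from the thread. Audits (and with -Apply sets) a Deny-Read
# ACE for BUILTIN\Administrators on the local Group Policy template file.
param(
    # Path as named in the post, expressed via the SystemRoot variable.
    [string]$GptIni = "$env:SystemRoot\System32\GroupPolicy\gpt.ini",
    [switch]$Apply   # hypothetical switch name: add the ACE when it is missing
)

# Well-known SID of BUILTIN\Administrators; avoids localized group names.
$admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$read   = [System.Security.AccessControl.FileSystemRights]::Read
$denyT  = [System.Security.AccessControl.AccessControlType]::Deny

function Get-AdminDenyRead {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Request explicit and inherited ACEs with identities returned as SIDs.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq $admins.Value -and
            $_.AccessControlType -eq $denyT -and
            ($_.FileSystemRights -band $read) -eq $read
        }
}

if (-not (Test-Path -Path $GptIni)) {
    Write-Output "Not found: $GptIni"
    return
}

$deny = @(Get-AdminDenyRead -Path $GptIni)
if ($deny.Count -gt 0) {
    # Per the post, this state means administrators cannot read the template.
    Write-Output "Deny-Read ACE for Administrators is present on $GptIni"
    $deny | Format-List IdentityReference, FileSystemRights, IsInherited
}
elseif ($Apply) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($admins, $read, $denyT)
    $acl  = Get-Acl -Path $GptIni
    $acl.AddAccessRule($rule)
    Set-Acl -Path $GptIni -AclObject $acl
    Write-Output "Added Deny-Read ACE for Administrators on $GptIni"
}
else {
    Write-Output "No Deny-Read ACE for Administrators on $GptIni"
}
```

Run without `-Apply`, the script only reads the ACL, which makes it usable as an audit check on machines where this entry is not expected.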

Author Comment

ID: 20289061
To follow up on a few things: this is a workgroup environment, no Active Directory. Imitchie, you are correct, it is the default account Windows creates as administrator upon installation. I know with XP you have another administrator account by default as well that you can Ctrl+Alt+Del during log on to access, but Vista does not seem to respond in the same manner. Ardrac, I will certainly try this once I can actually access it, I disabled pretty much everything that allows configuration to the PC (I know, I know, foolish, but I thought it would not apply to admin!). Thanks for your help so far guys, I will get back to you on what happens. If I can't figure it out it will leave me with no option but to re-install.

Expert Comment

ID: 20289727
As you are in a workgroup you should be able to do the following;

From another machine in the same workgroup
Connect to the C$ share on the machine you have locked down i.e. \\Machinename\C$\Windows\
Browse to gpt.ini and change the permissions.

Because you are only connecting to the remote file system you should not be impacted by the local policies you have set.

PS - I have managed to do similar things myself before with local policies. You can definitely remove them without a rebuild. Other options include using a WindowsPE CD/ERD Commander to boot the problem machine and check permissions or even delete the gpt.ini file.
LVL 18

Assisted Solution

PowerIT earned 100 total points
ID: 20289896
Actually, the local group policy system is different than in XP. E.g. it now allows for separate administrator, built-in administrator and non-administrator policies.
But the gpt.ini trick could do it, because gpt.ini still exists.
If it doesn't, get back here and I'll see if I can cook another solution.


Author Comment

ID: 20290167
Thanks guys, I will be back in 2 hours to report back on what happens.

Author Comment

ID: 20291536
OK, here is the problem: the computer will not let me log on remotely, and I was able to create a shortcut on the desktop for secpol and enabled the admin account. But the admin account is also restricted! I can't access the command prompt either. I would like to try and delete GPT.ini but I cannot access it directly. Any ideas?

Author Comment

ID: 20291604
AHA! I have figured it out! I was able to make a shortcut to the group policy management console under C:\WINDOWS\system32\ and I was able to change all the variables! Thanks guys, really appreciate your help as always. If it were possible I would give 1000 points to all of you.

Question has a verified solution.
