Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Accidentally set user policies to prevent me from making changes to computer, how can I revert

Posted on 2007-11-14
10
Medium Priority
?
567 Views
Last Modified: 2013-12-04
I was being an idiot and playing around with the user policies under MMC, I just learned how to use it and was experimenting. I though the policies would only apply to my other accounts that do not have administrator access, but apparently it applied to my account (administrator). It's pretty funny because I disabled run, my computer, control panel etc...so I have no way of changing it that I know of. Any ideas?
0
Comment
Question by:Manzola
  • 4
  • 2
  • 2
  • +2
10 Comments
 
LVL 4

Expert Comment

by:pstrawser
ID: 20286144
log in to the server as administrator and domain as the computer name
and make changes from there
0
 
LVL 18

Expert Comment

by:PowerIT
ID: 20287573
Is this in a workgroup environment (no Active Directory)? If yes then you don't have the possibility to override from group policies on a server to member machines.
If so: post back and I'll have a look at other possibilities.

J.
0
 
LVL 25

Accepted Solution

by:
imitchie earned 800 total points
ID: 20288126
i take it your account is "administrator" level but not named "administrator"? have you tried creating a shortcut to
   1. secpol.msc. execute
   2. In the left list, choose "Local Policies", then "Security Options"
   3. Set "Accounts: Administrator account status" to Enabled.
   4. Set "User Account Control: Admin Approval Mode for the Built-in Administrator account" to Disabled.

do you know the password?
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
LVL 5

Assisted Solution

by:ardrac
ardrac earned 800 total points
ID: 20288903
Im presuming we are looking at a single pc here, no domain, no server.

Basically local gropup polices will effect all users on the machine. The trick to getting local policies to not apply when an administrator logs in is to give the adminsrator group deny read permissions to the file c:\windows\system32\grouppolicy\gpt.ini. So when a normal user logs in they can read this file, then polices get applied. But when an admin user logs in they can not read this file so permissions do not apply.

So basically you just need to browse to that file and set deny read access for Admins, if you can not browse to the file (because the local policy is preventing you from accessing the file system) then try doing so using safe mode. You could always use a resore point and roll back to before you created your policy if you can not find another way.

PS I have not tried any of the above on Vista but its how to do it under XP and should be similar if not the same under Vista.
0
 

Author Comment

by:Manzola
ID: 20289061
To follow up on a few things- this is a workgroup environment, no active directory. Imitchie, you are correct, it is the default account windows creates as administrator upon installation. I know with xp you have another administrator account by default as well that you can crtl atl dlt during log on to access, but Vista does not seem to respond in the same manner.  Ardrac, I will certainly try this once I can actually access it, I disabled pretty much everything that allows configuration to the pc (i know i know, foolish but I thought it would not apply to admin!.).  Thanks for your help so far guys, I will get back to you on what happens. If I can't figure out it will leave me with no option but to re-install.
0
 
LVL 5

Expert Comment

by:ardrac
ID: 20289727
As you are in a workgroup you should be able to do the following;

From another machine in teh same workgroup
Connect to the C$ share on the machine you have locked down i.e \\Machinename\C$\Windows\
Browse to gtp.ini and change the permissions.

Because you are only connecting to the remote file system you shoudl not be impacted by the local policies you have set.

ps - I have managed to do the similar things myself before with local policies. You can definaltly remove them without a rebuild. Other options include using a WindowsPE CD/ERD Commander to boot the problem machine and check permissions or even delete the gpt.ini file.
0
 
LVL 18

Assisted Solution

by:PowerIT
PowerIT earned 400 total points
ID: 20289896
Actually, the local group policy system is different then XP. E.g. it now allows for seperate administrator, built-in administrator and non-administrator policies.
But the gpt.ini trick could do it, because gpt.ini still exist.
If it doesn't, get back here and I'll see if I can cook another solution.

J.
0
 

Author Comment

by:Manzola
ID: 20290167
Thanks guys, I will be back in 2 hours to report back on what happens.
0
 

Author Comment

by:Manzola
ID: 20291536
Ok here is the problem, the computer will not let me log on remotely, and I was able to create a shortcut on the deskptop for secpol and enabled the admin account. But the admin account is also restricted! I can't access the command prompt either.  I would like to try and delete GPT.ini but I cannot access it directly. Any ideas?
0
 

Author Comment

by:Manzola
ID: 20291604
AHA! I have figured it out! I was able to make a shortcut to the group policy management consule under C:\WINDOWS\system32\ and I was able to change all the variables! Thanks guys really appreciate your help as always. If it were possible I would give 1000 points to all of you.
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

With the evolution of technology, we have finally reached a point where it is possible to have home automation features like having your thermostat turn up and door lock itself when you leave, as well as a complete home security system. This is a st…
Ransomware, the malware that locks down its victim’s files until they pay up, has always been a frustrating issue to deal with. However, a recent mobile ransomware will make the issue a little more personal… by sharing the victim’s mobile browsing h…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…

927 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question