Accidentally set user policies to prevent me from making changes to computer, how can I revert

I was being an idiot and playing around with the user policies under MMC, I just learned how to use it and was experimenting. I though the policies would only apply to my other accounts that do not have administrator access, but apparently it applied to my account (administrator). It's pretty funny because I disabled run, my computer, control panel I have no way of changing it that I know of. Any ideas?
Who is Participating?
imitchieConnect With a Mentor Commented:
i take it your account is "administrator" level but not named "administrator"? have you tried creating a shortcut to
   1. secpol.msc. execute
   2. In the left list, choose "Local Policies", then "Security Options"
   3. Set "Accounts: Administrator account status" to Enabled.
   4. Set "User Account Control: Admin Approval Mode for the Built-in Administrator account" to Disabled.

do you know the password?
log in to the server as administrator and domain as the computer name
and make changes from there
Is this in a workgroup environment (no Active Directory)? If yes then you don't have the possibility to override from group policies on a server to member machines.
If so: post back and I'll have a look at other possibilities.

Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

ardracConnect With a Mentor Commented:
Im presuming we are looking at a single pc here, no domain, no server.

Basically local gropup polices will effect all users on the machine. The trick to getting local policies to not apply when an administrator logs in is to give the adminsrator group deny read permissions to the file c:\windows\system32\grouppolicy\gpt.ini. So when a normal user logs in they can read this file, then polices get applied. But when an admin user logs in they can not read this file so permissions do not apply.

So basically you just need to browse to that file and set deny read access for Admins, if you can not browse to the file (because the local policy is preventing you from accessing the file system) then try doing so using safe mode. You could always use a resore point and roll back to before you created your policy if you can not find another way.

PS I have not tried any of the above on Vista but its how to do it under XP and should be similar if not the same under Vista.
ManzolaAuthor Commented:
To follow up on a few things- this is a workgroup environment, no active directory. Imitchie, you are correct, it is the default account windows creates as administrator upon installation. I know with xp you have another administrator account by default as well that you can crtl atl dlt during log on to access, but Vista does not seem to respond in the same manner.  Ardrac, I will certainly try this once I can actually access it, I disabled pretty much everything that allows configuration to the pc (i know i know, foolish but I thought it would not apply to admin!.).  Thanks for your help so far guys, I will get back to you on what happens. If I can't figure out it will leave me with no option but to re-install.
As you are in a workgroup you should be able to do the following;

From another machine in teh same workgroup
Connect to the C$ share on the machine you have locked down i.e \\Machinename\C$\Windows\
Browse to gtp.ini and change the permissions.

Because you are only connecting to the remote file system you shoudl not be impacted by the local policies you have set.

ps - I have managed to do the similar things myself before with local policies. You can definaltly remove them without a rebuild. Other options include using a WindowsPE CD/ERD Commander to boot the problem machine and check permissions or even delete the gpt.ini file.
PowerITConnect With a Mentor Commented:
Actually, the local group policy system is different then XP. E.g. it now allows for seperate administrator, built-in administrator and non-administrator policies.
But the gpt.ini trick could do it, because gpt.ini still exist.
If it doesn't, get back here and I'll see if I can cook another solution.

ManzolaAuthor Commented:
Thanks guys, I will be back in 2 hours to report back on what happens.
ManzolaAuthor Commented:
Ok here is the problem, the computer will not let me log on remotely, and I was able to create a shortcut on the deskptop for secpol and enabled the admin account. But the admin account is also restricted! I can't access the command prompt either.  I would like to try and delete GPT.ini but I cannot access it directly. Any ideas?
ManzolaAuthor Commented:
AHA! I have figured it out! I was able to make a shortcut to the group policy management consule under C:\WINDOWS\system32\ and I was able to change all the variables! Thanks guys really appreciate your help as always. If it were possible I would give 1000 points to all of you.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.