Solved

Accidentally set user policies to prevent me from making changes to computer, how can I revert

Posted on 2007-11-14
10
557 Views
Last Modified: 2013-12-04
I was being an idiot and playing around with the user policies under MMC, I just learned how to use it and was experimenting. I though the policies would only apply to my other accounts that do not have administrator access, but apparently it applied to my account (administrator). It's pretty funny because I disabled run, my computer, control panel etc...so I have no way of changing it that I know of. Any ideas?
0
Comment
Question by:Manzola
  • 4
  • 2
  • 2
  • +2
10 Comments
 
LVL 4

Expert Comment

by:pstrawser
Comment Utility
log in to the server as administrator and domain as the computer name
and make changes from there
0
 
LVL 18

Expert Comment

by:PowerIT
Comment Utility
Is this in a workgroup environment (no Active Directory)? If yes then you don't have the possibility to override from group policies on a server to member machines.
If so: post back and I'll have a look at other possibilities.

J.
0
 
LVL 25

Accepted Solution

by:
imitchie earned 200 total points
Comment Utility
i take it your account is "administrator" level but not named "administrator"? have you tried creating a shortcut to
   1. secpol.msc. execute
   2. In the left list, choose "Local Policies", then "Security Options"
   3. Set "Accounts: Administrator account status" to Enabled.
   4. Set "User Account Control: Admin Approval Mode for the Built-in Administrator account" to Disabled.

do you know the password?
0
 
LVL 5

Assisted Solution

by:ardrac
ardrac earned 200 total points
Comment Utility
Im presuming we are looking at a single pc here, no domain, no server.

Basically local gropup polices will effect all users on the machine. The trick to getting local policies to not apply when an administrator logs in is to give the adminsrator group deny read permissions to the file c:\windows\system32\grouppolicy\gpt.ini. So when a normal user logs in they can read this file, then polices get applied. But when an admin user logs in they can not read this file so permissions do not apply.

So basically you just need to browse to that file and set deny read access for Admins, if you can not browse to the file (because the local policy is preventing you from accessing the file system) then try doing so using safe mode. You could always use a resore point and roll back to before you created your policy if you can not find another way.

PS I have not tried any of the above on Vista but its how to do it under XP and should be similar if not the same under Vista.
0
 

Author Comment

by:Manzola
Comment Utility
To follow up on a few things- this is a workgroup environment, no active directory. Imitchie, you are correct, it is the default account windows creates as administrator upon installation. I know with xp you have another administrator account by default as well that you can crtl atl dlt during log on to access, but Vista does not seem to respond in the same manner.  Ardrac, I will certainly try this once I can actually access it, I disabled pretty much everything that allows configuration to the pc (i know i know, foolish but I thought it would not apply to admin!.).  Thanks for your help so far guys, I will get back to you on what happens. If I can't figure out it will leave me with no option but to re-install.
0
Free camera licenses with purchase of My Cloud NAS

Milestone Arcus software is compatible with thousands of industry-leading cameras for added flexibility. Upon installation on your My Cloud NAS, you will receive two (2) camera licenses already enabled in the software. And for a limited time, get additional camera licenses FREE.

 
LVL 5

Expert Comment

by:ardrac
Comment Utility
As you are in a workgroup you should be able to do the following;

From another machine in teh same workgroup
Connect to the C$ share on the machine you have locked down i.e \\Machinename\C$\Windows\
Browse to gtp.ini and change the permissions.

Because you are only connecting to the remote file system you shoudl not be impacted by the local policies you have set.

ps - I have managed to do the similar things myself before with local policies. You can definaltly remove them without a rebuild. Other options include using a WindowsPE CD/ERD Commander to boot the problem machine and check permissions or even delete the gpt.ini file.
0
 
LVL 18

Assisted Solution

by:PowerIT
PowerIT earned 100 total points
Comment Utility
Actually, the local group policy system is different then XP. E.g. it now allows for seperate administrator, built-in administrator and non-administrator policies.
But the gpt.ini trick could do it, because gpt.ini still exist.
If it doesn't, get back here and I'll see if I can cook another solution.

J.
0
 

Author Comment

by:Manzola
Comment Utility
Thanks guys, I will be back in 2 hours to report back on what happens.
0
 

Author Comment

by:Manzola
Comment Utility
Ok here is the problem, the computer will not let me log on remotely, and I was able to create a shortcut on the deskptop for secpol and enabled the admin account. But the admin account is also restricted! I can't access the command prompt either.  I would like to try and delete GPT.ini but I cannot access it directly. Any ideas?
0
 

Author Comment

by:Manzola
Comment Utility
AHA! I have figured it out! I was able to make a shortcut to the group policy management consule under C:\WINDOWS\system32\ and I was able to change all the variables! Thanks guys really appreciate your help as always. If it were possible I would give 1000 points to all of you.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Join & Write a Comment

Article by: btan
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now