Solved

need to rollback group policy for a domain controller

Posted on 2009-04-04
Last Modified: 2012-05-06
We have four domain controllers and we have applied a group policy to the Domain Controllers OU in which we have specified to change the permissions of the c:\windows\tasks folder to read only. This was done to counter the Conficker virus on the recommendations from Microsoft. Now on one of the domain controllers we need to create tasks and need to change permissions. I go to the group policy and add the domain controller in the security tab and deny this domain controller the Read and Apply Group Policy permissions. After I apply and refresh the group policy, in the gpresults I don't see the policy applying anymore, but I guess the changes done by the policy are still retained. I need to change the permissions on the folder and the security tab is not available for this folder. How do I undo the changes done by this group policy? I want to be able to create tasks.
Question by:mgmohiuddin
6 Comments
 
LVL 58

Expert Comment

by:tigermatt
ID: 24067157

By default, the security changes you make to the File System or Registry on a system will tattoo. This means if you stop the Group Policy Object which defines them from applying to a machine, the settings will remain in place.

You will need to allow the GPO object you created to apply to the DC objects by removing the deny right. Then, Edit the policy and simply change the entry for C:\WINDOWS\Tasks such that Administrators and the SYSTEM account have Full Control over that path again. Once policy refreshes on the DC, you will then have the ability to access and create Scheduled Tasks once again.

-Matt
0
 
LVL 27

Accepted Solution

by:
bluntTony earned 250 total points
ID: 24067477
If it's just that particular DC you want to change the permissions on (and want to leave the rest with the current settings), then you'll have to create a new GPO to apply to just that DC (link it to the same OU but use security filtering so only that DC can Read and Apply the policy). Configure this GPO with the required permission settings.
Set its precedence so it is higher than the existing GPO, and then just that DC will get the more relaxed permissions on that folder.
- Matt - like the use of 'tattoo' - good way of explaining!
0
 

Author Comment

by:mgmohiuddin
ID: 24070590
Yes, I thought so. So there is no other way of doing it? In our organization it is a long procedure to create a GPO, with approvals etc.
If there is no other way, please reply and I will close the question.
0

 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 250 total points
ID: 24070678

The only way you have open to you to reset the permissions is to either create a new GPO and apply it to the appropriate DC, as Tony said. The other way is to modify the existing GPO and reverse the Security changes - in other words, have that GPO now grant 'Full Control' to the Administrators group on the Tasks folder.

-Matt
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24070708
Hi,

Any reason for the 'B' grade? Was there something about our comments which did not fully answer your question?
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24071294
As long as you are happy with this GPO never applying to the DC again (as you have said you've denied it read & apply permissions), i.e. none of the settings in the GPO are needed by the DC, you can just use cacls to directly edit the NTFS security of the folder. Of course if you make the below changes and re-apply the GPO, you will remove the permissions again.
MS hide the security tab from Explorer for this folder, but I think you can still use cacls or xcacls. e.g.
cacls %systemroot%\tasks /E /G domain\username:F
The above command will grant the given user full control over the folder. Of course, if you removed everyone's rights, you may not have permissions to do this. In which case you would need to do this in the SYSTEM context (as long as you didn't remove this from the ACL!). A neat trick for running a command line in the SYSTEM context is to create a service which launches a command prompt.
Type sc create systemcmd binpath= "cmd /k start" type= own type= interact
...this creates a service called 'systemcmd' that launches a command prompt in the SYSTEM context. To start the service, type...
sc start systemcmd
...you'll get an error message saying that the service couldn't start, but a command prompt will pop up. Any command you run from within this has SYSTEM rights. Run cacls from this and you should be in business. Make sure you do this locally on the server as the command prompt will appear on the local session, not a remote desktop.
0
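Added example, not part of the thread: a Windows PowerShell check to run on the affected DC after the ACL has been edited. It saves the current security descriptor of the Tasks folder, reports whether Administrators and SYSTEM hold Full Control (the state tigermatt's replies aim for), and lists any service that runs a command prompt as LocalSystem with desktop interaction, such as the temporary 'systemcmd' service created above. Assumptions: an elevated local session, Get-WmiObject being available, and the backup file name and the -RemoveSystemCmd switch, which are names made up for this example.

```powershell
# Added example, not from the thread. Run locally from an elevated prompt.
# Assumption: the backup file location and the switch name are hypothetical.
param([switch]$RemoveSystemCmd)   # pass -RemoveSystemCmd to delete the temporary service

$tasksDir   = Join-Path $env:SystemRoot 'Tasks'
$backupFile = Join-Path $env:TEMP 'tasks-acl.sddl.txt'

# 1. Save the current (tattooed) security descriptor so the edit can be reversed.
$acl = Get-Acl -Path $tasksDir
$acl.Sddl | Set-Content -Path $backupFile

# 2. Check the two principals that should hold Full Control, matched by
#    well-known SID so the check works regardless of OS language.
$wanted = @{ 'S-1-5-32-544' = 'Administrators'; 'S-1-5-18' = 'SYSTEM' }
$full   = [System.Security.AccessControl.FileSystemRights]::FullControl
$rules  = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
foreach ($sid in $wanted.Keys) {
    $hit = $rules | Where-Object {
        $_.IdentityReference.Value -eq $sid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $full) -eq $full
    }
    $state = if ($hit) { 'has Full Control' } else { 'is MISSING Full Control' }
    Write-Output ("{0} {1} on {2}" -f $wanted[$sid], $state, $tasksDir)
}

# 3. Find services that run a command prompt as LocalSystem with desktop
#    interaction: the shape of the temporary 'systemcmd' service from the thread.
$shells = @(Get-WmiObject -Class Win32_Service | Where-Object {
    $_.StartName -eq 'LocalSystem' -and $_.DesktopInteract -and
    $_.PathName -match '^\s*"?([^"]*\\)?cmd(\.exe)?("|\s|$)'
})
$shells | Select-Object Name, PathName, State, StartMode

# 4. Optionally delete the temporary service once the ACL has been fixed.
if ($RemoveSystemCmd -and ($shells | Where-Object { $_.Name -eq 'systemcmd' })) {
    sc.exe delete systemcmd
}
```

If the GPO is later allowed to apply to this DC again, step 2 will report the permissions as missing after the next policy refresh, which matches the behaviour described in the last comment.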
