Solved

need to rollback group policy for a domain controller

Posted on 2009-04-04
Last Modified: 2012-05-06
We have four domain controllers and we have applied a group policy to the Domain Controllers OU in which we have specified to change the permissions of the c:\windows\tasks folder to read only. This was done to counter the Conficker virus on the recommendations from Microsoft. Now on one of the domain controllers we need to create tasks and need to change permissions. I go to the group policy, add the domain controller in the security tab and deny this domain controller the Read and Apply Group Policy permissions. After I apply and refresh the group policy, in gpresult I don't see the policy applying anymore, but I guess the changes done by the policy are still retained. I need to change the permissions on the folder and the security tab is not available for this folder. How do I undo the changes done by this group policy? I want to be able to create tasks.
Question by:mgmohiuddin
6 Comments
 
LVL 58

Expert Comment

by:tigermatt
ID: 24067157

By default, the security changes you make to the File System or Registry on a system will tattoo. This means if you stop the Group Policy Object which defines them from applying to a machine, the settings will remain in place.

You will need to allow the GPO object you created to apply to the DC objects by removing the deny right. Then, Edit the policy and simply change the entry for C:\WINDOWS\Tasks such that Administrators and the SYSTEM account have Full Control over that path again. Once policy refreshes on the DC, you will then have the ability to access and create Scheduled Tasks once again.

-Matt
 
LVL 27

Accepted Solution

by:bluntTony (earned 250 total points)
ID: 24067477
If it's just that particular DC you want to change the permissions on (and want to leave the rest with the current settings), then you'll have to create a new GPO to apply to just that DC (link it to the same OU but use security filtering so only that DC can Read and Apply the policy). Configure this GPO with the required permission settings.
Set its precedence so it is higher than the existing GPO, and then just that DC will get the more relaxed permissions on that folder.
- Matt - like the use of 'tattoo' - good way of explaining!
 

Author Comment

by:mgmohiuddin
ID: 24070590
Yes, I thought so. So there is no other way of doing it? In our organization it is a long procedure to create a GPO, with approvals etc. etc.
If there is no other way please reply and I will close the question.

 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 250 total points
ID: 24070678

The only ways open to you to reset the permissions are to either create a new GPO and apply it to the appropriate DC, as Tony said, or to modify the existing GPO and reverse the security changes - in other words, have that GPO now grant 'Full Control' to the Administrators group on the Tasks folder.

-Matt
 
LVL 58

Expert Comment

by:tigermatt
ID: 24070708
Hi,

Any reason for the 'B' grade? Was there something about our comments which did not fully answer your question?
 
LVL 27

Expert Comment

by:bluntTony
ID: 24071294
As long as you are happy with this GPO never applying to the DC again (as you have said you've denied it Read & Apply permissions), i.e. none of the settings in the GPO are needed by the DC, you can just use cacls to directly edit the NTFS security of the folder. Of course, if you make the below changes and re-apply the GPO, you will remove the permissions again.
MS hides the security tab in Explorer for this folder, but I think you can still use cacls or xcacls, e.g.
cacls %systemroot%\tasks /E /G domain\username:F
The above command will grant the given user Full Control over the folder. Of course, if you removed everyone's rights, you may not have permission to do this, in which case you would need to do this in the SYSTEM context (as long as you didn't remove this from the ACL!). A neat trick for running a command line in the SYSTEM context is to create a service which launches a command prompt.
Type sc create systemcmd binpath= "cmd /k start" type= own type= interact
...this creates a service called 'systemcmd' that launches a command prompt in the SYSTEM context. To start the service, type...
sc start systemcmd
...you'll get an error message saying that the service couldn't start, but a command prompt will pop up. Any command you run from within this has SYSTEM rights. Run cacls from this and you should be in business. Make sure you do this locally on the server as the command prompt will appear on the local session, not a remote desktop.
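Added example, not code from this thread or from Experts Exchange: a PowerShell script that does what Matt and Tony describe on the affected DC itself, listing the current ACL on %SystemRoot%\Tasks and restoring Full Control for Administrators and SYSTEM where it is missing. It assumes the tightening GPO has already been stopped from applying to this DC (otherwise the next refresh re-tightens the folder) and that it is run from an elevated prompt that still has rights on the folder; the `$principals` list is my choice, taken from Matt's first comment.

```powershell
# Restore Full Control on %SystemRoot%\Tasks after a tattooed GPO change.
# Assumption: the GPO that set the folder read-only no longer applies here.
$tasksPath  = Join-Path $env:SystemRoot 'Tasks'
$principals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
$fullCtl    = [System.Security.AccessControl.FileSystemRights]::FullControl

# Get-Acl works even though Explorer hides the Security tab for this folder.
# If the GPO stripped your own rights this call fails with Access Denied,
# which is the case Tony's SYSTEM-context note covers.
$acl = Get-Acl -Path $tasksPath

# Show the current ACEs so the change can be reviewed before it is applied.
$acl.Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

$changed = $false
foreach ($who in $principals) {
    # An explicit Allow ACE carrying every bit of FullControl counts as present.
    $hasFull = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $who -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $fullCtl) -eq $fullCtl)
    }
    if (-not $hasFull) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $who,
            $fullCtl,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
        Write-Host "Adding Full Control for $who on $tasksPath"
        $changed = $true
    }
}

if ($changed) {
    Set-Acl -Path $tasksPath -AclObject $acl
} else {
    Write-Host "Administrators and SYSTEM already have Full Control; nothing to do."
}

# Confirm that the folder-permission GPO is no longer in scope for this DC;
# if it still lists under 'Applied Group Policy Objects' the next refresh
# will tattoo the read-only ACL back onto the folder.
gpresult /r /scope computer
```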
