Solved

Cannot Remove Software Restriction Policy

Posted on 2009-07-09
Last Modified: 2012-05-07
Someone added a blank software restriction policy to a Policy that was applied domain wide. Caused me problems. Anyway, I took the SRP off of that policy, and tried gpupdate, gpupdate /force, gpupdate /sync to no avail. I removed the link and the enforcement from that Policy to the OU (all OUs). Tried to gpupdate.. nothing. I removed a PC from the domain and logged in as a local admin; Resultant Set of Policy says I still have SRP. I rejoined the domain hoping to overwrite because they should only be receiving the Default Domain Policy -- which does not have a SRP. Still nothing. I really need to find an answer else I'm gonna be reformatting machines until I die. I tried the Microsoft FixIt BS and it doesn't work either.
Question by:jstevens80
10 Comments
 
LVL 1

Author Comment

by:jstevens80
ID: 24819548
I'm still screwed as of right now. I need to connect to the network to install programs. I use static IPs so when I input my DNS server I automatically pick up the SRP.
0
 
LVL 1

Author Comment

by:jstevens80
ID: 24819709
To add even more -- I've deleted registry entries from HKCU and HKLM for software/policies/microsoft. and currentversion/policies. I've deleted Windows/system32/GroupPolicy. Still nothing. I restarted the PDC and SDC, all the machines, have run gpupdate. Have removed ALL GPs. gpresult said N/A GPOs were applied. Default Domain policy is disabled, and the Local Group Policy is not applied. -- same thing for user settings. When I use the MMC to look at RSoP it still tells me I have SRP. Definitely in a bind.
0
 
LVL 2

Expert Comment

by:javiersantana
ID: 24819827
What a mess! Anything coming up in the event viewer? Use RSoP on the DC and see what you get. Are your OUs inheriting any policies? Just a few things to check.
0
 
LVL 1

Author Comment

by:jstevens80
ID: 24819950
There are no errors in the event log, just that the security policy was applied successfully. I ran RSoP on the DC and it has the policy applied as well. My Boss (CIO but not tech oriented) logged in as her user which is set to receive the GPO. There are currently applied GPOs, all are disabled. The Default GPO was inherited by all but I even disabled that. Although the DGPO did NOT have any SRP.
0
 
LVL 2

Expert Comment

by:javiersantana
ID: 24819991
The GPO is set on user accounts? Do these user accounts have admin rights? I believe in order for GPOs to be applied to user accounts that modify registry/permissions/security in any way, users need to have some sort of elevated privileges.

I might be completely wrong in that last statement. I think I remember reading that somewhere though. Check it out and see if I'm right.
0
 
LVL 1

Author Comment

by:jstevens80
ID: 24820004
Those user accounts have local administrative rights. Not domain wide. But like I said, as soon as I point any PC to my DC, even if it's not on the domain, I get a SRP. I don't get that at all.
0
 
LVL 22

Expert Comment

by:BitsBytesandMore
ID: 24823645
What a mess...... Have you tried turning off the PDC to see if the SDC also has the same problem?
How many users do you have?
If it works with the SDC you might want to consider running dcpromo... it installs or removes the Active Directory services and recreates everything from the SDC....
0
 
LVL 1

Author Comment

by:jstevens80
ID: 24823788
From what I've been reading.. all security options via GPO "tattoo" the PC. I did not leave the PDC off, just restarted and the SDC took over the domain control (but remember I'm using static addressing so the users still point their primary DNS to the PDC and secondary is the SDC). Did not help, so I restarted the SDC and the PDC took over again. Replication between servers seems fine. I created a test OU and applied a new GPO with no SRP and it did nothing. So I changed the SRP to not apply to local admins (which all my users are for our 3rd party management system {bad I know}). Did not help either. So you're suggesting leaving the PDC offline for a bit and then running gpupdate /force and see what happens? I've been trying to read about creating custom ADMs but I'm also running an office of 125+ PCs by myself this week. I just had a core switch fail as well (stressed!)
0
 
LVL 1

Author Comment

by:jstevens80
ID: 24824175
I have a CD with some software that needs to install a virtual LPT port (LPT1). SRP prevents me from running these 3 .msi files. I have another .msi that is my CiscoVPN client installer. I moved the VPN installer to the same location as the other .msi's. I can open my VPN msi but none of the others. All are in the same directory. I moved the restricted .msi's from disk to disk to remove security but still nothing.
0
 
LVL 1

Accepted Solution

by:
jstevens80 earned 0 total points
ID: 24934473
It turns out that if I wait a couple hours after writing a new policy overwriting the tattooed policy, things will be ok. Maybe it's my replication between PDC and SDC. The other .msi's in question were locked by the publisher so only their installer could run the files, not myself behind the scenes, but it gave me the same error message I received when I was actually blocked by an SRP.
0
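
Added example (not part of the original thread): a PowerShell check for the two things the thread kept guessing at, namely whether SRP settings are still stored ("tattooed") in the local registry, and whether a failed launch was actually an SRP block. The `Safer\CodeIdentifiers` key and event IDs 865-868 are the standard Windows locations for SRP and are assumptions here, since the thread does not name them; `[pscustomobject]` needs PowerShell 3.0 or later.

```powershell
# Added example: inspect locally stored SRP settings and recent SRP block events.
# Standard SRP registry location (assumption: not named in the thread).
$srpSubKey = 'SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levels    = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

foreach ($hive in 'HKLM:', 'HKCU:') {
    $root = Join-Path $hive $srpSubKey
    if (-not (Test-Path $root)) {
        "{0} no SRP key present" -f $hive
        continue
    }

    # Top-level values: the default security level and who the policy covers.
    $cfg     = Get-ItemProperty -Path $root
    $default = if ($null -eq $cfg.DefaultLevel) { '(not set)' }
               else { $levels[[int]$cfg.DefaultLevel] }
    "{0} DefaultLevel={1} PolicyScope={2} TransparentEnabled={3}" -f `
        $hive, $default, $cfg.PolicyScope, $cfg.TransparentEnabled

    # Path rules are stored as ...\CodeIdentifiers\<level>\Paths\{GUID}.
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '\\Paths\\' } |
        ForEach-Object {
            $parts = $_.Name -split '\\'
            [pscustomobject]@{
                Hive  = $hive
                Level = $levels[[int]$parts[-3]]
                Path  = $_.GetValue('ItemData')
            }
        }
}

# SRP writes a block event to the Application log:
# 865 = default level, 866 = path rule, 867 = certificate rule, 868 = zone/hash rule.
$filter = @{
    LogName   = 'Application'
    Id        = 865, 866, 867, 868
    StartTime = (Get-Date).AddDays(-1)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, ProviderName, Id, Message | Format-List
} else {
    'No SRP block events in the last 24 hours; check for another cause.'
}
```

If the registry check still lists SRP values after the GPO setting is removed, the values are stale local copies rather than something a DC is still delivering; a launch failure with no matching block event points away from SRP.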


Question has a verified solution.
