Solved

Cannot Remove Software Restriction Policy

Posted on 2009-07-09
882 Views
Last Modified: 2012-05-07
Someone added a blank software restriction policy to a Policy that was applied domain wide. Caused me problems. Anyway, I took the SRP off of that policy, and tried gpupdate, gpupdate /force, gpupdate /sync to no avail. I removed the link and the enforcement from that Policy to the OU (all OUs). Tried to gpupdate... nothing. I removed a PC from the domain and logged in as a local admin; Resultant Set of Policy says I still have SRP. I rejoined the domain hoping to overwrite, because they should only be receiving the Default Domain Policy, which does not have a SRP. Still nothing. I really need to find an answer, else I'm gonna be reformatting machines until I die. I tried the Microsoft FixIt BS and it doesn't work either.
Question by:jstevens80
10 Comments
LVL 1

Author Comment

by:jstevens80
ID: 24819548
I'm still screwed as of right now. I need to connect to the network to install programs. I use static IPs, so when I input my DNS server I automatically pick up the SRP.
LVL 1

Author Comment

by:jstevens80
ID: 24819709
To add even more: I've deleted registry entries from HKCU and HKLM for software/policies/microsoft and currentversion/policies. I've deleted Windows/system32/GroupPolicy. Still nothing. I restarted the PDC and SDC and all the machines, and have run gpupdate. Have removed ALL GPs. gpresult said N/A GPOs were applied. Default Domain Policy is disabled, and the Local Group Policy is not applied; same thing for user settings. When I use the MMC to look at RSoP it still tells me I have SRP. Definitely in a bind.
LVL 2

Expert Comment

by:javiersantana
ID: 24819827
What a mess! Anything coming up in the Event Viewer? Use RSoP on the DC and see what you get. Are your OUs inheriting any policies? Just a few things to check.
LVL 1

Author Comment

by:jstevens80
ID: 24819950
There are no errors in the event log, just that the security policy was applied successfully. I ran RSoP on the DC and it has the policy applied as well. My boss (CIO but not tech oriented) logged in as her user, which is set to receive the GPO. There are currently applied GPOs; all are disabled. The Default GPO was inherited by all, but I even disabled that, although the DGPO did NOT have any SRP.
LVL 2

Expert Comment

by:javiersantana
ID: 24819991
The GPO is set on user accounts? Do these user accounts have admin rights? I believe in order for GPOs to be applied to user accounts that modify registry/permissions/security in any way, users need to have some sort of elevated privileges.

I might be completely wrong in that last statement. I think I remember reading that somewhere, though. Check it out and see if I'm right.
LVL 1

Author Comment

by:jstevens80
ID: 24820004
Those user accounts have local administrative rights, not domain wide. But like I said, as soon as I point any PC to my DC, even if it's not on the domain, I get a SRP. I don't get that at all.
LVL 22

Expert Comment

by:BitsBytesandMore
ID: 24823645
What a mess... have you tried turning off the PDC to see if the SDC also has the same problem?
How many users do you have?
If it works with the SDC you might want to consider running dcpromo... it installs or removes the Active Directory services and recreates everything from the SDC...
LVL 1

Author Comment

by:jstevens80
ID: 24823788
From what I've been reading, all security options via GPO "tattoo" the PC. I did not leave the PDC off, just restarted it, and the SDC took over domain control (but remember I'm using static addressing, so the users still point their primary DNS to the PDC and secondary to the SDC). Did not help, so I restarted the SDC and the PDC took over again. Replication between servers seems fine. I created a test OU and applied a new GPO with no SRP and it did nothing. So I changed the SRP to not apply to local admins (which all my users are for our 3rd party management system {bad, I know}). Did not help either. So you're suggesting leaving the PDC offline for a bit and then running gpupdate /force and seeing what happens? I've been trying to read about creating custom ADMs, but I'm also running an office of 125+ PCs by myself this week. I just had a core switch fail as well (stressed!)
LVL 1

Author Comment

by:jstevens80
ID: 24824175
I have a CD with some software that needs to install a virtual LPT port (LPT1). SRP prevents me from running these 3 .msi files. I have another .msi that is my Cisco VPN client installer. I moved the VPN installer to the same location as the other .msi's. I can open my VPN .msi but none of the others. All are in the same directory. I moved the restricted .msi's from disk to disk to remove security, but still nothing.
LVL 1

Accepted Solution

by:
jstevens80 earned 0 total points
ID: 24934473
It turns out that if I wait a couple of hours after writing a new policy overwriting the tattooed policy, things will be OK. Maybe it's my replication between PDC and SDC. The other .msi's in question were locked by the publisher so only their installer could run the files, not me behind the scenes, but it gave me the same error message I received when I was actually blocked by an SRP.
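Two checks would have shortened this thread: the comment above about deleting the HKLM/HKCU Policies keys (ID 24819709), and the accepted solution's finding that a publisher-locked .msi produced the same error as a genuine SRP block. The script below is an added example, not code from the thread or from Microsoft. It reads the SRP state that is actually enforced on the box, which lives under SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers in HKLM (computer policy) and HKCU (user policy) and is enforced whether or not a GPO currently delivers it, and then looks for the Application log events SRP writes when it blocks a launch (865 default level, 866 path rule, 867 certificate rule, 868 hash rule). A launch that fails without one of those events is not being stopped by SRP. The event source wildcard, the log-file path, and the function names are my assumptions; the registry value names are the ones SRP itself uses.

```powershell
# Added example (not from the original thread): audit the Software Restriction
# Policy actually in force on this machine, independent of what RSoP reports.
# SRP keeps its rules under ...\Safer\CodeIdentifiers; the numeric subkeys are
# the security levels the rules assign (0, 131072, 262144).
# ASSUMPTIONS: the '*Restriction*' source filter covers both the XP and the
# Vista+ source names; the srp.log path is mine; the caller can read the
# Application log.

$SrpLevels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpState {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKLM')
    $base = "${Hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    if (-not (Test-Path $base)) {
        return [pscustomobject]@{ Hive = $Hive; Present = $false; Rules = @() }
    }
    $ci = Get-ItemProperty -Path $base
    $rules = @()
    foreach ($lvl in $SrpLevels.Keys) {
        foreach ($kind in 'Paths', 'Hashes') {
            $k = Join-Path $base "$lvl\$kind"
            if (-not (Test-Path $k)) { continue }
            foreach ($rule in Get-ChildItem -Path $k) {
                $p = Get-ItemProperty -Path $rule.PSPath
                # Path rules keep the pattern in ItemData; hash rules keep the
                # binary hash there and a readable name in FriendlyName.
                if ($kind -eq 'Paths') { $item = $p.ItemData } else { $item = $p.FriendlyName }
                $rules += [pscustomobject]@{
                    Level       = $SrpLevels[$lvl]
                    Kind        = $kind
                    Item        = $item
                    Description = $p.Description
                }
            }
        }
    }
    $default = if ($null -ne $ci.DefaultLevel) { $SrpLevels[[int]$ci.DefaultLevel] } else { '(not set)' }
    [pscustomobject]@{
        Hive               = $Hive
        Present            = $true
        DefaultLevel       = $default
        TransparentEnabled = $ci.TransparentEnabled   # 1 = all but DLLs, 2 = all files
        PolicyScope        = $ci.PolicyScope          # 0 = all users, 1 = all except local admins
        LogFile            = $ci.LogFileName
        Rules              = $rules
    }
}

# SRP writes Application-log events when it blocks something:
# 865 = default level, 866 = path rule, 867 = certificate rule, 868 = hash rule.
# A failed launch with no such event is being stopped by something else.
function Get-SrpBlockEvents {
    param([int]$Newest = 20)
    Get-EventLog -LogName Application -Newest 5000 |
        Where-Object { $_.EventID -ge 865 -and $_.EventID -le 868 -and $_.Source -like '*Restriction*' } |
        Select-Object -First $Newest TimeGenerated, EventID, Message
}

# Turn on SRP's own decision log: every evaluated launch, allowed or blocked,
# with the rule that decided it. Assumed log location.
function Enable-SrpLog {
    param([string]$Path = "$env:SystemRoot\Temp\srp.log")
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $base)) { New-Item -Path $base -Force | Out-Null }
    New-ItemProperty -Path $base -Name LogFileName -Value $Path -PropertyType String -Force | Out-Null
    $Path
}

foreach ($hive in 'HKLM', 'HKCU') {
    $state = Get-SrpState -Hive $hive
    if (-not $state.Present) { "$hive : no SRP key present"; continue }
    "$hive : default level = $($state.DefaultLevel); $($state.Rules.Count) rule(s); scope = $($state.PolicyScope)"
    $state.Rules | Format-Table -AutoSize | Out-String
}
Get-SrpBlockEvents | Format-List | Out-String
```

Run it as an administrator on an affected client and compare the output with gpresult /v: if Get-SrpState shows a Disallowed default level or rules but gpresult lists no GPO carrying SRP, the key is left over from the old policy and can be deleted on the box before a gpupdate /force, which rewrites only what the current GPOs contain. For the .msi question, reproduce the failure and then call Get-SrpBlockEvents; no 865-868 event (and no line in the srp.log after Enable-SrpLog) means SRP is not what is refusing the install.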
