  • Status: Solved

Cannot Remove Software Restriction Policy

Someone added a blank software restriction policy to a Policy that was applied domain wide. Caused me problems. Anyway, I took the SRP off of that policy, and tried gpupdate, gpupdate /force, gpupdate /sync to no avail. I removed the link and the enforcement from that Policy to the OU (all OUs). Tried to gpupdate... nothing. I removed a PC from the domain and logged in as a local admin; Resultant Set of Policy says I still have SRP. I rejoined the domain hoping to overwrite because they should only be receiving the Default Domain Policy -- which does not have a SRP. Still nothing. I really need to find an answer else I'm gonna be reformatting machines until I die. I tried the Microsoft FixIt BS and it doesn't work either.
0
jstevens80
 
jstevens80 (Author) commented:
I'm still screwed as of right now. I need to connect to the network to install programs. I use static IPs so when I input my DNS server I automatically pick up the SRP.
0
 
jstevens80 (Author) commented:
To add even more -- I've deleted registry entries from HKCU and HKLM for software/policies/microsoft. and currentversion/policies. I've deleted Windows/system32/GroupPolicy. Still nothing. I restarted the PDC and SDC, all the machines, have run gpupdate. Have removed ALL GPs. gpresult said N/A GPOs were applied. Default Domain policy is disabled, and the Local Group Policy is not applied. -- same thing for user settings. When I use the MMC to look at RSoP it still tells me I have SRP. Definitely in a bind.
0
 
javiersantana commented:
What a mess! Anything coming up in the event viewer? Use RSOP on the DC and see what you get. Are your OUs inheriting any policies? Just a few things to check.
0
 
jstevens80 (Author) commented:
There are no errors in the event log, just that the security policy was applied successfully. I ran RSoP on the DC and it has the policy applied as well. My Boss (CIO but not tech oriented) logged in as her user which is set to receive the GPO. There are currently applied GPOs, all are disabled. The Default GPO was inherited by all but I even disabled that. Although the DGPO did NOT have any SRP.
0
 
javiersantana commented:
The GPO is set on user accounts? Do these user accounts have admin rights? I believe in order for GPOs to be applied to user accounts that modify registry/permissions/security in any way, users need to have some sort of elevated privileges.

I might be completely wrong in that last statement. I think I remember reading that somewhere though. Check it out and see if I'm right.
0
 
jstevens80 (Author) commented:
Those user accounts have local administrative rights, not domain wide. But like I said, as soon as I point any PC to my DC, even if it's not on the domain, I get a SRP. I don't get that at all.
0
 
BitsBytesandMore commented:
What a mess...... have you tried turning off the PDC to see if the SDC also has the same problem?
How many users do you have?
If it works with the SDC you might want to consider running dcpromo... it installs or removes the Active Directory services and recreates everything from the SDC....
0
 
jstevens80 (Author) commented:
From what I've been reading... all security options via GPO "tattoo" the PC. I did not leave the PDC off, just restarted and the SDC took over the domain control (but remember I'm using static addressing so the users still point their primary DNS to the PDC and secondary is the SDC). Did not help, so I restarted the SDC and the PDC took over again. Replication between servers seems fine. I created a test OU and applied a new GPO with no SRP and it did nothing. So I changed the SRP to not apply to local admins (which all my users are for our 3rd party management system {bad I know}). Did not help either. So you're suggesting leaving the PDC offline for a bit and then running gpupdate /force and see what happens? I've been trying to read about creating custom ADMs but I'm also running an office of 125+ PCs by myself this week. I just had a core switch fail as well (stressed!)
0
 
jstevens80 (Author) commented:
I have a CD with some software that needs to install a virtual LPT port (LPT1). SRP prevents me from running these 3 .msi files. I have another .msi that is my CiscoVPN client installer. I moved the VPN installer to the same location as the other .msi's. I can open my VPN msi but none of the others. All are in the same directory. I moved the restricted .msi's from disk to disk to remove security but still nothing.
0
 
jstevens80 (Author) commented:
It turns out that if I wait a couple hours after writing a new policy overwriting the tattooed policy, things will be OK. Maybe it's my replication between PDC and SDC. The other .msi's in question were locked by the publisher so only their installer could run the files, not myself behind the scenes, but it gave me the same error message I received when I was actually blocked by an SRP.
0
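The thread ends with two separate causes producing the same error: a tattooed SRP that took hours to be overwritten, and publisher-locked .msi files that SRP never blocked. The read-only PowerShell check below is an added example, not something posted in the thread; it tells those cases apart on a workstation. It assumes the standard SRP policy location `SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers` and the Application-log provider name shown in the code; the function names are hypothetical.

```powershell
# Added example (not from the thread). Read-only: inspects state, changes nothing.
$saferSubKey = 'SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SrpPolicyState {
    # Hypothetical helper: reports what SRP settings are still written ("tattooed")
    # under the machine and user policy hives.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $path = Join-Path $hive $saferSubKey
        if (-not (Test-Path $path)) {
            [pscustomobject]@{ Hive = $hive; Present = $false; DefaultLevel = $null; Rules = 0 }
            continue
        }
        $props = Get-ItemProperty -Path $path
        # Rules sit in numbered level subkeys (0 = Disallowed, 262144 = Unrestricted),
        # each with Paths / Hashes / UrlZones children holding one subkey per rule.
        $rules = Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.PSParentPath -match '\\(Paths|Hashes|UrlZones)$' }
        [pscustomobject]@{
            Hive         = $hive
            Present      = $true
            DefaultLevel = $props.DefaultLevel
            Rules        = @($rules).Count
        }
    }
}

function Get-SrpBlockEvents {
    param([int]$Hours = 24)
    # SRP records each block in the Application log (event IDs 865-868 and 882).
    # Assumption: provider name as registered on Vista and later.
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
        Id           = 865, 866, 867, 868, 882
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-SrpPolicyState | Format-Table -AutoSize
Get-SrpBlockEvents -Hours 24 | Format-List
gpresult /r /scope computer   # which GPOs the machine actually applied
```

A key that is still present while `gpresult` lists no GPO carrying SRP indicates leftover settings rather than a live policy; an install failure with no matching 865-868/882 event at that time points to something other than SRP.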
