Add or Remove Programs has been restricted. Please check with your administrator.

I screwed GPO somewhere (at least I think i did) on Windows 2003 SBS Server. Domain Users group
cannot open Add/Remove Programs (Control Panel) - Add or Remove Programs has been restricted. Please check with your administrator.

or run REGEDIT - Registry editing has been disabled by your administrator.

gpresult:

C:\Documents and Settings\ship>gpresult

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 8/26/2010 at 8:31:47 AM


RSOP results for ARC\ship on SHIPPING-PC : Logging Mode
--------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 ARC
Domain Type:                 Windows 2000
Site Name:                   Default-First-Site-Name
Roaming Profile:
Local Profile:               C:\Documents and Settings\ship
Connected over a slow link?: No


COMPUTER SETTINGS
------------------

    Last time Group Policy was applied: 8/26/2010 at 8:25:56 AM
    Group Policy was applied from:      server.ARC.local
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server Folder Redirection
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        SHIPPING-PC$
        Domain Computers
        CERTSVC_DCOM_ACCESS


USER SETTINGS
--------------

    Last time Group Policy was applied: 8/26/2010 at 8:28:56 AM
    Group Policy was applied from:      server.ARC.local
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Restrictions
        Small Business Server Folder Redirection

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server - Windows Vista policy
            Filtering:  Denied (WMI Filter)
            WMI Filter: Vista

        Small Business Server Internet Connection Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PreSP2

        Default Domain Policy
            Filtering:  Disabled (GPO)

        Small Business Server Remote Assistance Policy
            Filtering:  Disabled (GPO)

        Windows Search
            Filtering:  Not Applied (Empty)

        Small Business Server Windows Firewall
            Filtering:  Not Applied (Empty)

        Small Business Server Lockout Policy
            Filtering:  Disabled (GPO)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Client Computer
            Filtering:  Not Applied (Empty)

        Small Business Server Domain Password Policy
            Filtering:  Not Applied (Empty)

        WSUS
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Admins
        Everyone
        Offer Remote Assistance Helpers
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
        Domain Users
        SBS Report Users
        Web Workplace Users
        CERTSVC_DCOM_ACCESS
LVL 1
Anti-MhzAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
Krzysztof PytkoConnect With a Mentor Senior Active Directory EngineerCommented:
You set limited access to control panel in GPO. If you did it, you can revert it. Or if it should be like that run in command-line

control appwiz.cpl

or

runas /user: administrator "control appwiz.cpl" it runs Add/Remove software on local administrator account
0
 
woolnoirCommented:
so its the 'restrictions' policy or so it looks like which has added the restrictions ? check in users->admin templates>control panel and look for any settings in there to restrict.
0
 
Krzysztof PytkoSenior Active Directory EngineerCommented:
ok now I can see what you want. Run RSoP.msc from run menu

and navigate to:

User Configuration -> Administrative Templates -> Control Panel

and check what policy name is there. Then you would know what you changed and where :)
0
Get 10% Off Your First Squarespace Website

Ready to showcase your work, publish content or promote your business online? With Squarespace’s award-winning templates and 24/7 customer service, getting started is simple. Head to Squarespace.com and use offer code ‘EXPERTS’ to get 10% off your first purchase.

 
Krzysztof PytkoSenior Active Directory EngineerCommented:
slow typing ;)
0
 
woolnoirCommented:
@iSiek thats normally me :) people always seem to get in there above me... think its my old hands.
0
 
Anti-MhzAuthor Commented:
I found this for Add/Remove Programs:

"Try this:
Go to Control Panel, Hold down the left "Shift" key and right click on "Add/Remove Programs" and select "Run As..". This will ask you if you want to use the "Current User" or " Select User". Try selecting other users and see if another user will allow you to un-install."



is there a similar way of accessing REGEDIT?

 
0
 
woolnoirConnect With a Mentor Commented:
you can right click on regedit in %windir%\system32 and put runas as long as you have other authentication credentials.
0
 
woolnoirCommented:
But im confused, isnt your problem that you want to remove the entry in the GPO preventing access to add/remove programs ? or am i confused.
0
 
Krzysztof PytkoSenior Active Directory EngineerCommented:
@woolnoir :) yup, fingers getting old ;)

you can use command-line

runas /user:<username> %windir%\system32\regedit.exe
or use woolnoir method over gui :)

And I'm also confused aout your needs :)
You want to fix it, or leave as it is?
0
 
Anti-MhzAuthor Commented:
whole new opportunities. I get to keep the system restrictions as is for domain users.

what about network connections. is there .cpl name for that?
0
 
Anti-MhzAuthor Commented:
Local area Network - Some of the controls on this property seeht are disabled because you do not have sufficient privilegs to access to change them
0
 
Anti-MhzAuthor Commented:
AWesome, Run as works for SYSTEM (control panel) as well
0
 
Krzysztof PytkoSenior Active Directory EngineerCommented:
ncpa.cpl
0
 
Anti-MhzAuthor Commented:
ncpa.cpl opens C:\ (Windows Explorer window) - spyware/virus ?

these might come in handy later:

System (Control panel)
C:\Documents and Settings\User>runas /user:administrator@domain.local "control Sysd
m.cpl"

Registry:
C:\Documents and Settings\User>runas /user:administrator@domain.local "%windir%\sys
tem32\regedt32.exe"

Add/Remove Programs (Control Panel):
C:\Documents and Settings\User>runas /user:administrator@domain.local "control appw
iz.cpl"






0
 
Anti-MhzAuthor Commented:
same command , different workstation, same usergroup,  again C:\ (windows  explorer window) opens up
0
 
woolnoirCommented:
I'm a whole new level of confused now... i thought this thread was about diagnosing and fixing the GPO issue... and now i have no idea :)
0
 
Anti-MhzAuthor Commented:
actualy this thread is already solved. my question should be in another thread.
0
 
woolnoirCommented:
Did we solve, or did you :)
0
 
Anti-MhzAuthor Commented:
i believe it was a group effort
0
 
Krzysztof PytkoSenior Active Directory EngineerCommented:
strange, on my each PC ncpa.cpl shows "Network Connections" :/
Check if you can run ncpa.cpl by double click. It is located in %WINDIR%\System32\ncpa.cpl
0
 
Anti-MhzAuthor Commented:
can i. ncpa.cpl > double click > network connections
ncpa.cpl > right click > system administrator or domain administrator credentials> Windows Explorer opens up C:\
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.