Solved

Add or Remove Programs has been restricted. Please check with your administrator.

Posted on 2010-08-26
21
2,581 Views
Last Modified: 2012-06-27
I screwed GPO somewhere (at least I think i did) on Windows 2003 SBS Server. Domain Users group
cannot open Add/Remove Programs (Control Panel) - Add or Remove Programs has been restricted. Please check with your administrator.

or run REGEDIT - Registry editing has been disabled by your administrator.

gpresult:

C:\Documents and Settings\ship>gpresult

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 8/26/2010 at 8:31:47 AM


RSOP results for ARC\ship on SHIPPING-PC : Logging Mode
--------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 ARC
Domain Type:                 Windows 2000
Site Name:                   Default-First-Site-Name
Roaming Profile:
Local Profile:               C:\Documents and Settings\ship
Connected over a slow link?: No


COMPUTER SETTINGS
------------------

    Last time Group Policy was applied: 8/26/2010 at 8:25:56 AM
    Group Policy was applied from:      server.ARC.local
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server Folder Redirection
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        SHIPPING-PC$
        Domain Computers
        CERTSVC_DCOM_ACCESS


USER SETTINGS
--------------

    Last time Group Policy was applied: 8/26/2010 at 8:28:56 AM
    Group Policy was applied from:      server.ARC.local
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Restrictions
        Small Business Server Folder Redirection

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server - Windows Vista policy
            Filtering:  Denied (WMI Filter)
            WMI Filter: Vista

        Small Business Server Internet Connection Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PreSP2

        Default Domain Policy
            Filtering:  Disabled (GPO)

        Small Business Server Remote Assistance Policy
            Filtering:  Disabled (GPO)

        Windows Search
            Filtering:  Not Applied (Empty)

        Small Business Server Windows Firewall
            Filtering:  Not Applied (Empty)

        Small Business Server Lockout Policy
            Filtering:  Disabled (GPO)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Client Computer
            Filtering:  Not Applied (Empty)

        Small Business Server Domain Password Policy
            Filtering:  Not Applied (Empty)

        WSUS
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Admins
        Everyone
        Offer Remote Assistance Helpers
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
        Domain Users
        SBS Report Users
        Web Workplace Users
        CERTSVC_DCOM_ACCESS
0
Comment
Question by:Anti-Mhz
  • 9
  • 6
  • 6
21 Comments
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 150 total points
ID: 33531860
You set limited access to control panel in GPO. If you did it, you can revert it. Or if it should be like that run in command-line

control appwiz.cpl

or

runas /user: administrator "control appwiz.cpl" it runs Add/Remove software on local administrator account
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33531863
so its the 'restrictions' policy or so it looks like which has added the restrictions ? check in users->admin templates>control panel and look for any settings in there to restrict.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33531897
ok now I can see what you want. Run RSoP.msc from run menu

and navigate to:

User Configuration -> Administrative Templates -> Control Panel

and check what policy name is there. Then you would know what you changed and where :)
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33531901
slow typing ;)
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33532058
@iSiek thats normally me :) people always seem to get in there above me... think its my old hands.
0
 
LVL 1

Author Comment

by:Anti-Mhz
ID: 33532065
I found this for Add/Remove Programs:

"Try this:
Go to Control Panel, Hold down the left "Shift" key and right click on "Add/Remove Programs" and select "Run As..". This will ask you if you want to use the "Current User" or " Select User". Try selecting other users and see if another user will allow you to un-install."



is there a similar way of accessing REGEDIT?

 
0
 
LVL 20

Assisted Solution

by:woolnoir
woolnoir earned 100 total points
ID: 33532087
you can right click on regedit in %windir%\system32 and put runas as long as you have other authentication credentials.
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33532093
But im confused, isnt your problem that you want to remove the entry in the GPO preventing access to add/remove programs ? or am i confused.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33532143
@woolnoir :) yup, fingers getting old ;)

you can use command-line

runas /user:<username> %windir%\system32\regedit.exe
or use woolnoir method over gui :)

And I'm also confused aout your needs :)
You want to fix it, or leave as it is?
0
 
LVL 1

Author Comment

by:Anti-Mhz
ID: 33532234
whole new opportunities. I get to keep the system restrictions as is for domain users.

what about network connections. is there .cpl name for that?
0
 
LVL 1

Author Comment

by:Anti-Mhz
ID: 33532255
Local area Network - Some of the controls on this property seeht are disabled because you do not have sufficient privilegs to access to change them
0
 
LVL 1

Author Comment

by:Anti-Mhz
ID: 33532266
AWesome, Run as works for SYSTEM (control panel) as well
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33532272
ncpa.cpl
0
 
LVL 1

Author Comment

by:Anti-Mhz
ID: 33532547
ncpa.cpl opens C:\ (Windows Explorer window) - spyware/virus ?

these might come in handy later:

System (Control panel)
C:\Documents and Settings\User>runas /user:administrator@domain.local "control Sysd
m.cpl"

Registry:
C:\Documents and Settings\User>runas /user:administrator@domain.local "%windir%\sys
tem32\regedt32.exe"

Add/Remove Programs (Control Panel):
C:\Documents and Settings\User>runas /user:administrator@domain.local "control appw
iz.cpl"






0
 
LVL 1

Author Comment

by:Anti-Mhz
ID: 33533276
same command , different workstation, same usergroup,  again C:\ (windows  explorer window) opens up
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33533837
I'm a whole new level of confused now... i thought this thread was about diagnosing and fixing the GPO issue... and now i have no idea :)
0
 
LVL 1

Author Comment

by:Anti-Mhz
ID: 33533873
actualy this thread is already solved. my question should be in another thread.
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33533887
Did we solve, or did you :)
0
 
LVL 1

Author Comment

by:Anti-Mhz
ID: 33533919
i believe it was a group effort
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33539219
strange, on my each PC ncpa.cpl shows "Network Connections" :/
Check if you can run ncpa.cpl by double click. It is located in %WINDIR%\System32\ncpa.cpl
0
 
LVL 1

Author Comment

by:Anti-Mhz
ID: 33542067
can i. ncpa.cpl > double click > network connections
ncpa.cpl > right click > system administrator or domain administrator credentials> Windows Explorer opens up C:\
0

Join & Write a Comment

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
Synchronize a new Active Directory domain with an existing Office 365 tenant
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now