• Status: Solved

Add or Remove Programs has been restricted. Please check with your administrator.

I screwed GPO somewhere (at least I think I did) on Windows 2003 SBS Server. Domain Users group
cannot open Add/Remove Programs (Control Panel) - Add or Remove Programs has been restricted. Please check with your administrator.

or run REGEDIT - Registry editing has been disabled by your administrator.

gpresult:

C:\Documents and Settings\ship>gpresult

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 8/26/2010 at 8:31:47 AM


RSOP results for ARC\ship on SHIPPING-PC : Logging Mode
--------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 ARC
Domain Type:                 Windows 2000
Site Name:                   Default-First-Site-Name
Roaming Profile:
Local Profile:               C:\Documents and Settings\ship
Connected over a slow link?: No


COMPUTER SETTINGS
------------------

    Last time Group Policy was applied: 8/26/2010 at 8:25:56 AM
    Group Policy was applied from:      server.ARC.local
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server Folder Redirection
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        SHIPPING-PC$
        Domain Computers
        CERTSVC_DCOM_ACCESS


USER SETTINGS
--------------

    Last time Group Policy was applied: 8/26/2010 at 8:28:56 AM
    Group Policy was applied from:      server.ARC.local
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Restrictions
        Small Business Server Folder Redirection

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server - Windows Vista policy
            Filtering:  Denied (WMI Filter)
            WMI Filter: Vista

        Small Business Server Internet Connection Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PreSP2

        Default Domain Policy
            Filtering:  Disabled (GPO)

        Small Business Server Remote Assistance Policy
            Filtering:  Disabled (GPO)

        Windows Search
            Filtering:  Not Applied (Empty)

        Small Business Server Windows Firewall
            Filtering:  Not Applied (Empty)

        Small Business Server Lockout Policy
            Filtering:  Disabled (GPO)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Client Computer
            Filtering:  Not Applied (Empty)

        Small Business Server Domain Password Policy
            Filtering:  Not Applied (Empty)

        WSUS
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Admins
        Everyone
        Offer Remote Assistance Helpers
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
        Domain Users
        SBS Report Users
        Web Workplace Users
        CERTSVC_DCOM_ACCESS

Asked by: Anti-Mhz

Krzysztof Pytko (Active Directory Engineer) Commented:
You set limited access to control panel in GPO. If you did it, you can revert it. Or, if it should be like that, run in command-line

control appwiz.cpl

or

runas /user:administrator "control appwiz.cpl"

it runs Add/Remove software on local administrator account

woolnoir Commented:
So it's the 'restrictions' policy, or so it looks like, which has added the restrictions? Check in users->admin templates>control panel and look for any settings in there to restrict.
0
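
The reading of the gpresult output made in the comment above, as an added example that is not part of the thread: a small Python parser that lists, per scope, which GPOs were applied and which were filtered out and why. The sample is abridged from the output posted in the question; the function name `parse_gpresult` is hypothetical.

```python
# Abridged from the gpresult output posted in the question (same layout).
SAMPLE = """\
COMPUTER SETTINGS
------------------
    Applied Group Policy Objects
    -----------------------------
        N/A

USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Restrictions
        Small Business Server Folder Redirection
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server - Windows Vista policy
            Filtering:  Denied (WMI Filter)
            WMI Filter: Vista
        Default Domain Policy
            Filtering:  Disabled (GPO)
    The user is a part of the following security groups:
        Domain Admins
"""

def parse_gpresult(text):
    """Return {scope: {"applied": [names], "filtered": {name: reason}}}."""
    result, cur, section, last = {}, None, None, None
    for line in map(str.strip, text.splitlines()):
        if line in ("COMPUTER SETTINGS", "USER SETTINGS"):
            cur = result[line.split()[0].lower()] = {"applied": [], "filtered": {}}
            section = None
        elif cur is None or not line or set(line) == {"-"}:
            continue  # preamble, blank lines and dashed rules
        elif line == "Applied Group Policy Objects":
            section = "applied"
        elif line.startswith("The following GPOs were not applied"):
            section = "filtered"
        elif line.endswith("security groups:"):
            section = None  # group membership list, not GPOs
        elif section == "applied" and line != "N/A":
            cur["applied"].append(line)
        elif section == "filtered" and line.startswith("Filtering:"):
            cur["filtered"][last] = line.split(":", 1)[1].strip()
        elif section == "filtered" and not line.startswith("WMI Filter:"):
            last = line  # GPO name; its Filtering: line follows

    return result

if __name__ == "__main__":
    for scope, data in parse_gpresult(SAMPLE).items():
        print(scope, "applied:", data["applied"], "filtered:", data["filtered"])
```

On the posted output this leaves "Restrictions" as the only non-SBS GPO applied to the user, and shows the Default Domain Policy as disabled rather than applied.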

Krzysztof Pytko (Active Directory Engineer) Commented:
OK, now I can see what you want. Run RSoP.msc from the Run menu

and navigate to:

User Configuration -> Administrative Templates -> Control Panel

and check what policy name is there. Then you would know what you changed and where :)

Krzysztof Pytko (Active Directory Engineer) Commented:
slow typing ;)

woolnoir Commented:
@iSiek that's normally me :) People always seem to get in there above me... think it's my old hands.

Anti-Mhz (Author) Commented:
I found this for Add/Remove Programs:

"Try this:
Go to Control Panel, hold down the left "Shift" key and right-click on "Add/Remove Programs" and select "Run As..". This will ask you if you want to use the "Current User" or "Select User". Try selecting other users and see if another user will allow you to un-install."

Is there a similar way of accessing REGEDIT?

woolnoir Commented:
you can right click on regedit in %windir%\system32 and put runas as long as you have other authentication credentials.

woolnoir Commented:
But I'm confused, isn't your problem that you want to remove the entry in the GPO preventing access to add/remove programs? Or am I confused.

Krzysztof Pytko (Active Directory Engineer) Commented:
@woolnoir :) yup, fingers getting old ;)

you can use command-line

runas /user:<username> %windir%\system32\regedit.exe
or use woolnoir method over gui :)

And I'm also confused about your needs :)
You want to fix it, or leave as it is?

Anti-Mhz (Author) Commented:
Whole new opportunities. I get to keep the system restrictions as is for domain users.

What about network connections? Is there a .cpl name for that?

Anti-Mhz (Author) Commented:
Local Area Network - Some of the controls on this property sheet are disabled because you do not have sufficient privileges to access or change them

Anti-Mhz (Author) Commented:
Awesome, Run as works for SYSTEM (control panel) as well

Krzysztof Pytko (Active Directory Engineer) Commented:
ncpa.cpl

Anti-Mhz (Author) Commented:
ncpa.cpl opens C:\ (Windows Explorer window) - spyware/virus?

these might come in handy later:

System (Control panel)
C:\Documents and Settings\User>runas /user:administrator@domain.local "control Sysdm.cpl"

Registry:
C:\Documents and Settings\User>runas /user:administrator@domain.local "%windir%\system32\regedt32.exe"

Add/Remove Programs (Control Panel):
C:\Documents and Settings\User>runas /user:administrator@domain.local "control appwiz.cpl"

Anti-Mhz (Author) Commented:
Same command, different workstation, same usergroup, again C:\ (Windows Explorer window) opens up

woolnoir Commented:
I'm a whole new level of confused now... I thought this thread was about diagnosing and fixing the GPO issue... and now I have no idea :)

Anti-Mhz (Author) Commented:
Actually this thread is already solved. My question should be in another thread.

woolnoir Commented:
Did we solve, or did you :)

Anti-Mhz (Author) Commented:
I believe it was a group effort

Krzysztof Pytko (Active Directory Engineer) Commented:
strange, on my each PC ncpa.cpl shows "Network Connections" :/
Check if you can run ncpa.cpl by double click. It is located in %WINDIR%\System32\ncpa.cpl

Anti-Mhz (Author) Commented:
Can I. ncpa.cpl > double click > Network Connections
ncpa.cpl > right click > system administrator or domain administrator credentials > Windows Explorer opens up C:\