If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.
COURSE of the MONTH
10 days, left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Disabling Group Policy Management (locked out!)
Posted on 2013-01-01
Hi
OK, I have done something terribly stupid.
On the domain controler, I have was playing with a new group policy for our new terminal server. As you can understand, I limited as much as possible (cmd, powershell, regedit, etc). Stupid me, I also restricted the administrator user.
Now, when logging in to the server or any other for that matter, it blocks all. I can not remove this policy. What can I do to temporarily disable GPO, and unset it (at least for admin users)?
OK, I have done something terribly stupid.
On the domain controler, I have was playing with a new group policy for our new terminal server. As you can understand, I limited as much as possible (cmd, powershell, regedit, etc). Stupid me, I also restricted the administrator user.
Now, when logging in to the server or any other for that matter, it blocks all. I can not remove this policy. What can I do to temporarily disable GPO, and unset it (at least for admin users)?
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
6
4
3- +2
16 Comments
Active 6 days ago
Method #1: Very simple, on the GPO, go to the last tab, bottom right, click that button, add your admin account/group and then set the Deny right to the policy object. OK out, exit the GPO and reboot your server.
Method #2: move the server object in AD to an OU where the GPO does not apply, reboot the server.
ALWAYS do method 1 when creating new GPOs. Another piece of advice, never create AND link a GPO when you create it. Always create a new GPO in the Group Policy Object container in the GP Mgmt Console.
Method #2: move the server object in AD to an OU where the GPO does not apply, reboot the server.
ALWAYS do method 1 when creating new GPOs. Another piece of advice, never create AND link a GPO when you create it. Always create a new GPO in the Group Policy Object container in the GP Mgmt Console.
M1: Will probably not work. I disabled cmd/powershell, and all access to control panel.
M2: How do I do this?
M2: How do I do this?
Active 6 days ago
Was the GPO linked to an OU where your terminal servers reside? Or linked at the domain level?
Active 6 days ago
OUCH
On the DC can you not get into the GPMC?
Is this for a test or production domain?
On the DC can you not get into the GPMC?
Is this for a test or production domain?
Ouch indeed!
Well, I am installing it FOR a production. But I am so far done... Would cost me lot of work to start over :(
Would like to add, I can boot from Win2012 DVD, go to recovery cmd prompt, and run regedit. Anything I can do there to temporarily disable GPO?
Well, I am installing it FOR a production. But I am so far done... Would cost me lot of work to start over :(
Would like to add, I can boot from Win2012 DVD, go to recovery cmd prompt, and run regedit. Anything I can do there to temporarily disable GPO?
Active 6 days ago
can you run services.msc and disable the Group Policy service?
or maybe:
sc config gpsvc start= disabled (yes that is a space after the =)
If that doesn't work,
Computer\HKLM\SYSTEM\CCS\s
change from 2 to 4
or maybe:
sc config gpsvc start= disabled (yes that is a space after the =)
If that doesn't work,
Computer\HKLM\SYSTEM\CCS\s
change from 2 to 4
Active today
Why can't you just delete the GPO link and reboot the server?
this should remove the GP settings.
this should remove the GP settings.
How exactly did you apply the restrictions?
Any chance you could build a new VM or image a PC real quick that's not on your domain, install RSAT, join the machine to the domain but *don't* reboot yet... use run-as to load the GPMC or PowerShell and disable the bad policy.
The restrictive GPO won't actually apply to the machine you'd be using until you reboot... you'll have to definitely launch whatever tools you need using domain admin credentials which should be no problem once the join operation finishes... you'll be prompted for credentials enough to drive you crazy but it is a window that you can possibly exploit..?
Any chance you could build a new VM or image a PC real quick that's not on your domain, install RSAT, join the machine to the domain but *don't* reboot yet... use run-as to load the GPMC or PowerShell and disable the bad policy.
The restrictive GPO won't actually apply to the machine you'd be using until you reboot... you'll have to definitely launch whatever tools you need using domain admin credentials which should be no problem once the join operation finishes... you'll be prompted for credentials enough to drive you crazy but it is a window that you can possibly exploit..?
Another idea... why not just edit the ADM files for that policy in notepad to remove the restriction on the admin user so you can clean this up... I wouldn't just delete the policy but you should be able to browse to \\yourdomain\sysvol\yourdo
??
??
Active today
Access the sysvol folder with administrator ID
Take owner ship of the folder and put deny access to GUID of folders under \\domain.local\sysvol\poli
In this way you would deny access to GPO and so policies will not be applied to Administrator user ID then you can login to DC and fine tune settings via GPMC
Take owner ship of the folder and put deny access to GUID of folders under \\domain.local\sysvol\poli
In this way you would deny access to GPO and so policies will not be applied to Administrator user ID then you can login to DC and fine tune settings via GPMC
@sarang... I'm not sure that would work in this case... the policy has already propogated out to his domain so unless there is some type of update that revokes the policy or modifies the policy settings it won't just stop applying...
Active today
Ok..so create another admin account by installing admin pack on one of the member machine and do same with that ...lets see if that works
Featured Post
Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies. Only from Platform Scholar.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller.
Log onto the new domain controller with a user account t…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses
Course of the Month10 days, left to enroll
762 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.