redworks asked on

Disabling Group Policy Management (locked out!)

Hi

OK, I have done something terribly stupid.

On the domain controller, I was playing with a new group policy for our new terminal server. As you can understand, I limited as much as possible (cmd, PowerShell, regedit, etc). Stupid me, I also restricted the administrator user.

Now, when logging in to the server or any other for that matter, it blocks all. I can not remove this policy. What can I do to temporarily disable GPO, and unset it (at least for admin users)?
Windows Server 2012, Active Directory

Last comment by redworks: 8/22/2022 - Mon
Carl Webster

Method #1: Very simple, on the GPO, go to the last tab, bottom right, click that button, add your admin account/group and then set the Deny right to the policy object.  OK out, exit the GPO and reboot your server.

Method #2: move the server object in AD to an OU where the GPO does not apply, reboot the server.

ALWAYS do method 1 when creating new GPOs.  Another piece of advice, never create AND link a GPO when you create it.  Always create a new GPO in the Group Policy Object container in the GP Mgmt Console.
redworks

ASKER
M1: Will probably not work. I disabled cmd/PowerShell, and all access to Control Panel.

M2: How do I do this?
Carl Webster

Was the GPO linked to an OU where your terminal servers reside?  Or linked at the domain level?
redworks

ASKER
Domain I think.
Carl Webster

OUCH

On the DC can you not get into the GPMC?

Is this for a test or production domain?
redworks

ASKER
Ouch indeed!
Well, I am installing it FOR a production. But I am so far done... Would cost me lot of work to start over :(

Would like to add, I can boot from Win2012 DVD, go to recovery cmd prompt, and run regedit. Anything I can do there to temporarily disable GPO?
Carl Webster

can you run services.msc and disable the Group Policy service?

or maybe:

sc config gpsvc start= disabled (yes that is a space after the =)

If that doesn't work,

Computer\HKLM\SYSTEM\CCS\services\gpsvc\Start

change from 2 to 4
redworks

ASKER
Also no go... :(
Didn't work
yo_bee

Why can't you just delete the GPO link and reboot the server?
this should remove the GP settings.
John Gobert

How exactly did you apply the restrictions?

Any chance you could build a new VM or image a PC real quick that's not on your domain, install RSAT, join the machine to the domain but *don't* reboot yet... use run-as to load the GPMC or PowerShell and disable the bad policy.

The restrictive GPO won't actually apply to the machine you'd be using until you reboot... you'll have to definitely launch whatever tools you need using domain admin credentials which should be no problem once the join operation finishes... you'll be prompted for credentials enough to drive you crazy but it is a window that you can possibly exploit..?
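The recovery that Carl Webster's methods #1/#2 and the RSAT suggestion above describe, as an added PowerShell example that is not from the thread: it is meant to be run from a domain-joined admin workstation that has not yet applied the lockdown GPO, using RSAT's GroupPolicy and ActiveDirectory modules under domain admin credentials. The GPO name, domain DN, server name and quarantine OU are placeholders, not values from the question.

```powershell
# Added example, not from the original thread. Requires RSAT (GroupPolicy and
# ActiveDirectory modules) and a session running as a domain admin.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName  = 'TS Lockdown'              # placeholder: the restrictive GPO
$DomainDN = 'DC=corp,DC=example'       # placeholder: your domain's DN
$Server   = 'TS01'                     # placeholder: the locked-out terminal server
$SafeOU   = "OU=Quarantine,$DomainDN"  # placeholder: OU with no lockdown GPO linked

# 1. Find out where the GPO is linked (domain root or an OU) before changing anything.
$links = Get-GPInheritance -Target $DomainDN |
         Select-Object -ExpandProperty GpoLinks |
         Where-Object { $_.DisplayName -eq $GpoName }
$links | Format-Table DisplayName, Enabled, Enforced, Order, Target

# 2. Least destructive fix: disable the link instead of deleting the GPO, so the
#    settings survive and can be corrected later in GPMC.
foreach ($link in $links) {
    Set-GPLink -Name $GpoName -Target $link.Target -LinkEnabled No
}

# 3. Alternative (method #2 in the thread): move the server's computer object to an
#    OU the GPO does not reach. If the GPO is linked at the domain root this only
#    helps when inheritance is blocked on that OU, and not at all if the link is
#    marked Enforced.
Set-GPInheritance -Target $SafeOU -IsBlocked Yes
$computer = Get-ADComputer -Identity $Server
Move-ADObject -Identity $computer.DistinguishedName -TargetPath $SafeOU

# 4. Verify: the link should now report Enabled = False. The server stops applying
#    the settings after a reboot or a gpupdate /force run on it.
Get-GPInheritance -Target $DomainDN |
    Select-Object -ExpandProperty GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName } |
    Format-Table DisplayName, Enabled, Target
```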
John Gobert

Another idea... why not just edit the ADM files for that policy in notepad to remove the restriction on the admin user so you can clean this up... I wouldn't just delete the policy but you should be able to browse to \\yourdomain\sysvol\yourdomain\policies from any machine on your network... you'll be prompted for credentials with good permissions but once you're there the ADM files are plain text...

??
Sarang Tinguria

Access the sysvol folder with administrator ID

Take ownership of the folder and put deny access to GUID of folders under \\domain.local\sysvol\policies\{GUID} for administrators then restart the DC

In this way you would deny access to GPO and so policies will not be applied to Administrator user ID then you can login to DC and fine tune settings via GPMC
John Gobert

@sarang... I'm not sure that would work in this case... the policy has already propagated out to his domain so unless there is some type of update that revokes the policy or modifies the policy settings it won't just stop applying...
Sarang Tinguria

OK, so create another admin account by installing the admin pack on one of the member machines and do the same with that... let's see if that works
ASKER CERTIFIED SOLUTION
redworks

redworks

ASKER
Seems this is one of those questions to which there is no solution.