Solved

Disabling Group Policy Management (locked out!)

Posted on 2013-01-01
721 Views
Last Modified: 2013-01-11
Hi

OK, I have done something terribly stupid.

On the domain controller, I was playing with a new group policy for our new terminal server. As you can understand, I limited as much as possible (cmd, powershell, regedit, etc). Stupid me, I also restricted the administrator user.

Now, when logging in to the server or any other for that matter, it blocks all. I can not remove this policy. What can I do to temporarily disable GPO, and unset it (at least for admin users)?
Question by:redworks
16 Comments
 
LVL 36

Expert Comment

by:Carl Webster
ID: 38735250
Method #1: Very simple, on the GPO, go to the last tab, bottom right, click that button, add your admin account/group and then set the Deny right to the policy object.  OK out, exit the GPO and reboot your server.

Method #2: move the server object in AD to an OU where the GPO does not apply, reboot the server.

ALWAYS do method 1 when creating new GPOs.  Another piece of advice, never create AND link a GPO when you create it.  Always create a new GPO in the Group Policy Object container in the GP Mgmt Console.
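Both methods above (the Deny on the GPO and the move to an unaffected OU), plus yo_bee's later suggestion of simply unlinking the GPO, can be done from any working Domain Admin session, for example a freshly joined RSAT workstation that has not rebooted into the lockdown yet. The script below is an added example and is not code from this thread or from Microsoft; the GPO name "TS Lockdown", the computer name "TS01", the "Staging" OU and the use of "Domain Admins" as the protected group are assumptions to be replaced with your own values. It also shows the check a practitioner would want afterwards: confirming the Deny entry and listing what is still linked at the domain.

```powershell
# Added example (not from the thread): recover from an over-restrictive GPO from a working
# Domain Admin session. Names below are assumptions for illustration.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName    = 'TS Lockdown'                                  # assumed name of the bad GPO
$AdminGroup = 'Domain Admins'                                # group that must never get the lockdown
$DomainDN   = (Get-ADDomain).DistinguishedName
$ServerDN   = (Get-ADComputer 'TS01').DistinguishedName      # assumed terminal server name
$SafeOU     = "OU=Staging,$DomainDN"                         # assumed OU with no link to the GPO

# Fastest relief: disable the domain-level link. The GPO object is kept for later cleanup,
# nothing has to be deleted.
Set-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled No

# Method #1: Deny "Apply Group Policy" for the admin group on the GPO's AD object.
# Set-GPPermission cannot write Deny entries, so the ACE is added with Get-Acl/Set-Acl on the
# groupPolicyContainer. edacfd8f-... is the well-known rightsGuid of "Apply Group Policy".
$gpo       = Get-GPO -Name $GpoName
$gpcPath   = "AD:\" + $gpo.Path                              # Gpo.Path is the container's DN
$acl       = Get-Acl -Path $gpcPath
$sid       = (Get-ADGroup $AdminGroup).SID
$applyGuid = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$denyAce   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                 $sid,
                 [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                 [System.Security.AccessControl.AccessControlType]::Deny,
                 $applyGuid)
$acl.AddAccessRule($denyAce)
Set-Acl -Path $gpcPath -AclObject $acl

# Check: the group should now show Denied = True for the Apply permission.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Trustee.Name -eq $AdminGroup } |
    Format-Table Trustee, Permission, Denied

# Method #2: move the server's computer object to an OU the GPO is not linked to,
# then reboot the server so the stale policy is refreshed away.
Move-ADObject -Identity $ServerDN -TargetPath $SafeOU

# Check: list everything still linked at the domain so no other link reintroduces the lockdown.
(Get-GPInheritance -Target $DomainDN).GpoLinks | Format-Table DisplayName, Enabled, Order
```

Because the Deny ACE is written to the AD object only, GPMC may later report that the SYSVOL permissions for this GPO are inconsistent with Active Directory and offer to synchronise them; accepting that keeps the two copies of the ACL in step. The deny takes effect at the next policy refresh or logon, which is why the reboot Carl mentions is still needed.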
 

Author Comment

by:redworks
ID: 38735258
M1: Will probably not work. I disabled cmd/powershell, and all access to control panel.

M2: How do I do this?
 
LVL 36

Expert Comment

by:Carl Webster
ID: 38735271
Was the GPO linked to an OU where your terminal servers reside?  Or linked at the domain level?

 

Author Comment

by:redworks
ID: 38735276
Domain I think.
 
LVL 36

Expert Comment

by:Carl Webster
ID: 38735281
OUCH

On the DC can you not get into the GPMC?

Is this for a test or production domain?
 

Author Comment

by:redworks
ID: 38735282
Ouch indeed!
Well, I am installing it FOR a production. But I am so far done... Would cost me lot of work to start over :(

Would like to add, I can boot from Win2012 DVD, go to recovery cmd prompt, and run regedit. Anything I can do there to temporarily disable GPO?
 
LVL 36

Expert Comment

by:Carl Webster
ID: 38735310
Can you run services.msc and disable the Group Policy service?

or maybe:

sc config gpsvc start= disabled (yes that is a space after the =)

If that doesn't work,

Computer\HKLM\SYSTEM\CCS\services\gpsvc\Start

change from 2 to 4
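The registry change above has to be made in the offline SYSTEM hive when the only way in is the recovery prompt from the install DVD. The following is an added example, not code from this thread: it loads that hive, resolves which ControlSetNNN is the live one (there is no CurrentControlSet alias in an offline hive), sets the gpsvc Start value from 2 to 4 and unloads cleanly. It assumes a session with PowerShell that can see the server's disk (WinPE with PowerShell added, or the server's virtual disk attached to another host); the drive letter in $OfflineWindows is an assumption.

```powershell
# Added example (not from the thread): disable the Group Policy Client service (gpsvc)
# in the OFFLINE SYSTEM hive of the locked-out server. $OfflineWindows is an assumption.
$OfflineWindows = 'D:\Windows'
$HiveKey        = 'HKLM\OfflineSys'          # temporary mount point for the offline hive

reg.exe load $HiveKey "$OfflineWindows\System32\config\SYSTEM" | Out-Null
try {
    # Offline there is no CurrentControlSet; Select\Current names the live ControlSetNNN.
    $current = (Get-ItemProperty 'HKLM:\OfflineSys\Select' -Name Current).Current
    $svcKey  = 'HKLM:\OfflineSys\ControlSet{0:D3}\Services\gpsvc' -f $current

    $before = (Get-ItemProperty $svcKey -Name Start).Start
    "gpsvc Start before: $before (2 = Automatic, 4 = Disabled)"

    Set-ItemProperty $svcKey -Name Start -Value 4 -Type DWord

    $after = (Get-ItemProperty $svcKey -Name Start).Start
    "gpsvc Start after : $after"
}
finally {
    [GC]::Collect()                          # drop handles so the hive can be unloaded
    reg.exe unload $HiveKey | Out-Null
}
```

The caveat worth knowing before trying this: disabling gpsvc only stops future policy refreshes. Values the GPO has already written into the registry, such as DisableCMD under HKCU\Software\Policies\Microsoft\Windows\System or DisableRegistryTools under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, stay where they are, which is consistent with the asker reporting that this did not help. The actual fix is still to stop the GPO from applying (unlink it, or deny it to the admin group) and let a normal refresh remove the settings.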
 

Author Comment

by:redworks
ID: 38735338
Also no go... :(
Didn't work
 
LVL 23

Expert Comment

by:yo_bee
ID: 38735431
Why can't you just delete the GPO link and reboot the server?
This should remove the GP settings.
 
LVL 8

Expert Comment

by:jpgobert
ID: 38735455
How exactly did you apply the restrictions?

Any chance you could build a new VM or image a PC real quick that's not on your domain, install RSAT, join the machine to the domain but *don't* reboot yet... use run-as to load the GPMC or PowerShell and disable the bad policy.

The restrictive GPO won't actually apply to the machine you'd be using until you reboot... you'll have to definitely launch whatever tools you need using domain admin credentials which should be no problem once the join operation finishes... you'll be prompted for credentials enough to drive you crazy but it is a window that you can possibly exploit..?
 
LVL 8

Expert Comment

by:jpgobert
ID: 38735460
Another idea... why not just edit the ADM files for that policy in notepad to remove the restriction on the admin user so you can clean this up... I wouldn't just delete the policy but you should be able to browse to \\yourdomain\sysvol\yourdomain\policies from any machine on your network... you'll be prompted for credentials with good permissions but once you're there the ADM files are plain text...

??
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38737124
Access the sysvol folder with administrator ID

Take ownership of the folder and put deny access to GUID of folders under \\domain.local\sysvol\policies\{GUID} for administrators then restart the DC

In this way you would deny access to GPO and so policies will not be applied to Administrator user ID then you can login to DC and fine tune settings via GPMC
 
LVL 8

Expert Comment

by:jpgobert
ID: 38737165
@sarang... I'm not sure that would work in this case... the policy has already propagated out to his domain so unless there is some type of update that revokes the policy or modifies the policy settings it won't just stop applying...
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38737212
OK, so create another admin account by installing admin pack on one of the member machines and do the same with that... let's see if that works
 

Accepted Solution

by: redworks (earned 0 total points)
ID: 38748594
In the end, and I tried many things, I just reinstalled the whole thing.
Real bummer, but... This will only happen to me once :)

Would be nice if Microsoft could make some escape for this, or prevent this from applying to the core administrator....
 

Author Closing Comment

by:redworks
ID: 38766397
seems this is one of those questions to which there is no solution