Solved

Locked out of Group Policy

Posted on 2014-11-03
7
102 Views
Last Modified: 2014-11-08
Hi All,

I did a really dumb thing and I am hoping you can help me.

I locked myself out of gpedit.msc and gpmc.msc.

The lockout is coming from a policy that I put on the domain and I got distracted and forgot to deny admin to this policy.  

This is a doozy.

Help.

Karen
0
Comment
Question by:klsphotos
7 Comments
 
LVL 13

Expert Comment

by:Rizzle
ID: 40420094
What policy have you applied/denied?

Can you user another domain admin account to amend this policy?
0
 
LVL 19

Expert Comment

by:Kash
ID: 40420098
are you working remotely  or locally ?

if remotely then if you have another computer you can access, and then remote using RDP and see if you can log on that way and add exception for domain admins.
0
 

Author Comment

by:klsphotos
ID: 40420116
I do not recall if I applied it to user or computer but I moved my system to the computer ou and my account to the user our and refreshed policy and restarted and it's still there.

All systems here on the domain and users got the policy.  I did create a additional admin account and the same thing.  it is denied.  

I have NEVER done anything like this and am stumped.  It's set on the root of the domain, but not in the default domain policy so I need to get in.  I thought about changing the registry keys on my system since I can't edit gpedit to over ride it, I could do it manually but I do not know which registry setting that is.

I also read that I could rename mmc.msc and then run it from a command line but that hasn't been successful either.
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 13

Accepted Solution

by:
Rizzle earned 500 total points
ID: 40420129
You can try a few things:

1. Go to %root\windows\sytems32 and rename the GroupPolicy folder to GroupPolicy.old
2. Create a new folder called GroupPolicy
3. create folders inside named Machine and User (with nothing inside)
4.Restart server

Maybe this may help?
https://social.technet.microsoft.com/Forums/windowsserver/en-US/97c38692-1482-4b35-953f-04eb06fc82a1/locked-myself-out-of-gpeditmsc-cant-access-anything
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 40420198
This is what I would try first

Reset All User Permissions To Default

http://www.bleepingcomputer.com/forums/t/509474/reset-all-user-permissions-to-default/
0
 

Assisted Solution

by:klsphotos
klsphotos earned 0 total points
ID: 40420233
I got it, Roshan link was partially responsible.

I am not willing to change the name of the folders on the whole domain for this, I am not sure of the implications and we have several sites that policy syncs too.  I worked to hard to get all of that working, I'm not doing that.  If I can change the settings on my local system they will override the domain policy.

I can't reset all permissions to default, this is a whole domain.

What I did do and still can't believe that it worked is I went into the registry and went to HKCU\Software\Policies on my system.   I changed all the software restrictions policies which had a value of 1 to value of 0 and was concerned because if I restarted, the same policy would apply again so I didn't restart and magically it worked and I was able to open it, remove the policy and force gp update.  

How crazy is that that that is all you have to do to change policy for the domain on your local system?  Better make sure I block regedit from users as well and not forget to deny domain next time and never again put it on the default domain level ;).

Thank you everyone!
0
 

Author Closing Comment

by:klsphotos
ID: 40430077
I followed the link provided and it showed me the registry paths that I could edit to get back into what was restricted.
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Installing a printer using group policy preferences is not that hard let’s take a look at it. First lets open up your group policy console and edit the policy you want to add it to. I recommend creating a new policy for each printer makes it a l…
Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now