Solved

Locked out of Group Policy

Posted on 2014-11-03
7
112 Views
Last Modified: 2014-11-08
Hi All,

I did a really dumb thing and I am hoping you can help me.

I locked myself out of gpedit.msc and gpmc.msc.

The lockout is coming from a policy that I put on the domain and I got distracted and forgot to deny admin to this policy.  

This is a doozy.

Help.

Karen
0
Comment
Question by:klsphotos
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 13

Expert Comment

by:Rizzle
ID: 40420094
What policy have you applied/denied?

Can you user another domain admin account to amend this policy?
0
 
LVL 19

Expert Comment

by:Kash
ID: 40420098
are you working remotely  or locally ?

if remotely then if you have another computer you can access, and then remote using RDP and see if you can log on that way and add exception for domain admins.
0
 

Author Comment

by:klsphotos
ID: 40420116
I do not recall if I applied it to user or computer but I moved my system to the computer ou and my account to the user our and refreshed policy and restarted and it's still there.

All systems here on the domain and users got the policy.  I did create a additional admin account and the same thing.  it is denied.  

I have NEVER done anything like this and am stumped.  It's set on the root of the domain, but not in the default domain policy so I need to get in.  I thought about changing the registry keys on my system since I can't edit gpedit to over ride it, I could do it manually but I do not know which registry setting that is.

I also read that I could rename mmc.msc and then run it from a command line but that hasn't been successful either.
0
SharePoint Admin?

Enable Your Employees To Focus On The Core With Intuitive Onscreen Guidance That is With You At The Moment of Need.

 
LVL 13

Accepted Solution

by:
Rizzle earned 500 total points
ID: 40420129
You can try a few things:

1. Go to %root\windows\sytems32 and rename the GroupPolicy folder to GroupPolicy.old
2. Create a new folder called GroupPolicy
3. create folders inside named Machine and User (with nothing inside)
4.Restart server

Maybe this may help?
https://social.technet.microsoft.com/Forums/windowsserver/en-US/97c38692-1482-4b35-953f-04eb06fc82a1/locked-myself-out-of-gpeditmsc-cant-access-anything
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 40420198
This is what I would try first

Reset All User Permissions To Default

http://www.bleepingcomputer.com/forums/t/509474/reset-all-user-permissions-to-default/
0
 

Assisted Solution

by:klsphotos
klsphotos earned 0 total points
ID: 40420233
I got it, Roshan link was partially responsible.

I am not willing to change the name of the folders on the whole domain for this, I am not sure of the implications and we have several sites that policy syncs too.  I worked to hard to get all of that working, I'm not doing that.  If I can change the settings on my local system they will override the domain policy.

I can't reset all permissions to default, this is a whole domain.

What I did do and still can't believe that it worked is I went into the registry and went to HKCU\Software\Policies on my system.   I changed all the software restrictions policies which had a value of 1 to value of 0 and was concerned because if I restarted, the same policy would apply again so I didn't restart and magically it worked and I was able to open it, remove the policy and force gp update.  

How crazy is that that that is all you have to do to change policy for the domain on your local system?  Better make sure I block regedit from users as well and not forget to deny domain next time and never again put it on the default domain level ;).

Thank you everyone!
0
 

Author Closing Comment

by:klsphotos
ID: 40430077
I followed the link provided and it showed me the registry paths that I could edit to get back into what was restricted.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question