Solved

Locked out of Group Policy

Posted on 2014-11-03
7
106 Views
Last Modified: 2014-11-08
Hi All,

I did a really dumb thing and I am hoping you can help me.

I locked myself out of gpedit.msc and gpmc.msc.

The lockout is coming from a policy that I put on the domain and I got distracted and forgot to deny admin to this policy.  

This is a doozy.

Help.

Karen
0
Comment
Question by:klsphotos
7 Comments
 
LVL 13

Expert Comment

by:Rizzle
ID: 40420094
What policy have you applied/denied?

Can you user another domain admin account to amend this policy?
0
 
LVL 19

Expert Comment

by:Kash
ID: 40420098
are you working remotely  or locally ?

if remotely then if you have another computer you can access, and then remote using RDP and see if you can log on that way and add exception for domain admins.
0
 

Author Comment

by:klsphotos
ID: 40420116
I do not recall if I applied it to user or computer but I moved my system to the computer ou and my account to the user our and refreshed policy and restarted and it's still there.

All systems here on the domain and users got the policy.  I did create a additional admin account and the same thing.  it is denied.  

I have NEVER done anything like this and am stumped.  It's set on the root of the domain, but not in the default domain policy so I need to get in.  I thought about changing the registry keys on my system since I can't edit gpedit to over ride it, I could do it manually but I do not know which registry setting that is.

I also read that I could rename mmc.msc and then run it from a command line but that hasn't been successful either.
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 13

Accepted Solution

by:
Rizzle earned 500 total points
ID: 40420129
You can try a few things:

1. Go to %root\windows\sytems32 and rename the GroupPolicy folder to GroupPolicy.old
2. Create a new folder called GroupPolicy
3. create folders inside named Machine and User (with nothing inside)
4.Restart server

Maybe this may help?
https://social.technet.microsoft.com/Forums/windowsserver/en-US/97c38692-1482-4b35-953f-04eb06fc82a1/locked-myself-out-of-gpeditmsc-cant-access-anything
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 40420198
This is what I would try first

Reset All User Permissions To Default

http://www.bleepingcomputer.com/forums/t/509474/reset-all-user-permissions-to-default/
0
 

Assisted Solution

by:klsphotos
klsphotos earned 0 total points
ID: 40420233
I got it, Roshan link was partially responsible.

I am not willing to change the name of the folders on the whole domain for this, I am not sure of the implications and we have several sites that policy syncs too.  I worked to hard to get all of that working, I'm not doing that.  If I can change the settings on my local system they will override the domain policy.

I can't reset all permissions to default, this is a whole domain.

What I did do and still can't believe that it worked is I went into the registry and went to HKCU\Software\Policies on my system.   I changed all the software restrictions policies which had a value of 1 to value of 0 and was concerned because if I restarted, the same policy would apply again so I didn't restart and magically it worked and I was able to open it, remove the policy and force gp update.  

How crazy is that that that is all you have to do to change policy for the domain on your local system?  Better make sure I block regedit from users as well and not forget to deny domain next time and never again put it on the default domain level ;).

Thank you everyone!
0
 

Author Closing Comment

by:klsphotos
ID: 40430077
I followed the link provided and it showed me the registry paths that I could edit to get back into what was restricted.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

930 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now