Solved

Locked out of Group Policy

Posted on 2014-11-03
7
108 Views
Last Modified: 2014-11-08
Hi All,

I did a really dumb thing and I am hoping you can help me.

I locked myself out of gpedit.msc and gpmc.msc.

The lockout is coming from a policy that I put on the domain and I got distracted and forgot to deny admin to this policy.  

This is a doozy.

Help.

Karen
0
Comment
Question by:klsphotos
7 Comments
 
LVL 13

Expert Comment

by:Rizzle
ID: 40420094
What policy have you applied/denied?

Can you user another domain admin account to amend this policy?
0
 
LVL 19

Expert Comment

by:Kash
ID: 40420098
are you working remotely  or locally ?

if remotely then if you have another computer you can access, and then remote using RDP and see if you can log on that way and add exception for domain admins.
0
 

Author Comment

by:klsphotos
ID: 40420116
I do not recall if I applied it to user or computer but I moved my system to the computer ou and my account to the user our and refreshed policy and restarted and it's still there.

All systems here on the domain and users got the policy.  I did create a additional admin account and the same thing.  it is denied.  

I have NEVER done anything like this and am stumped.  It's set on the root of the domain, but not in the default domain policy so I need to get in.  I thought about changing the registry keys on my system since I can't edit gpedit to over ride it, I could do it manually but I do not know which registry setting that is.

I also read that I could rename mmc.msc and then run it from a command line but that hasn't been successful either.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 13

Accepted Solution

by:
Rizzle earned 500 total points
ID: 40420129
You can try a few things:

1. Go to %root\windows\sytems32 and rename the GroupPolicy folder to GroupPolicy.old
2. Create a new folder called GroupPolicy
3. create folders inside named Machine and User (with nothing inside)
4.Restart server

Maybe this may help?
https://social.technet.microsoft.com/Forums/windowsserver/en-US/97c38692-1482-4b35-953f-04eb06fc82a1/locked-myself-out-of-gpeditmsc-cant-access-anything
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 40420198
This is what I would try first

Reset All User Permissions To Default

http://www.bleepingcomputer.com/forums/t/509474/reset-all-user-permissions-to-default/
0
 

Assisted Solution

by:klsphotos
klsphotos earned 0 total points
ID: 40420233
I got it, Roshan link was partially responsible.

I am not willing to change the name of the folders on the whole domain for this, I am not sure of the implications and we have several sites that policy syncs too.  I worked to hard to get all of that working, I'm not doing that.  If I can change the settings on my local system they will override the domain policy.

I can't reset all permissions to default, this is a whole domain.

What I did do and still can't believe that it worked is I went into the registry and went to HKCU\Software\Policies on my system.   I changed all the software restrictions policies which had a value of 1 to value of 0 and was concerned because if I restarted, the same policy would apply again so I didn't restart and magically it worked and I was able to open it, remove the policy and force gp update.  

How crazy is that that that is all you have to do to change policy for the domain on your local system?  Better make sure I block regedit from users as well and not forget to deny domain next time and never again put it on the default domain level ;).

Thank you everyone!
0
 

Author Closing Comment

by:klsphotos
ID: 40430077
I followed the link provided and it showed me the registry paths that I could edit to get back into what was restricted.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
In-place Upgrading Dirsync to Azure AD Connect
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question