Help! My default domain group policy has become corrupt and it is disallowing ALL .exe files from running

I have the CryptoLocker blocking rules in place, blocking execution from the temp directories, but somehow the policy has become corrupt and is now disallowing all .exe files from running.
The SBS 2008 box and other workstations are slowly becoming unusable.
I can't run mmc, regedit, gpedit or anything else on the server, as they are blocked.

I cannot run dcgpofix, as it is an .exe too and is blocked by this corrupt policy.

How can I fix this before every machine quits working?
I can run regedit on a workstation and have attached to the remote registry of the server
Nick67 Asked:

Radhakrishnan R (Senior Technical Lead) Commented:
Hi,

Can't you even open GPMC and revert the changes? You could try to restore SYSVOL from a previous working backup.

If you are able to open command prompt then try this command

dcgpofix /target:Domain

PS - This will delete all the Default Domain Policy settings. Usually this should be performed only as a last resort.

Hope this helps.
Nick67 (Author) Commented:
MMC is an exe, and won't run
dcgpofix is an exe, and won't run.
No exe on the server will run

At the moment I can still run regedit on workstations, if that helps
Radhakrishnan R (Senior Technical Lead) Commented:
I would suggest rebooting the server into DSRM. Try replacing the GPO (copy the GUID from a working backup) and reboot into normal mode. See if that helps?
kevinhsieh Commented:
Never implement changes in the default domain policy. Always make a new GPO for any changes you are considering. This also allows you to test against a machine/user in a test OU where the GPO is applied first to determine the behavior.
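The staging approach described in that comment, written out in PowerShell as an added example (this is not code from the thread or from any of its participants). It assumes the GroupPolicy module is available (RSAT or Server 2008 R2 and later; SBS 2008 itself does not ship it, so run it from a management box), that the OU names, GPO name and backup folder are placeholders, and that the Software Restriction Policy registry layout under Safer\CodeIdentifiers (DefaultLevel, TransparentEnabled, and GUID-named path rules holding ItemData/SaferFlags/Description at level 0) is as I know it from the SRP registry structure; verify the result with rsop.msc or gpresult on the test machine before widening the link.

```powershell
# Added example: stage a CryptoLocker-style SRP GPO on a test OU and leave the
# Default Domain Policy untouched. GroupPolicy module, OU/GPO/backup names and
# the SRP registry layout are assumptions, not facts from the thread.
Import-Module GroupPolicy

$domainDn = ([adsi]'LDAP://RootDSE').defaultNamingContext
$testOu   = "OU=GPO-Test,$domainDn"        # placeholder: OU holding one test PC / user
$gpoName  = 'SRP - Block exe from Temp'    # placeholder
$backup   = 'C:\GPO-Backups'               # placeholder

# 1. Back up the Default Domain Policy before doing any GPO work at all.
New-Item -ItemType Directory -Force -Path $backup | Out-Null
Backup-GPO -Name 'Default Domain Policy' -Path $backup | Out-Null

# 2. A fresh GPO. Nothing is linked yet, so nothing applies anywhere.
New-GPO -Name $gpoName -Comment 'SRP temp-dir block; staged on test OU first' | Out-Null

# 3. SRP lives under HKLM\Software\Policies\Microsoft\Windows\Safer.
#    DefaultLevel 262144 (0x40000) = Unrestricted: only the listed paths are blocked.
#    DefaultLevel 0 = Disallowed for everything not matched by an Unrestricted rule,
#    i.e. no .exe runs at all. Check this value twice before linking anywhere.
$ci = 'HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
Set-GPRegistryValue -Name $gpoName -Key $ci -ValueName DefaultLevel        -Type DWord -Value 262144 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $ci -ValueName TransparentEnabled  -Type DWord -Value 1      | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $ci -ValueName PolicyScope         -Type DWord -Value 0      | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $ci -ValueName AuthenticodeEnabled -Type DWord -Value 0      | Out-Null

# 4. One Disallowed (level 0) path rule per temp location; each rule is a GUID-named key.
$blocked = @('%LocalAppData%\Temp\*.exe', '%AppData%\*.exe', '%Temp%\*.exe')
foreach ($pattern in $blocked) {
    $rule = "$ci\0\Paths\{$([guid]::NewGuid())}"
    Set-GPRegistryValue -Name $gpoName -Key $rule -ValueName ItemData    -Type ExpandString -Value $pattern          | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key $rule -ValueName SaferFlags  -Type DWord        -Value 0                 | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key $rule -ValueName Description -Type String       -Value "Block $pattern"  | Out-Null
}

# 5. Link to the test OU only, not enforced, then list the links to confirm the
#    domain root is not among them.
New-GPLink -Name $gpoName -Target $testOu -LinkEnabled Yes | Out-Null
(Get-GPInheritance -Target $testOu).GpoLinks | Format-Table DisplayName, Enabled, Enforced, Target

# 6. Only after the test machine and user behave as expected, link to production:
#    New-GPLink -Name $gpoName -Target "OU=Workstations,$domainDn" -LinkEnabled Yes
```

Because the rules live in their own GPO, undoing a mistake is a single Remove-GPLink (or Remove-GPO) rather than a repair of the Default Domain Policy, and a wrong DefaultLevel only takes out the test OU.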
pgm554 Commented:
> MMC is an exe, and won't run
> dcgpofix is an exe, and won't run.
> No exe on the server will run

Try renaming those .exe's with a different extension (e.g. dcgpofix.joe) after you make a backup copy of them in a different directory.
I've used this when virus software wouldn't let an executable run to clean up an infection.
Nick67 (Author) Commented:
Alas, software restrictions are very smart.
They are designed to keep that very kind of skullduggery from working.
I tried.
No Dice.
Nick67 (Author) Commented:
The solution proved to be remote registry editing.
Since I could still run that, I could get at the domain controller's registry
I phoned MS Support for only the second time in my career

The bad settings go under
HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer

We deleted all subkeys under \CodeIdentifiers and left only the AuthenticodeEnabled DWORD with a value of zero in place.

That freed up all .exe to run and allowed Group Policy management to run
We fixed the corrupt policies.
Three machines had become unbootable.
Those were booted to system repair disks and had the SOFTWARE registry hives loaded and similarly fixed.  They were then bootable.

After the server rebooted everything went back to normal

LESSON:  Don't modify the default domain GPO for any reason!

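The remote-registry fix described in the accepted answer, and the offline-hive variant used for the three unbootable machines, as an added example in PowerShell. This is not the thread's or Microsoft Support's code; the server name, hive path and backup folder are placeholders, and it assumes the Remote Registry service is running on the target, that the caller is a domain admin on a workstation that can still launch powershell.exe, and (for the offline mode) a WinRE session with PowerShell or another Windows box with the dead machine's disk attached.

```powershell
<#
  Added example (not from the thread). Clears Software Restriction Policy state the
  way the accepted answer describes: delete every subkey and value under
  HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, leaving only
  AuthenticodeEnabled = 0. Two modes (both assumptions about how you reach the box):
    -ComputerName  edit another machine's live registry via the Remote Registry service
    -OfflineHive   edit a SOFTWARE hive file mounted from a repair disk / WinRE
  Run with -WhatIf first to see what would be deleted.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ComputerName,                          # placeholder, e.g. 'SBSSERVER'
    [string]$OfflineHive,                           # placeholder, e.g. 'D:\Windows\System32\config\SOFTWARE'
    [string]$BackupDir = (Join-Path $env:TEMP 'srp-backup')
)

$ErrorActionPreference = 'Stop'
$SaferPath = 'SOFTWARE\Policies\Microsoft\Windows\Safer'
$MountName = 'OffSoftware'                          # temporary mount point for the offline hive

# Recursively dump a key (values and subkeys) as text so the state is on record before
# anything is deleted. reg.exe export/save cannot target a remote machine, hence this.
function Export-KeyText([Microsoft.Win32.RegistryKey]$Key, [string]$Prefix) {
    $lines = @("[$Prefix]")
    foreach ($v in $Key.GetValueNames()) {
        $lines += ('    {0} ({1}) = {2}' -f $v, $Key.GetValueKind($v), ($Key.GetValue($v) -join ','))
    }
    foreach ($s in $Key.GetSubKeyNames()) {
        $sub = $Key.OpenSubKey($s)
        if ($sub) { $lines += Export-KeyText $sub "$Prefix\$s"; $sub.Close() }
    }
    return $lines
}

# Open the Safer key writable, either on the remote machine or inside the mounted hive.
if ($OfflineHive) {
    & reg.exe load "HKLM\$MountName" $OfflineHive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $OfflineHive" }
    $base     = [Microsoft.Win32.Registry]::LocalMachine
    $saferRel = "$MountName\Policies\Microsoft\Windows\Safer"
    $label    = "offline hive $OfflineHive"
} elseif ($ComputerName) {
    $base     = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    $saferRel = $SaferPath
    $label    = "\\$ComputerName"
} else {
    throw 'Specify -ComputerName or -OfflineHive.'
}

try {
    $safer = $base.OpenSubKey($saferRel, $true)
    if (-not $safer) { Write-Host "No Safer key on $label; nothing to do."; return }

    New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
    $dump = Join-Path $BackupDir ('safer-{0}.txt' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
    Export-KeyText $safer "HKLM\$SaferPath" | Set-Content -Path $dump
    Write-Host "Recorded current SRP state to $dump"

    $ci = $safer.OpenSubKey('CodeIdentifiers', $true)
    if ($ci) {
        # Subkeys are security levels (0 = Disallowed ... 262144 = Unrestricted) holding
        # the Paths/Hashes rules; a DefaultLevel value of 0 is what blocks every .exe.
        foreach ($s in $ci.GetSubKeyNames()) {
            if ($PSCmdlet.ShouldProcess("$label CodeIdentifiers\$s", 'DeleteSubKeyTree')) {
                $ci.DeleteSubKeyTree($s)
            }
        }
        foreach ($v in $ci.GetValueNames()) {
            if ($v -eq 'AuthenticodeEnabled') { continue }
            if ($PSCmdlet.ShouldProcess("$label CodeIdentifiers value $v", 'DeleteValue')) {
                $ci.DeleteValue($v)
            }
        }
        if ($PSCmdlet.ShouldProcess("$label CodeIdentifiers", 'Set AuthenticodeEnabled = 0')) {
            $ci.SetValue('AuthenticodeEnabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        }
        $ci.Close()
    }
    $safer.Close()
} finally {
    if ($ComputerName) { $base.Close() }
    if ($OfflineHive) {
        # All handles into the hive must be released before it can be unloaded.
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        & reg.exe unload "HKLM\$MountName" | Out-Null
    }
}
```

Usage, under the same assumptions: `.\Clear-Srp.ps1 -ComputerName SBSSERVER -WhatIf` from a workstation, then without `-WhatIf`; for a machine that no longer boots, `.\Clear-Srp.ps1 -OfflineHive D:\Windows\System32\config\SOFTWARE` from WinRE or with its disk attached elsewhere. The registry edit only buys time: the next Group Policy refresh rewrites the Safer keys from SYSVOL, so repair or unlink the corrupt GPO (gpmc.msc will run again once the keys are gone) before that happens.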
Nick67 (Author) Commented:
Being blocked from running .exe on the server is a tricky chicken-and-egg problem.
The trick was remote registry editing, and not any Expert suggestion.
Windows Server 2008