Locked out of Group Policy Snap-In

D

Derik

One of my technicians edited the default domain policy
instead of one of the user policies and from what I
gather, set the domain GPO to restrict access to only
explicity allowed MMC snap-ins. This wouldn't be so bad
except the group policy snap-in was not explicity
allowed. Even if I log in on the DC as myself (enterprise
admin), I even enabled the administrator account and
couldn't do it there either. This has locked everyone out
of everything that uses MMC (even device manager!)

How can I get around this?
 
K

Ken

I'm not sure if it works like NTFS permissions, but can
you take ownership of the OU or domain and re-establish
the permissions?

Ken
 
D

Derik

I don't think you understand what I'm saying. In group
policy you can allow or disallow MMC Snap-ins. He changed
the default domain policy to where I can't even ADD the
snap in to an MMC console. My personal MMC that already
had it included (along with ADU/C's and other useful
snapins)

The problem is I can't get IN to the group policy snap-in
to change group policy to allow me into the snap in.
 
G

Gary Mudgett [MSFT]

If you can still edit the registry (even remotely), you can delete the
following key to remove the policy restrictions for the MMC snap-ins. Then
you should be able to open the group policy snap-in to correct the policy.

HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC

If remotely then it would by HKEY_Users\<SID of the
user>\Software\Policies\Microsoft\MMC

--
Gary Mudgett, MCSE, MCSA
Windows 2000/2003 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
D

Derik

Thank you but I was able to only get into
users/computers , sites and domains so I went in and put
my user account in a new OU and blocked policy
inheritance. But had that not worked or had he not
explicitly allowed those 2 snap ins I would have had to
use your registry key.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Group Policy & MMC restictions 2
Group Policy applied to administrator 2
Bypassing the Group Policy 1
Restricting GPO snap-ins and filtering the policy 1
Group policy Snap-in Inaccesible 1
Using the 2003 Group Policy tool 1
Restricting snap-ins 5
MMC Snap In Problems 1

Top