Disabled mmc using default domain policy


Fran King

I've disabled the use of mmc and run facility using the
default domain policy - not thinking it would apply to the
Administrators group - which obviously it does.

I can't access 'active directory users and computers' to
change the policy back.

Any ideas how to solve this without re-building the server?

Could I boot into safe mode and do something there?

Is there a way of creating a new administrators account
that is not subject to this policy?

Any help much appreciated





As you have now learned, It's not a good idea to edit the
default domain policy! I always setup an OU below the root
and work from there, leaving an administ96587 account in
the root.

Any new user you create will be placed under the tree and
thus refused access to the mmc snap-in. If you need to
save that tree, you can probably install a Windows 2000
domain controller on a new machine, then access the other
tree through there, and of course on the new server you
would have access to the MMC. Just a thought. Send me an
email and let me know how it turns out.




The easiest solution to this is to use "gpedit.msc gpcomputer:
xxx.xxx.xxx.xxx" where XXX is the IP address or full domain name
(dc1.mydomain.com) from another computer on the network (doesn't even have
to be in the domain as long as you have an account on it with a matching
username/password, i.e, change the password of the Administrator account on
the PC you're working from or use the username/password of another user with
admin priveleges)

I managed to lock myself out of MMC yesterday and used that to correct the

Let me know how it works for you!

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question