Domain Policy

[Guest]

I have had set up a policy to block all users with any rights other then the
basic ones. But by mistake I have had applied to all, instead of the group,
and now I can do any changes to it myself, even though I am logged in as the
Administrator.

Is there any way, I can get it reset back to original. I don't have access
to my local drives or command prompt or AD or anything right now.

Any help would be really appreciated.

Best Regards,

Shabbir

 

[Meinolf Weber]

Hello Shabbir,

You do not have an additional account that is member of the domain/enterprise
admins or maybe group policy admins?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

 

[Guest]

I don't.. Have put the rights on the top level.. And so couldn't do much..
Found the following link and ran the file.. Restarting it.. So lets hope if
works.

-----------------------------------------------------------------------------------------
You should perform the restore on your PDC.
W2K, use recreatedefpol.exe download here
http://download.microsoft.com/download/6/1/8/618ecc9d-2edd-42fe-9a53-7f1971154697/RecreateDefpol.EXE
W2K3, use DCGPOFIX.exe comes with OS

recreatedefpol will restore both default domain and default domain
controller policies.
dcgpofix allows you to do one or the other or both.

You must re-run Exchange "setup.exe /domainprep" if you restore the default
domain controller policy.

Thats it.

Be sure you setup your company password and account lockout policies as soon
as you can after the restore.

 

[Guest]

No, didn't work the previous step.. Any other thing which I can do to get it
back to default policy?

 

[Meinolf Weber]

Hello Shabbir,

Do you have a system state backup from before the change?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

 

[Guest]

Unfortunately not..

Hello Shabbir,

Do you have a system state backup from before the change?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

 

[Steven L Umbach]

Try logging onto a domain computer [non critical workstation] as domain
admin and see if you can run regedit or if you can run a tool called Dial a
Fix from a flash drive or such as it can detect and remove many Group Policy
restrictions. If that works then you can use MMC snapin for Group Policy to
manage the Group Policy on a domain controller to make changes to undo the
harm. Otherwise if you can use regedit look for and delete the Group Policy
restrictions seen under the keys listed below which will buy you time to
make changes to Group Policy.

Steve

http://www.softpedia.com/get/System/System-Miscellaneous/Dial-a-fix.shtml
-- Dial a fix

Table 1 Approved Registry Key Locations for Group Policy Settings

For Computer Policy Settings: For User Policy Settings:
HKLM\Software\Policies (The preferred location)
HKCU\Software\Policies (The preferred location)

HKLM\Software\Microsoft\Windows
\CurrentVersion\Policies
HKCU\Software\Microsoft\Windows
\CurrentVersion\Policies

 

[Guest]

Hi Steven,

I can't get on the Registry locally on the server as well. But can do it
remotely from another server, which is not a Domain Controller. I tried
searching my policy in there, but couldn't find it in there. Is there any
other place I can find it?

Thanks for your help.

Best Regards,

Shabbir

Try logging onto a domain computer [non critical workstation] as domain
admin and see if you can run regedit or if you can run a tool called Dial a
Fix from a flash drive or such as it can detect and remove many Group Policy
restrictions. If that works then you can use MMC snapin for Group Policy to
manage the Group Policy on a domain controller to make changes to undo the
harm. Otherwise if you can use regedit look for and delete the Group Policy
restrictions seen under the keys listed below which will buy you time to
make changes to Group Policy.

Steve

http://www.softpedia.com/get/System/System-Miscellaneous/Dial-a-fix.shtml
-- Dial a fix

Table 1 Approved Registry Key Locations for Group Policy Settings

For Computer Policy Settings: For User Policy Settings:
HKLM\Software\Policies (The preferred location)
HKCU\Software\Policies (The preferred location)

HKLM\Software\Microsoft\Windows
\CurrentVersion\Policies
HKCU\Software\Microsoft\Windows
\CurrentVersion\Policies

I have had set up a policy to block all users with any rights other then
the
basic ones. But by mistake I have had applied to all, instead of the
group,
and now I can do any changes to it myself, even though I am logged in as
the
Administrator.

Is there any way, I can get it reset back to original. I don't have access
to my local drives or command prompt or AD or anything right now.

Any help would be really appreciated.

Best Regards,

Shabbir

 

[Steven L Umbach]

First from the server you can access the registry remotely see if you can
manage Group Policy remotely to undo your changes. While on that server
enter MMC in the run box to open Management Console and then add the Group
Policy Object Editor and instead of local computer select another computer -
browse and browse for and select the domain controller and you may then be
able to edit domain level Group Policy.

If that does not work use the registry editor. You are not looking for the
policy itself but you want to edit/remove the registry keys that are locking
you out to give you a change to then edit Group Policy to remove those
settings. You want to look for registry keys/entries under
HKCU\Software\Policies\Microsoft\Windows such as system where if you see
DisableCMD you want to delete that dword entry. Under
HKCU\Software\Policies\Microsoft\Windows\MMC if you see any items listed
{numbers and letters}either remove the {numbers and letters}or change the
restrict run values to 0. After that you should be able to open access ADUC
and edit Group Policy though you may need to logoff/logon the domain
controller or reboot the server first.

Group Policy enforces those registry settings and the next time Group Policy
is applied those registry entries will return which is why it is important
that you edit Group Policy ASAP after gaining access starting with those
settings that locked you out..

Steve

Hi Steven,

I can't get on the Registry locally on the server as well. But can do it
remotely from another server, which is not a Domain Controller. I tried
searching my policy in there, but couldn't find it in there. Is there any
other place I can find it?

Thanks for your help.

Best Regards,

Shabbir

Try logging onto a domain computer [non critical workstation] as domain
admin and see if you can run regedit or if you can run a tool called Dial
a
Fix from a flash drive or such as it can detect and remove many Group
Policy
restrictions. If that works then you can use MMC snapin for Group Policy
to
manage the Group Policy on a domain controller to make changes to undo
the
harm. Otherwise if you can use regedit look for and delete the Group
Policy
restrictions seen under the keys listed below which will buy you time to
make changes to Group Policy.

Steve

http://www.softpedia.com/get/System/System-Miscellaneous/Dial-a-fix.shtml
-- Dial a fix

Table 1 Approved Registry Key Locations for Group Policy Settings

For Computer Policy Settings: For User Policy Settings:
HKLM\Software\Policies (The preferred location)
HKCU\Software\Policies (The preferred location)

HKLM\Software\Microsoft\Windows
\CurrentVersion\Policies
HKCU\Software\Microsoft\Windows
\CurrentVersion\Policies



in
message news:[email protected]...

I have had set up a policy to block all users with any rights other then
the
basic ones. But by mistake I have had applied to all, instead of the
group,
and now I can do any changes to it myself, even though I am logged in
as
the
Administrator.

Is there any way, I can get it reset back to original. I don't have
access
to my local drives or command prompt or AD or anything right now.

Any help would be really appreciated.

Best Regards,

Shabbir

 

[Guest]

Hi Steve,

I found the MMC key in Registry under HKLM\Software\Microsoft\MMC, but there
is no place where it says to disable access.. I only has {........} sub keys
for different applications and wasn't sure how to enable them?

Any help is really appreciated.

Best Regards,

Shabbir

First from the server you can access the registry remotely see if you can
manage Group Policy remotely to undo your changes. While on that server
enter MMC in the run box to open Management Console and then add the Group
Policy Object Editor and instead of local computer select another computer -
browse and browse for and select the domain controller and you may then be
able to edit domain level Group Policy.

If that does not work use the registry editor. You are not looking for the
policy itself but you want to edit/remove the registry keys that are locking
you out to give you a change to then edit Group Policy to remove those
settings. You want to look for registry keys/entries under
HKCU\Software\Policies\Microsoft\Windows such as system where if you see
DisableCMD you want to delete that dword entry. Under
HKCU\Software\Policies\Microsoft\Windows\MMC if you see any items listed
{numbers and letters}either remove the {numbers and letters}or change the
restrict run values to 0. After that you should be able to open access ADUC
and edit Group Policy though you may need to logoff/logon the domain
controller or reboot the server first.

Group Policy enforces those registry settings and the next time Group Policy
is applied those registry entries will return which is why it is important
that you edit Group Policy ASAP after gaining access starting with those
settings that locked you out..

Steve

Hi Steven,

I can't get on the Registry locally on the server as well. But can do it
remotely from another server, which is not a Domain Controller. I tried
searching my policy in there, but couldn't find it in there. Is there any
other place I can find it?

Thanks for your help.

Best Regards,

Shabbir

Try logging onto a domain computer [non critical workstation] as domain
admin and see if you can run regedit or if you can run a tool called Dial
a
Fix from a flash drive or such as it can detect and remove many Group
Policy
restrictions. If that works then you can use MMC snapin for Group Policy
to
manage the Group Policy on a domain controller to make changes to undo
the
harm. Otherwise if you can use regedit look for and delete the Group
Policy
restrictions seen under the keys listed below which will buy you time to
make changes to Group Policy.

Steve

http://www.softpedia.com/get/System/System-Miscellaneous/Dial-a-fix.shtml
-- Dial a fix

Table 1 Approved Registry Key Locations for Group Policy Settings

For Computer Policy Settings: For User Policy Settings:
HKLM\Software\Policies (The preferred location)
HKCU\Software\Policies (The preferred location)

HKLM\Software\Microsoft\Windows
\CurrentVersion\Policies
HKCU\Software\Microsoft\Windows
\CurrentVersion\Policies



in
message I have had set up a policy to block all users with any rights other then
the
basic ones. But by mistake I have had applied to all, instead of the
group,
and now I can do any changes to it myself, even though I am logged in
as
the
Administrator.

Is there any way, I can get it reset back to original. I don't have
access
to my local drives or command prompt or AD or anything right now.

Any help would be really appreciated.

Best Regards,

Shabbir

 

[Steven L Umbach]

You can delete those subkeys or change the value to 0 as I believe you will
see they are currently 1. They are preventing you from accessing your MMC
snapins. You may have to logoff and logon the DC when done for the changes
to take.

Steve

Hi Steve,

I found the MMC key in Registry under HKLM\Software\Microsoft\MMC, but
there
is no place where it says to disable access.. I only has {........} sub
keys
for different applications and wasn't sure how to enable them?

Any help is really appreciated.

Best Regards,

Shabbir

First from the server you can access the registry remotely see if you can
manage Group Policy remotely to undo your changes. While on that server
enter MMC in the run box to open Management Console and then add the
Group
Policy Object Editor and instead of local computer select another
computer -
browse and browse for and select the domain controller and you may then
be
able to edit domain level Group Policy.

If that does not work use the registry editor. You are not looking for
the
policy itself but you want to edit/remove the registry keys that are
locking
you out to give you a change to then edit Group Policy to remove those
settings. You want to look for registry keys/entries under
HKCU\Software\Policies\Microsoft\Windows such as system where if you see
DisableCMD you want to delete that dword entry. Under
HKCU\Software\Policies\Microsoft\Windows\MMC if you see any items listed
{numbers and letters}either remove the {numbers and letters}or change the
restrict run values to 0. After that you should be able to open access
ADUC
and edit Group Policy though you may need to logoff/logon the domain
controller or reboot the server first.

Group Policy enforces those registry settings and the next time Group
Policy
is applied those registry entries will return which is why it is
important
that you edit Group Policy ASAP after gaining access starting with those
settings that locked you out..

Steve

Hi Steven,

I can't get on the Registry locally on the server as well. But can do
it
remotely from another server, which is not a Domain Controller. I tried
searching my policy in there, but couldn't find it in there. Is there
any
other place I can find it?

Thanks for your help.

Best Regards,

Shabbir

:

Try logging onto a domain computer [non critical workstation] as
domain
admin and see if you can run regedit or if you can run a tool called
Dial
a
Fix from a flash drive or such as it can detect and remove many Group
Policy
restrictions. If that works then you can use MMC snapin for Group
Policy
to
manage the Group Policy on a domain controller to make changes to undo
the
harm. Otherwise if you can use regedit look for and delete the Group
Policy
restrictions seen under the keys listed below which will buy you time
to
make changes to Group Policy.

Steve

http://www.softpedia.com/get/System/System-Miscellaneous/Dial-a-fix.shtml
-- Dial a fix

Table 1 Approved Registry Key Locations for Group Policy Settings

For Computer Policy Settings: For User Policy Settings:
HKLM\Software\Policies (The preferred location)
HKCU\Software\Policies (The preferred location)

HKLM\Software\Microsoft\Windows
\CurrentVersion\Policies
HKCU\Software\Microsoft\Windows
\CurrentVersion\Policies



"Shabbir Jadliwala" <Shabbir (e-mail address removed)>
wrote
in
message I have had set up a policy to block all users with any rights other
then
the
basic ones. But by mistake I have had applied to all, instead of the
group,
and now I can do any changes to it myself, even though I am logged
in
as
the
Administrator.

Is there any way, I can get it reset back to original. I don't have
access
to my local drives or command prompt or AD or anything right now.

Any help would be really appreciated.

Best Regards,

Shabbir

 

[Guest]

Hi Steven,

Thanks very much.. I finally got that fixed.. Couldn't find the key for MMC,
but found one, which would allow me to use Registry locally, and from there
on, I was able to find Microsoft Management Console and enable the AD and got
the policy removed.

Well, it was a good learning experience.. Never changed so many registry
keys, specially on the PDC.

Thanks again,

Shabbir

You can delete those subkeys or change the value to 0 as I believe you will
see they are currently 1. They are preventing you from accessing your MMC
snapins. You may have to logoff and logon the DC when done for the changes
to take.

Steve

Hi Steve,

I found the MMC key in Registry under HKLM\Software\Microsoft\MMC, but
there
is no place where it says to disable access.. I only has {........} sub
keys
for different applications and wasn't sure how to enable them?

Any help is really appreciated.

Best Regards,

Shabbir

First from the server you can access the registry remotely see if you can
manage Group Policy remotely to undo your changes. While on that server
enter MMC in the run box to open Management Console and then add the
Group
Policy Object Editor and instead of local computer select another
computer -
browse and browse for and select the domain controller and you may then
be
able to edit domain level Group Policy.

If that does not work use the registry editor. You are not looking for
the
policy itself but you want to edit/remove the registry keys that are
locking
you out to give you a change to then edit Group Policy to remove those
settings. You want to look for registry keys/entries under
HKCU\Software\Policies\Microsoft\Windows such as system where if you see
DisableCMD you want to delete that dword entry. Under
HKCU\Software\Policies\Microsoft\Windows\MMC if you see any items listed
{numbers and letters}either remove the {numbers and letters}or change the
restrict run values to 0. After that you should be able to open access
ADUC
and edit Group Policy though you may need to logoff/logon the domain
controller or reboot the server first.

Group Policy enforces those registry settings and the next time Group
Policy
is applied those registry entries will return which is why it is
important
that you edit Group Policy ASAP after gaining access starting with those
settings that locked you out..

Steve


message Hi Steven,

I can't get on the Registry locally on the server as well. But can do
it
remotely from another server, which is not a Domain Controller. I tried
searching my policy in there, but couldn't find it in there. Is there
any
other place I can find it?

Thanks for your help.

Best Regards,

Shabbir

:

Try logging onto a domain computer [non critical workstation] as
domain
admin and see if you can run regedit or if you can run a tool called
Dial
a
Fix from a flash drive or such as it can detect and remove many Group
Policy
restrictions. If that works then you can use MMC snapin for Group
Policy
to
manage the Group Policy on a domain controller to make changes to undo
the
harm. Otherwise if you can use regedit look for and delete the Group
Policy
restrictions seen under the keys listed below which will buy you time
to
make changes to Group Policy.

Steve

http://www.softpedia.com/get/System/System-Miscellaneous/Dial-a-fix.shtml
-- Dial a fix

Table 1 Approved Registry Key Locations for Group Policy Settings

For Computer Policy Settings: For User Policy Settings:
HKLM\Software\Policies (The preferred location)
HKCU\Software\Policies (The preferred location)

HKLM\Software\Microsoft\Windows
\CurrentVersion\Policies
HKCU\Software\Microsoft\Windows
\CurrentVersion\Policies



"Shabbir Jadliwala" <Shabbir (e-mail address removed)>
wrote
in
message I have had set up a policy to block all users with any rights other
then
the
basic ones. But by mistake I have had applied to all, instead of the
group,
and now I can do any changes to it myself, even though I am logged
in
as
the
Administrator.

Is there any way, I can get it reset back to original. I don't have
access
to my local drives or command prompt or AD or anything right now.

Any help would be really appreciated.

Best Regards,

Shabbir

 

[Steven L Umbach]

Fantastic and great job. Thanks for getting back to me and letting us know
what worked. Now be careful with Group Policy and let us know if you have
more questions about configuring Group Policy!

Steve

Hi Steven,

Thanks very much.. I finally got that fixed.. Couldn't find the key for
MMC,
but found one, which would allow me to use Registry locally, and from
there
on, I was able to find Microsoft Management Console and enable the AD and
got
the policy removed.

Well, it was a good learning experience.. Never changed so many registry
keys, specially on the PDC.

Thanks again,

Shabbir

You can delete those subkeys or change the value to 0 as I believe you
will
see they are currently 1. They are preventing you from accessing your MMC
snapins. You may have to logoff and logon the DC when done for the
changes
to take.

Steve

Hi Steve,

I found the MMC key in Registry under HKLM\Software\Microsoft\MMC, but
there
is no place where it says to disable access.. I only has {........} sub
keys
for different applications and wasn't sure how to enable them?

Any help is really appreciated.

Best Regards,

Shabbir

:

First from the server you can access the registry remotely see if you
can
manage Group Policy remotely to undo your changes. While on that
server
enter MMC in the run box to open Management Console and then add the
Group
Policy Object Editor and instead of local computer select another
computer -
browse and browse for and select the domain controller and you may
then
be
able to edit domain level Group Policy.

If that does not work use the registry editor. You are not looking for
the
policy itself but you want to edit/remove the registry keys that are
locking
you out to give you a change to then edit Group Policy to remove those
settings. You want to look for registry keys/entries under
HKCU\Software\Policies\Microsoft\Windows such as system where if you
see
DisableCMD you want to delete that dword entry. Under
HKCU\Software\Policies\Microsoft\Windows\MMC if you see any items
listed
{numbers and letters}either remove the {numbers and letters}or change
the
restrict run values to 0. After that you should be able to open access
ADUC
and edit Group Policy though you may need to logoff/logon the domain
controller or reboot the server first.

Group Policy enforces those registry settings and the next time Group
Policy
is applied those registry entries will return which is why it is
important
that you edit Group Policy ASAP after gaining access starting with
those
settings that locked you out..

Steve


in
message Hi Steven,

I can't get on the Registry locally on the server as well. But can
do
it
remotely from another server, which is not a Domain Controller. I
tried
searching my policy in there, but couldn't find it in there. Is
there
any
other place I can find it?

Thanks for your help.

Best Regards,

Shabbir

:

Try logging onto a domain computer [non critical workstation] as
domain
admin and see if you can run regedit or if you can run a tool
called
Dial
a
Fix from a flash drive or such as it can detect and remove many
Group
Policy
restrictions. If that works then you can use MMC snapin for Group
Policy
to
manage the Group Policy on a domain controller to make changes to
undo
the
harm. Otherwise if you can use regedit look for and delete the
Group
Policy
restrictions seen under the keys listed below which will buy you
time
to
make changes to Group Policy.

Steve

http://www.softpedia.com/get/System/System-Miscellaneous/Dial-a-fix.shtml
-- Dial a fix

Table 1 Approved Registry Key Locations for Group Policy
Settings

For Computer Policy Settings: For User Policy Settings:
HKLM\Software\Policies (The preferred location)
HKCU\Software\Policies (The preferred location)

HKLM\Software\Microsoft\Windows
\CurrentVersion\Policies
HKCU\Software\Microsoft\Windows
\CurrentVersion\Policies



"Shabbir Jadliwala" <Shabbir (e-mail address removed)>
wrote
in
message I have had set up a policy to block all users with any rights
other
then
the
basic ones. But by mistake I have had applied to all, instead of
the
group,
and now I can do any changes to it myself, even though I am
logged
in
as
the
Administrator.

Is there any way, I can get it reset back to original. I don't
have
access
to my local drives or command prompt or AD or anything right now.

Any help would be really appreciated.

Best Regards,

Shabbir

 

[Meinolf Weber]

Hello Steven,

Also thanks Steve, followed the complete posting and learned a lot.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

Fantastic and great job. Thanks for getting back to me and letting us
know what worked. Now be careful with Group Policy and let us know if
you have more questions about configuring Group Policy!

Steve

Hi Steven,

Thanks very much.. I finally got that fixed.. Couldn't find the key
for
MMC,
but found one, which would allow me to use Registry locally, and from
there
on, I was able to find Microsoft Management Console and enable the AD
and
got
the policy removed.
Well, it was a good learning experience.. Never changed so many
registry keys, specially on the PDC.

Thanks again,

Shabbir

You can delete those subkeys or change the value to 0 as I believe
you
will
see they are currently 1. They are preventing you from accessing
your MMC
snapins. You may have to logoff and logon the DC when done for the
changes
to take.
Steve

"Shabbir Jadliwala" <[email protected]>
wrote in message

Hi Steve,

I found the MMC key in Registry under HKLM\Software\Microsoft\MMC,
but
there
is no place where it says to disable access.. I only has {........}
sub
keys
for different applications and wasn't sure how to enable them?
Any help is really appreciated.

Best Regards,

Shabbir

:

First from the server you can access the registry remotely see if
you
can
manage Group Policy remotely to undo your changes. While on that
server
enter MMC in the run box to open Management Console and then add
the
Group
Policy Object Editor and instead of local computer select another
computer -
browse and browse for and select the domain controller and you may
then
be
able to edit domain level Group Policy.
If that does not work use the registry editor. You are not looking
for
the
policy itself but you want to edit/remove the registry keys that
are
locking
you out to give you a change to then edit Group Policy to remove
those
settings. You want to look for registry keys/entries under
HKCU\Software\Policies\Microsoft\Windows such as system where if
you
see
DisableCMD you want to delete that dword entry. Under
HKCU\Software\Policies\Microsoft\Windows\MMC if you see any items
listed
{numbers and letters}either remove the {numbers and letters}or
change
the
restrict run values to 0. After that you should be able to open
access
ADUC
and edit Group Policy though you may need to logoff/logon the
domain
controller or reboot the server first.
Group Policy enforces those registry settings and the next time
Group
Policy
is applied those registry entries will return which is why it is
important
that you edit Group Policy ASAP after gaining access starting with
those
settings that locked you out..
Steve

"Shabbir Jadliwala" <[email protected]>
wrote
in
message Hi Steven,

I can't get on the Registry locally on the server as well. But
can
do
it
remotely from another server, which is not a Domain Controller. I
tried
searching my policy in there, but couldn't find it in there. Is
there
any
other place I can find it?
Thanks for your help.

Best Regards,

Shabbir

:

Try logging onto a domain computer [non critical workstation] as
domain
admin and see if you can run regedit or if you can run a tool
called
Dial
a
Fix from a flash drive or such as it can detect and remove many
Group
Policy
restrictions. If that works then you can use MMC snapin for
Group
Policy
to
manage the Group Policy on a domain controller to make changes
to
undo
the
harm. Otherwise if you can use regedit look for and delete the
Group
Policy
restrictions seen under the keys listed below which will buy you
time
to
make changes to Group Policy.
Steve

http://www.softpedia.com/get/System/System-Miscellaneous/Dial-a-
fix.shtml -- Dial a fix

Table 1 Approved Registry Key Locations for Group Policy
Settings

For Computer Policy Settings: For User Policy Settings:
HKLM\Software\Policies (The preferred location)
HKCU\Software\Policies (The preferred location)

HKLM\Software\Microsoft\Windows
\CurrentVersion\Policies
HKCU\Software\Microsoft\Windows
\CurrentVersion\Policies
"Shabbir Jadliwala" <Shabbir
(e-mail address removed)>
wrote
in
message
I have had set up a policy to block all users with any rights
other
then
the
basic ones. But by mistake I have had applied to all, instead
of
the
group,
and now I can do any changes to it myself, even though I am
logged
in
as
the
Administrator.
Is there any way, I can get it reset back to original. I don't
have
access
to my local drives or command prompt or AD or anything right
now.
Any help would be really appreciated.

Best Regards,

Shabbir

 

[Guest]

Thanks steve..But I enjoyed the pain to get it fixed.. As they say.. You
learn from your mistakes.. Thanks agian..

Fantastic and great job. Thanks for getting back to me and letting us know
what worked. Now be careful with Group Policy and let us know if you have
more questions about configuring Group Policy!

Steve

Hi Steven,

Thanks very much.. I finally got that fixed.. Couldn't find the key for
MMC,
but found one, which would allow me to use Registry locally, and from
there
on, I was able to find Microsoft Management Console and enable the AD and
got
the policy removed.

Well, it was a good learning experience.. Never changed so many registry
keys, specially on the PDC.

Thanks again,

Shabbir

You can delete those subkeys or change the value to 0 as I believe you
will
see they are currently 1. They are preventing you from accessing your MMC
snapins. You may have to logoff and logon the DC when done for the
changes
to take.

Steve


message Hi Steve,

I found the MMC key in Registry under HKLM\Software\Microsoft\MMC, but
there
is no place where it says to disable access.. I only has {........} sub
keys
for different applications and wasn't sure how to enable them?

Any help is really appreciated.

Best Regards,

Shabbir

:

First from the server you can access the registry remotely see if you
can
manage Group Policy remotely to undo your changes. While on that
server
enter MMC in the run box to open Management Console and then add the
Group
Policy Object Editor and instead of local computer select another
computer -
browse and browse for and select the domain controller and you may
then
be
able to edit domain level Group Policy.

If that does not work use the registry editor. You are not looking for
the
policy itself but you want to edit/remove the registry keys that are
locking
you out to give you a change to then edit Group Policy to remove those
settings. You want to look for registry keys/entries under
HKCU\Software\Policies\Microsoft\Windows such as system where if you
see
DisableCMD you want to delete that dword entry. Under
HKCU\Software\Policies\Microsoft\Windows\MMC if you see any items
listed
{numbers and letters}either remove the {numbers and letters}or change
the
restrict run values to 0. After that you should be able to open access
ADUC
and edit Group Policy though you may need to logoff/logon the domain
controller or reboot the server first.

Group Policy enforces those registry settings and the next time Group
Policy
is applied those registry entries will return which is why it is
important
that you edit Group Policy ASAP after gaining access starting with
those
settings that locked you out..

Steve


in
message Hi Steven,

I can't get on the Registry locally on the server as well. But can
do
it
remotely from another server, which is not a Domain Controller. I
tried
searching my policy in there, but couldn't find it in there. Is
there
any
other place I can find it?

Thanks for your help.

Best Regards,

Shabbir

:

Try logging onto a domain computer [non critical workstation] as
domain
admin and see if you can run regedit or if you can run a tool
called
Dial
a
Fix from a flash drive or such as it can detect and remove many
Group
Policy
restrictions. If that works then you can use MMC snapin for Group
Policy
to
manage the Group Policy on a domain controller to make changes to
undo
the
harm. Otherwise if you can use regedit look for and delete the
Group
Policy
restrictions seen under the keys listed below which will buy you
time
to
make changes to Group Policy.

Steve

http://www.softpedia.com/get/System/System-Miscellaneous/Dial-a-fix.shtml
-- Dial a fix

Table 1 Approved Registry Key Locations for Group Policy
Settings

For Computer Policy Settings: For User Policy Settings:
HKLM\Software\Policies (The preferred location)
HKCU\Software\Policies (The preferred location)

HKLM\Software\Microsoft\Windows
\CurrentVersion\Policies
HKCU\Software\Microsoft\Windows
\CurrentVersion\Policies



"Shabbir Jadliwala" <Shabbir (e-mail address removed)>
wrote
in
message I have had set up a policy to block all users with any rights
other
then
the
basic ones. But by mistake I have had applied to all, instead of
the
group,
and now I can do any changes to it myself, even though I am
logged
in
as
the
Administrator.

Is there any way, I can get it reset back to original. I don't
have
access
to my local drives or command prompt or AD or anything right now.

Any help would be really appreciated.

Best Regards,

Shabbir

 

[Steven L Umbach]

Cool. I learn a lot from newsgroup posts also. To me that is what it is all
about sharing and learning.

Steve

Hello Steven,

Also thanks Steve, followed the complete posting and learned a lot.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.

Fantastic and great job. Thanks for getting back to me and letting us
know what worked. Now be careful with Group Policy and let us know if
you have more questions about configuring Group Policy!

Steve

Hi Steven,

Thanks very much.. I finally got that fixed.. Couldn't find the key
for
MMC,
but found one, which would allow me to use Registry locally, and from
there
on, I was able to find Microsoft Management Console and enable the AD
and
got
the policy removed.
Well, it was a good learning experience.. Never changed so many
registry keys, specially on the PDC.

Thanks again,

Shabbir

:

You can delete those subkeys or change the value to 0 as I believe
you
will
see they are currently 1. They are preventing you from accessing
your MMC
snapins. You may have to logoff and logon the DC when done for the
changes
to take.
Steve

"Shabbir Jadliwala" <[email protected]>
wrote in message

Hi Steve,

I found the MMC key in Registry under HKLM\Software\Microsoft\MMC,
but
there
is no place where it says to disable access.. I only has {........}
sub
keys
for different applications and wasn't sure how to enable them?
Any help is really appreciated.

Best Regards,

Shabbir

:

First from the server you can access the registry remotely see if
you
can
manage Group Policy remotely to undo your changes. While on that
server
enter MMC in the run box to open Management Console and then add
the
Group
Policy Object Editor and instead of local computer select another
computer -
browse and browse for and select the domain controller and you may
then
be
able to edit domain level Group Policy.
If that does not work use the registry editor. You are not looking
for
the
policy itself but you want to edit/remove the registry keys that
are
locking
you out to give you a change to then edit Group Policy to remove
those
settings. You want to look for registry keys/entries under
HKCU\Software\Policies\Microsoft\Windows such as system where if
you
see
DisableCMD you want to delete that dword entry. Under
HKCU\Software\Policies\Microsoft\Windows\MMC if you see any items
listed
{numbers and letters}either remove the {numbers and letters}or
change
the
restrict run values to 0. After that you should be able to open
access
ADUC
and edit Group Policy though you may need to logoff/logon the
domain
controller or reboot the server first.
Group Policy enforces those registry settings and the next time
Group
Policy
is applied those registry entries will return which is why it is
important
that you edit Group Policy ASAP after gaining access starting with
those
settings that locked you out..
Steve

"Shabbir Jadliwala" <[email protected]>
wrote
in
message Hi Steven,

I can't get on the Registry locally on the server as well. But
can
do
it
remotely from another server, which is not a Domain Controller. I
tried
searching my policy in there, but couldn't find it in there. Is
there
any
other place I can find it?
Thanks for your help.

Best Regards,

Shabbir

:

Try logging onto a domain computer [non critical workstation] as
domain
admin and see if you can run regedit or if you can run a tool
called
Dial
a
Fix from a flash drive or such as it can detect and remove many
Group
Policy
restrictions. If that works then you can use MMC snapin for
Group
Policy
to
manage the Group Policy on a domain controller to make changes
to
undo
the
harm. Otherwise if you can use regedit look for and delete the
Group
Policy
restrictions seen under the keys listed below which will buy you
time
to
make changes to Group Policy.
Steve

http://www.softpedia.com/get/System/System-Miscellaneous/Dial-a-
fix.shtml -- Dial a fix

Table 1 Approved Registry Key Locations for Group Policy
Settings

For Computer Policy Settings: For User Policy Settings:
HKLM\Software\Policies (The preferred location)
HKCU\Software\Policies (The preferred location)

HKLM\Software\Microsoft\Windows
\CurrentVersion\Policies
HKCU\Software\Microsoft\Windows
\CurrentVersion\Policies
"Shabbir Jadliwala" <Shabbir
(e-mail address removed)>
wrote
in
message
I have had set up a policy to block all users with any rights
other
then
the
basic ones. But by mistake I have had applied to all, instead
of
the
group,
and now I can do any changes to it myself, even though I am
logged
in
as
the
Administrator.
Is there any way, I can get it reset back to original. I don't
have
access
to my local drives or command prompt or AD or anything right
now.
Any help would be really appreciated.

Best Regards,

Shabbir