Group policy setting

[Steven]

Recently, i used gpedit.msc to set some restriction in my
computer. However, the setting are not configured
properly.
Location: User Configuration\Windows Components\Microsoft
Management Console\
There are three options.

1)Restrict the user from entering author mode
2)Restrict users to the explicitly permitted list of snap-ins
3)Restricted/Permitted snap-ins

I enable the option in 1 and 2. Now, I can't access to
the policy because the snap-in is prohibited by the
policy.

I even restricted to RegEdit.exe using group policy

CAn anyone tell me how to access control to the group
policy again??

 

[Roger Abell]

Set a Deny on system32\GroupPolicy for the admin
account you wish to use to reverse these settings.
Log off and then log back in as that account.
Remove the Deny that was set above.
Now use the tools to edit local security policy
to undo the restrictions.

 

[John]

I have windows 2000 server with about 20 XP clients. I am
pulling my hair-out tring to figure this out.

The group policy doesn't work, The user are able to do
what ever they want. I deleted all the profiles and
created new account. They too can do what ever they want.

I'm at a loss..

Details:
The xp pro machine is joined to the domain.
I have a single domain and 1 DC. It's a simple setup.
All on the same network.
1 OU called staff
Staff is not part of any other OU
1 Policy for staff.
Users are only part of the domian users and staff OU

Thanks

 

[Jeremy]

Are they logging on to the domain controller or the individual machine?
Just because they are joined to the domain doesn't mean they aren't logging
into a local account that would override any network policies in place. At
the login prompt click the options and make sure the domain is the domain
controller not the local machine. If they are logging into the domain
controller not sure what else to try because I haven't had that problem. I
have about 15 XP clients logging into a 2000 server and have not had problem
with the policies. Even went a machine and tested them today to make sure.

 

[Roger Abell]

John,

What you indicate can be the result of many things,
including their use of machine local accounts that
Jeremy outlined.

If for example, they are using domain accounts, but
those accounts (or some group they are in such as
Domain Users) have been included in the machine
local Administrators group then guess what - they
have full admin rights when logging on with what
appears to be (from domain perspective) a plain
user account.

If by their being able to do anything you mean that you
try to restrict specific things with GPOs in Active
Directory but find that the accounts are not restricted,
then be aware that there are a very few rules that you
must follow in order to have GPO apply correctly.
We have a couple newsgroups specifically for group
policy (the newer is public.windows.group_policy)
You may want to follow-up there, with specifics of how
you are trying and what you expect to see but do not see.
Basically, if you link a GPO to an OU, then Computer
settings in the GPO will apply to computers that are
in the OU and User settings in the GPO will apply to
users that are in the OU. The computer and user objects
must be in the OU - it is not sufficient for a group to be
in the OU. That is the basic pattern if settings that can
modify this behavior have not been changed from their
defaults.

To be any more specific you really would need to
clarify what you are trying to do and what you do
and do not see happening - but a group policy newsgroup
would be the place for that.