I really screwed up group policy this time...!

Guest

I was trying to lock down the system for my kids' use,
and ended up locking it down so tight I can't do anything now...
can't shut down, can't access Run, can't execute any registry modifications, etc.
I disabled just about everything I could in gpedit.msc, I didn't think it would
also affect the admin account!!

How can I turn the policies off, at least for myself (admin) so that I can
install software, and use the machine? Or am I doomed to do a full
reformat/reinstall?

I tried the registry script from kellys-korner "Lift MMC/GPEDIT Snap-In
Restrictions", but since registry modifications are disabled I can't run it...
help?
 
Nepatsfan

colinrei said:
I was trying to lock down the system for my kids' use,
and ended up locking it down so tight I can't do anything now...
can't shut down, can't access Run, can't execute any registry
modifications, etc.
I disabled just about everything I could in gpedit.msc, I
didn't think it would also affect the admin account!!

How can I turn the policies off, at least for myself (admin)
so that I can install software, and use the machine? Or am I
doomed to do a full reformat/reinstall?

I tried the registry script from kellys-korner "Lift
MMC/GPEDIT Snap-In Restrictions", but since registry
modifications are disabled I can't run it...
help?

Have you opened Windows Explorer, navigated to
C:\Windows\System32 and tried to run gpedit.msc from there?

How about starting in Safe Mode with Command Prompt and
entering gpedit.msc in the command prompt window?

Odds are you probably disabled your ability to do the following
but I'll pass it along anyway:

If you've turned off Simple File Sharing already then you can
skip these steps:
Disable Simple File Sharing.
Go to Start -> Control Panel and double click Folder Options.
Note: If you disabled access to Control Panel, you can try
accessing Folder Options through Windows Explorer's Tools menu.
Hopefully, you didn't block that route.
In Folder Options, click on the View tab.
Scroll down to the bottom and remove the check mark from the
box marked "Use simple file sharing (Recommended)".

With Simple File Sharing disabled you need to change
permissions on a folder.
Run Windows Explorer.
Navigate to this location:
C:\Windows\System32\GroupPolicy
Right click on the folder and select Properties from the drop
down menu.
Click on the Security tab.
Click on the Administrators group to highlight it.
In the Permissions box, change the Read setting, and only the
Read setting, to Deny.
Click OK.
You'll have to log off and log back on with your account for
the changes to take place.

Once you've logged back on, see if the policies you put in
place are still being applied to your account. Post back with
the results.

Note: Once you've applied the Deny Read permission for the
Administrators group you've got a new issue to deal with. You
can't run gpedit.msc. If you remove the Deny permissions from
the Group Policy folder to restore the ability to run the Group
Policy editor you may find some of the policies put into place
immediately putting you right back where you started. If that's
the case, then you may have no alternative but to reinstall
Windows.

Good luck

Nepatsfan
 
Vincent Lape

try this
start > Run
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

run it from the admin account. or you can edit the profile of the user
account and have it run a startup script, if you want to try a startup
script do this:

from admin account create a new text doc, insert the following:
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
secedit /refreshpolicy machine_policy /enforce
secedit /refreshpolicy user_policy /enforce

save it as reset.bat in the root of C:
in the user profile control panel > admin tools > computer mgmt > local
users and groups > right click user > properties > profile tab > logon script
enter c:\reset.bat

logout and login again, if you get an error under the account saying permission
denied just run the reset.bat as admin. This will take the security policies
back to default.
HTH

Vincent Lape
 
Guest

Thanks guys for the suggestions. Here's where I'm at:
I did disable simple file sharing but,

1. no access to Run window. it's disabled
2. in Windows explorer I only see My Documents folder, can't access C: drive
3. in Safe Mode I still can't access command prompt... "disabled by admin..."

I'll try making a startup script for another user as Vincent suggested,
but my hopes are dwindling... any final ideas before fdisk?
thanks,
 
Vincent Lape

ok lets try going around another way.

create a shortcut, from desktop right click, shortcut. make path
c:\windows\system32\cmd.exe see if you can get a Command Prompt from there.
I know on some of my systems even after i removed access to run i could get
this to work.

Vincent Lape
 
Guest

good news! using a slight modification on your suggestion worked!

I made a shortcut on the desktop to gpedit.msc, and then I could run it from my
admin account and revise the policy to be less restrictive.
thanks a lot!!
 
Vincent Lape

congrats!!
colinrei said:
good news! using a slight modification on your suggestion worked!

I made a shortcut on the desktop to gpedit.msc, and then I could run it from my
admin account and revise the policy to be less restrictive.
thanks a lot!!
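
Added example, not part of the original thread: the user-side restrictions described above (no Run, no Shut Down, hidden drives, blocked registry tools and command prompt) are stored as registry values under the current user's Policies keys, so a read-only report of those values shows which ones are in effect for the logged-on account before or after editing the policy in gpedit.msc. It assumes PowerShell is available on the machine; the function name and the symptom wording are chosen for this example.

```powershell
# Added example: read-only report of the per-user policy values that
# correspond to the symptoms described in this thread. Nothing is modified.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$cmdPol   = 'HKCU:\Software\Policies\Microsoft\Windows\System'

# One entry per restriction: where it lives and what the user sees.
$checks = @(
    @{ Path = $explorer; Name = 'NoRun';                Symptom = 'Run is missing from the Start menu' }
    @{ Path = $explorer; Name = 'NoClose';              Symptom = 'Shut Down is unavailable' }
    @{ Path = $explorer; Name = 'NoDrives';             Symptom = 'Drives are hidden in Explorer' }
    @{ Path = $explorer; Name = 'NoViewOnDrive';        Symptom = 'Drives cannot be opened in Explorer' }
    @{ Path = $explorer; Name = 'NoControlPanel';       Symptom = 'Control Panel is blocked' }
    @{ Path = $explorer; Name = 'NoFolderOptions';      Symptom = 'Folder Options is missing from Tools' }
    @{ Path = $system;   Name = 'DisableRegistryTools'; Symptom = 'Registry editing tools are blocked' }
    @{ Path = $cmdPol;   Name = 'DisableCMD';           Symptom = 'Command prompt is disabled' }
)

function Get-UserPolicyRestriction {
    param([hashtable[]]$Checks)

    foreach ($c in $Checks) {
        # A missing key or value means the policy is "Not Configured".
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($c.Name) } else { $null }

        [pscustomobject]@{
            Value   = $c.Name
            Data    = $value
            # Any non-zero data (a flag or a drive bitmask) means the restriction applies.
            Active  = ($null -ne $value -and $value -ne 0)
            Symptom = $c.Symptom
        }
    }
}

Get-UserPolicyRestriction -Checks $checks | Format-Table -AutoSize
```

Run it once in the administrator's session and once in the children's account to confirm the restrictions apply only where intended.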
 
