
Group Policy Disaster!!


Chez (Member; joined Oct 10, 2002; Dallas, TX)

I was 'playing' with the group policies of my Server 2003 domain earlier, thinking that my user account (which I use for all administrative duties) was in an OU with no policies applied.

However, upon logging out and back in, I discovered that I am completely locked down and cannot do anything or make any changes to anything.

I have locked down all MMC snap-ins, meaning I can't change the group policy.

Is there any way out of this (short of rebuilding my DC)?

My domain consists of one DC and 2 workstations. The Administrator account on all PCs has been disabled and the only account which isn't affected is my local account on one of the workstations...

Oops!
 
Well, if you can find a program that will allow you to reset the admin password through DOS, then you have a workaround.

I do not know the name of the one we use at my university, but it does the trick every time.
 
Microsoft has a tool that will reset all GPOs back to the default. Prolly cost you 250$ for the call though!
You may need admin access to do this though.
This could also probably be fixed by booting into AD Restore mode, and using ADSI Edit to edit the AD database and remove all instances of the GPO. Might cause other problems.... YMMV!
Interesting problem though.

Next time, make sure that the GPO does NOT apply to "all authenticated users", just the groups that need the GPO applied (if you are editing the Default Domain Policy).
You could always make a new OU, create a new GPO for that OU and place all needed users in the new OU...

Another thing that you can try is to boot into AD restore mode, edit the registry to make the logon screen saver set to "cmd.exe" and the time out set to 1 second. Then reboot into normal mode. When the server comes up, do not log on; wait for the command prompt to open. It will open with admin rights. Then type "dsa.msc" to open AD Users and Computers. Then remove the GPO that is causing problems...


Good luck!~
 
Thanks for the advice, guys. I got it sorted in the end, here's what I did -

I renamed the Policies directories from a workstation (logged on with a local account).

Then, created a batch file which ran dcgpofix and gpupdate (couldn't access a run command on the DC to do this).

I put that batch file into the start menu of my Domain account on the DC (couldn't use any other hard-disk location because they were locked down).

I ran the batch file on the DC and it seems to have worked...
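
Added example, not part of the original thread and not the batch file the poster used: a recovery script along the lines described above that backs up the SYSVOL Policies folder before running dcgpofix and gpupdate. The default SYSVOL path and the backup/log locations are assumptions.

```bat
@echo off
rem Added illustration; not the batch file from the thread.
rem Run on the domain controller from an account that can read SYSVOL.
setlocal

rem Assumption: SYSVOL is in its default location on the DC.
set "POLICIES=%SystemRoot%\SYSVOL\sysvol\%USERDNSDOMAIN%\Policies"
rem Hypothetical backup and log locations; adjust for your environment.
set "BACKUP=%SystemDrive%\GPO-Backup"
set "LOG=%BACKUP%\recovery.log"

if not exist "%POLICIES%" (
    echo Policies folder not found at "%POLICIES%"
    exit /b 1
)

rem Keep a copy of the current policy files before anything is reset.
if not exist "%BACKUP%" mkdir "%BACKUP%"
xcopy "%POLICIES%" "%BACKUP%\Policies" /E /I /H /K /Y >> "%LOG%" 2>&1
if errorlevel 1 (
    echo Backup failed, nothing has been changed. See "%LOG%"
    exit /b 1
)

rem Recreate the Default Domain Policy and Default Domain Controllers Policy.
rem dcgpofix asks for confirmation on the console before it makes changes.
dcgpofix /target:Both
if errorlevel 1 (
    echo dcgpofix returned a non-zero exit code; policy was not refreshed.
    exit /b 1
)

rem Reapply policy now instead of waiting for the background refresh.
gpupdate /force

rem Record the resulting set of applied GPOs for later review.
gpresult /v >> "%LOG%" 2>&1
echo Done. Review "%LOG%", then log off and on to pick up user policy.
endlocal
```

dcgpofix only resets the two default GPOs; settings in any other GPO linked to the domain or an OU are left as they are.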
 