
Thread: Group Policy Disaster!!

  1. #1
    Senior Member
    Join Date
    Aug 2003
    Posts
    508
    Thanks
    0
    Thanked
    0 times in 0 posts

    Group Policy Disaster!!

    I was 'playing' with the group policies of my Server 2003 domain earlier, thinking that my user account (which I use for all administrative duties) was in an OU with no policies applied.

    However, upon logging out and back in, I discovered that I am completely locked down and cannot do anything or make any changes to anything.

    I have locked down all MMC snap-ins, meaning I can't change the group policy.

    Is there any way out of this (short of rebuilding my DC)?

    My domain consists of one DC and 2 workstations. The Administrator account on all PCs has been disabled and the only account which isn't affected is my local account on one of the workstations...

    Oops!

  2. #2
    Administrator Moby-Dick's Avatar
    Join Date
    Jul 2003
    Location
    There's no place like ::1 (IPv6 version)
    Posts
    10,665
    Thanks
    53
    Thanked
    385 times in 314 posts
    Could be a job for ERD Commander to create another account?
    my Virtualisation Blog http://jfvi.co.uk Virtualisation Podcast http://vsoup.net

  3. #3
    Senior Member
    I've locked down application installs and all drives as well!!

  4. #4
    Administrator Moby-Dick's Avatar
    What about on boot?

    ERD is a boot CD.

  5. #5
    Senior Member
    Yeah, just checked it out, bloody expensive though!! (for something that I will probably only use the once, having learnt my lesson!)

  6. #6
    Administrator Moby-Dick's Avatar
    Ah, I thought there might be an evaluation edition.

    Did you install the recovery console?

  7. #7
    Oh no!I've re-dorkalated! Jiff Lemon's Avatar
    Join Date
    Jul 2003
    Location
    Sunny MK
    Posts
    2,504
    Thanks
    80
    Thanked
    44 times in 41 posts
    You tried booting the DC into safe mode?

  8. #8
    Oh no!I've re-dorkalated! Jiff Lemon's Avatar
    Or possibly boot a workstation into safe mode, as Software Restriction Policies don't apply when Windows is started in Safe Mode.

    Log on as a local administrator, modify the policy, run gpupdate, restart the computer, and then log on normally.

    Have you got the 2003 Group policy editor installed on a machine?

  9. #9
    Senior Member
    Quote: Originally Posted by Jiff Lemon
    Or possibly boot a workstation into safe mode, as Software Restriction Policies don't apply when Windows is started in Safe Mode.

    Log on as a local administrator, modify the policy, run gpupdate, restart the computer, and then log on normally.

    Have you got the 2003 Group policy editor installed on a machine?

    Right, booting the DC in safe mode doesn't work - policies still applied!

    I'm currently logged onto the workstation with my local account and can access the hard disks of the DC...

    I don't have Server 2003 Group Policy Editor on this workstation.

  10. #10
    Oh no!I've re-dorkalated! Jiff Lemon's Avatar
    Did you modify the default domain policy or apply the policy to the Computers OU?

  11. #11
    Senior Member
    Modified the default

  12. #12
    Oh no!I've re-dorkalated! Jiff Lemon's Avatar
    You got the admin tools installed on the machine? I'm presuming when you try and connect to the Active Directory Users and Computers MMC, the policy gets applied and you get stuffed?

  13. #13
    Senior Member
    No, I can't connect to the AD because I am logged on with a local workstation account, not a domain account..

    I can see the SYSVOL from here though, if that's any help?

  14. #14
    Oh no!I've re-dorkalated! Jiff Lemon's Avatar
    Well, you could try renaming (NOT deleting!) the Policies folder. However I suspect the existing policies will remain in place, as there's nothing to override them.

    Clutching at straws, you could try manually editing the policies (make a copy, edit the copy with notepad, rename the original).

    A blank *default* GPO has a machine folder (empty), User folder (empty) and a gpt.ini file with the following entry.

    [General]
    Version=0
    displayName=New Group Policy Object

    Now if you could work out which GPO was the default (hopefully by looking at the modified date), you may be able to replace it..... But we're clutching at straws!
    Last edited by Jiff Lemon; 14-06-2004 at 11:25 PM.
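
The check suggested in post #14 (find which GPO folder is the default one and whether it has been edited), as an added example that is not part of the original thread. It assumes a copy of the SYSVOL Policies folder is readable, relies on the well-known GUIDs of the two built-in GPOs and on the gpt.ini Version layout (high 16 bits count user-side edits, low 16 bits computer-side edits), and runs on constructed sample data; the non-default GUID and the timestamps are made up.

```python
import configparser
import os
import tempfile
from pathlib import Path

# Well-known GUIDs of the two GPOs that every domain is created with.
WELL_KNOWN = {
    "{31B2F340-016D-11D2-945F-00C04FB984F9}": "Default Domain Policy",
    "{6AC1786C-016D-11D2-945F-00C04FB984F9}": "Default Domain Controllers Policy",
}

def read_gpt_ini(path):
    """Return (user_version, computer_version, display_name), or None if unreadable."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(Path(path).read_text(encoding="utf-8-sig", errors="replace"))
        general = cp["General"]
        version = int(general.get("version", "0"))
    except (configparser.Error, KeyError, ValueError):
        return None  # damaged or hand-edited file: report it, do not guess
    # Version packs two counters: high 16 bits = user, low 16 bits = computer.
    return version >> 16, version & 0xFFFF, general.get("displayname")

def audit_policies(policies_dir):
    """Describe each GPO folder in a Policies copy, most recently changed first."""
    rows = []
    for ini in Path(policies_dir).glob("*/*"):
        if ini.name.lower() != "gpt.ini":  # name case varies between systems
            continue
        guid = ini.parent.name.upper()
        rows.append({"guid": guid, "role": WELL_KNOWN.get(guid, "other GPO"),
                     "versions": read_gpt_ini(ini), "mtime": ini.stat().st_mtime})
    return sorted(rows, key=lambda r: r["mtime"], reverse=True)

def build_sample(root):
    """Constructed sample: an edited default policy and a blank GPO."""
    blank = "Version=0\ndisplayName=New Group Policy Object\n"
    samples = {  # folder name -> (gpt.ini body, modification time)
        "{31B2F340-016D-11D2-945F-00C04FB984F9}": ("Version=1376277\n", 1_700_000_000),
        "{11111111-2222-3333-4444-555555555555}": (blank, 1_600_000_000),
    }
    for guid, (body, mtime) in samples.items():
        ini = Path(root) / guid / "gpt.ini"
        ini.parent.mkdir()
        ini.write_text("[General]\n" + body)
        os.utime(ini, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*audit_policies(tmp), sep="\n")
```

A non-zero version on the Default Domain Policy folder together with a recent modification time is the sign that the default policy itself was edited, which is the situation this thread describes.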

  15. #15
    Senior Member
    Ok, got it sorted...

    What I did was to rename the Policies directories from the workstation.

    Then, created a batch file which ran dcgpofix and gpupdate (couldn't access a run command on the DC to do this)

    I put that batch file into the start menu of my Domain account on the DC (couldn't use any other hard-disk location because they were locked down).

    I ran the batch file on the DC and it seems to have worked...

    Thanks for the advice guys

  16. #16
    Oh no!I've re-dorkalated! Jiff Lemon's Avatar
    Whew!

    Now remember the golden rule....

    "Thou shalt not modify the default domain policy"

    If you've not already got it, get the group policy editor from MS

    Linky

    Makes playing with Group Policy a lot more fun.
