Re: Save me from my stupidity
From: stefanT (stefanT_at_discussions.microsoft.com)
Date: 12/28/04
- Next message: Susan: "Re: O1 - Hosts: 64.91.255.87 www.dcsresearch.com"
- Previous message: siljaline: "Re: full system scan using ad-ware free SE 1.05"
- In reply to: Roger Abell: "Re: Save me from my stupidity"
- Next in thread: stefanT: "Re: Save me from my stupidity"
- Reply: stefanT: "Re: Save me from my stupidity"
Date: Tue, 28 Dec 2004 03:57:02 -0800
Well and truly - grabbed by the short and curlies.
Before I start on the recovery I'd like to make sure I'm clear about what
I'm doing. As I understand it from the Local-Sec-Stngs/Loc-Pol -- GP/concepts
help, local policy is stored in a file (in ..\system32\GroupPolicy?) and
pulled into the registry at bootup. It sounds as though the fix is to hide
this from the registry when booting, correct the error and then pull it in by
refreshing the registry.
In order to do this I think you are advising to set the NTFS permissions on
.../Sys32/GP
to deny access for the admins group. If this is the case then I'm not sure
that I can do it - won't I need to be in Windows - or can I do this somehow
from the Recovery Console?
StefanT
"Roger Abell" wrote:
> Hmmm, got bitten a little by that one? At least we can get
> you out of it, and it is likely one of the worst, for a machine
> that is not a domain controller, that one can accident upon
> while tightening a machine. Just remember that deny always
> overrules a grant, and the Users, Authenticated Users, Everyone,
> Network, and Interactive have wide impacts.
>
> OK, so you need, as an admin, to locate your folder permissions
> at system32\GroupPolicy and there set a Deny of full for the
> Administrators group. Then, log off and back on, remove the
> Deny you just set, and then immediately edit the local security
> policies to remove the problem setting.
> At a cmd prompt force refresh of policy (at prompt enter secedit
> and go to the How to . . . refresh ), then log off and back in to see
> if you are now set to go.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "stefanT" <stefanT@discussions.microsoft.com> wrote in message
> news:C3BF937E-61C3-4DE7-9930-F7E6449BF071@microsoft.com...
> > After being given "Hardening Windows Systems" for Christmas I decided to
> > play about with the local policy settings on my networked W2k Pro machine.
> > I set up a test group to check out the impact of denying local login, but,
> > idiot that I am, I accidentally chose the normal user group and now I can't
> > get back in !-(
> > I don't seem to be able to access the shared C drive from the network, but
> > I can log in as Admin from the recovery console. I tried doing a repair
> > install but, as I suspected, this didn't reset the policy.
> > Can anyone suggest a way of re-enabling local login? I can work from the
> > recovery console or I can boot into Linux and access the full C drive if
> > necessary.
> >
> > StefanT
>
>
>
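
The lockout in this thread came from a deny-logon right assigned to a broad built-in group, which overrides any grant. The following is an added example, not part of the original posts: a check that scans security-template text (assumed to be in the INF format that `secedit /export` writes) for deny-logon rights given to the wide-impact groups named in the reply, plus Administrators; the function names and the sample template are constructed for illustration.

```python
# Added example (not from the thread): flag deny-logon rights held by broad groups.
# Well-known SIDs of the wide-impact groups named in the reply, plus Administrators.
BROAD = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "Network",
    "S-1-5-4": "Interactive",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
}
DENY_RIGHTS = {
    "sedenyinteractivelogonright": "Deny logon locally",
    "sedenynetworklogonright": "Deny access to this computer from the network",
}
_BY_NAME = {name.lower(): name for name in BROAD.values()}

def _principal(entry):
    """Map one template entry (*SID or account name) to a broad group name, or None."""
    entry = entry.strip().strip('"')
    if entry.startswith("*"):                      # "*S-1-5-32-545" form
        return BROAD.get(entry[1:].upper())
    return _BY_NAME.get(entry.rsplit("\\", 1)[-1].lower())  # "BUILTIN\Users" or "Users"

def risky_denies(inf_text):
    """Return (right, group) pairs where a deny-logon right names a broad group."""
    findings, section = [], None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):       # blank line or INF comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        right = DENY_RIGHTS.get(key.strip().lower())
        if right is None:
            continue
        for entry in value.split(","):
            group = _principal(entry)
            if group:
                findings.append((right, group))
    return findings

# Constructed sample template: the test group was meant, but Users was chosen too.
SAMPLE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-32-545,TestGroup
SeDenyNetworkLogonRight = Guest
"""
```

Running `risky_denies` over a template before importing it shows which deny entries would take effect for every ordinary account regardless of the grants alongside them.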