Re: Win2k Server locked Down - real security policy - How do I unlock things?
From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: Sat, 14 Aug 2004 16:09:25 GMT
I don't know if I can help you with everything, but here are a few thoughts.
There are free tools you can use to reset local administrator passwords with as shown
It can be difficult to track down lockdowns if the previous admin did not leave
documentation. If he modified the registry instead of using group policy, that can be
very difficult and in the end a reinstall may be the way to go and ultimately save
time. There are some decent books on modifying the registry that you may want to
purchase to keep on hand such as the Admin911 book. There is a way to use secedit to
reset security settings to default for the Local Security Policy as shown in the
second link below. You can also use the Security Configuration and Analysis mmc
snapin tool to analyze computer security setting configuration and often running it
against the setup security.inf template can be helpful. An in-place upgrade install
may be worth a try on a computer. Read the description of what it does and realize
you need to reapply the service pack first and then all critical updates to the computer
after doing it. It should however preserve data and applications.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;313222 -- using secedit.
http://www.lokbox.net/SecureXP/secAnalysis.asp -- Security Configuration and
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q306952 -- in place upgrade
Scripts can be run in a number of places including logon scripts in the user account
properties. Group Policy scripts can be startup, logon, logoff, shutdown. They can be
found by viewing the appropriate Group Policy which may be local. Event Viewer may
also record the success or failure of a script being applied. See below for more info
on Group Policy scripts.
I cannot think offhand of a place in Group Policy where those restrictions are being
applied. If you look under user configuration/administrative templates/desktop you
will see options for desktop restrictions. Note that restrictions differ depending on
if you are using regular or active desktop. Sometimes you can try to enable or
disable a Group Policy setting to override an existing setting that may have been
made in the registry manually. The gpresult tool can be very helpful in seeing what
Group Policy settings are applied to a computer and logged on users. It will show the
policies being applied and the last time applied. If you use the /v switch you can
see very detailed info on Group Policy settings. If you have a Windows XP Pro
computer on the domain, you can use it and the Group Policy Management Console to
manage Group Policy for a W2K domain which is a huge improvement in managing and
configuring Group Policy. If you are using Group Policy at the domain level/OU, it
would be a good idea to temporarily enable the "refresh security policy" and
"refresh registry policy" settings under computer configuration/administrative
templates/system/Group Policy to force refresh of Group Policy settings even if they
have not been changed.
http://support.microsoft.com/default.aspx?scid=kb;en-us;321709 -- gpresult.
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx -- GPMC
http://www.tburke.net/info/regentry/topics/GPRef.htm -- Group Policy Registry
Check the contents of any autoexec.bat files on your computers. Normally they do not
work but there is a way to make them work which I forget off hand but I believe it
requires a non default service to run. You want to check Scheduled Tasks to see if
anything is set to run there that you do not know about and use the free Autoruns
tool from SysInternals which will show the startup programs on a computer which may
come from MANY places. Another thing to look into is the possibility that the old
style System Policies have been applied to a computer. You can use poledit.exe to
open and view System Policies.
Hopefully this will give you a start. --- Steve
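As an added example, not part of Steve's reply or James's post, the following batch script collects the places Steve describes (gpresult output, registry policy keys, local Group Policy scripts, old-style System Policy files, Run keys, the Scheduled Tasks folder and autoexec.bat) into one report so the lockdown can be traced. It assumes reg.exe and gpresult.exe are available (Windows 2000 Support Tools / Resource Kit; built into XP) and that it is run as a local administrator; the report path is an assumption.

```batch
@echo off
rem Added example, not from the original thread: gather the places Steve lists
rem (gpresult, registry policy keys, local GPO scripts, System Policy file,
rem Run keys, Scheduled Tasks, autoexec.bat) into one report for review.
rem Assumes reg.exe and gpresult.exe are present (Win2k Support Tools /
rem Resource Kit; built into XP) and that it runs as a local administrator.
setlocal
set REPORT=%TEMP%\lockdown-audit.txt
echo Lockdown audit: %COMPUTERNAME% as %USERNAME% %DATE% %TIME% > "%REPORT%"

rem 1. Effective Group Policy: which GPOs applied, when, and (with /v) each setting.
echo.>> "%REPORT%" & echo === gpresult /v === >> "%REPORT%"
gpresult /v >> "%REPORT%" 2>&1

rem 2. Registry-based policy, including values set by hand rather than by a GPO.
rem    Explorer desktop and save restrictions live under ...\Policies\Explorer.
for %%K in (
  "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies"
  "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies"
  "HKCU\Software\Policies"
  "HKLM\Software\Policies"
) do (
  echo.>> "%REPORT%" & echo === %%~K === >> "%REPORT%"
  reg query %%K /s >> "%REPORT%" 2>&1
)

rem 3. Local GPO startup/shutdown/logon/logoff scripts and the scripts.ini listing them.
echo.>> "%REPORT%" & echo === Local GPO scripts === >> "%REPORT%"
dir /s /b "%SystemRoot%\System32\GroupPolicy" >> "%REPORT%" 2>&1
type "%SystemRoot%\System32\GroupPolicy\Machine\Scripts\scripts.ini" >> "%REPORT%" 2>nul
type "%SystemRoot%\System32\GroupPolicy\User\Scripts\scripts.ini" >> "%REPORT%" 2>nul

rem 4. Old-style System Policy (poledit) files, kept in SYSVOL/NETLOGON on a DC.
echo.>> "%REPORT%" & echo === System Policy files === >> "%REPORT%"
dir /s /b "%SystemRoot%\SYSVOL\*.pol" >> "%REPORT%" 2>&1

rem 5. Autostart locations: Run keys, the Scheduled Tasks folder, autoexec.bat.
echo.>> "%REPORT%" & echo === Run keys === >> "%REPORT%"
for %%K in (
  "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
  "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
  "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
  "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
) do reg query %%K >> "%REPORT%" 2>&1
echo.>> "%REPORT%" & echo === Scheduled Tasks === >> "%REPORT%"
dir /b "%SystemRoot%\Tasks" >> "%REPORT%" 2>&1
echo.>> "%REPORT%" & echo === autoexec.bat === >> "%REPORT%"
type "%SystemDrive%\autoexec.bat" >> "%REPORT%" 2>nul
echo Report written to %REPORT%
endlocal
```

Review the report for Policies values, scripts and autostart entries that have no matching GPO in the gpresult section; those are the candidates for manual registry edits that Group Policy will not show.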
"James W. Long" <JamesLong@wowway.com> wrote in message
> Dear ALL:
> I am locked down and I don't NEED it.
> I need it fixed now.
> Win2k DC/DNS/Terminal Server/other
> SERVER at Server Console.
> WIN2k PRO client,
> the old Admins original workstation,
> (now mine)
> Both exhibit similar lockdown behavior so
> I know our old admin did this
> He also did not leave us some
> important passwords etc...
> so guess the behavior for yourself.
> I am the new company Administrator,
> and this is making my new experience difficult
> and somewhat embarrassing.
> The problem:
> the problem, I believe, is with certain handwritten security policies
> which are implemented on the DC's and my workstation
> (which used to be the old admin's) which the old admin
> wrote and I don't know how to fix.
> 1. Not a single icon on the desktop is movable,
> and no, it's NOT in autoarrange mode.
> If I pick up an icon it will not be put down
> elsewhere. It just IGNORES me!
> they go right back where they came from.
> this is clearly a POLICY.
> keep reading.
> 2. I can't save a webpage/website - it's not allowed,
> it becomes deleted immediately
> and yes, there are full write rights
> to the destination folder. This is clearly a POLICY.
> keep reading.
> 3. there are other security quirks I don't understand.
> which are also clearly policy.
> The old admin WROTE SCRIPTS
> and put them in a folder someplace.
> like USER and MACHINE Security folders.
> A. Where
> B. What am I looking for?
> C. How do I undo this BS crap?
> maybe I should ask how to
> accomplish these things on specific machines
> then I would better know
> how to undo it? is that of any help?
> I don't see it in secpol or gpedit
> I assume he added these things in manually,
> copied stuff to the security folders
> then did a secpol /refresh all_users
> and a secpol /refresh local_machine
> or similar.
> Any help would be greatly appreciated,
> you can email me at JamesLong@DunhamsHQ.com