Re: Win2k Server locked Down - real security policy - How do I unlock things?

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 08/14/04


Date: Sat, 14 Aug 2004 16:09:25 GMT

Hey Jim.

I don't know if I can help you with everything, but here are a few thoughts.

There are free tools you can use to reset local administrator passwords, as shown
below.

http://www.petri.co.il/forgot_administrator_password.htm

It can be difficult to track down lockdowns if the previous admin did not leave
documentation. If he modified the registry instead of using group policy, that can be
very difficult and in the end a reinstall may be the way to go and ultimately save
time. There are some decent books on modifying the registry that you may want to
purchase to keep on hand such as the Admin911 book. There is a way to use secedit to
reset security settings to default for the Local Security Policy as shown in the
second link below. You can also use the Security Configuration and Analysis mmc
snapin tool to analyze computer security setting configuration and often running it
against the setup security.inf template can be helpful. An in-place upgrade install
may be worth a try on a computer. Read the description of what it does and realize
you need to reapply first service pack and then all critical updates to the computer
after doing it. It should however preserve data and applications.

http://www.bookpool.com/.x/t2nebxz1ni/sm/0072129468
http://support.microsoft.com/default.aspx?scid=kb;EN-US;313222 -- using secedit.
http://www.lokbox.net/SecureXP/secAnalysis.asp -- Security Configuration and
Analysis tool.
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q306952 -- in place upgrade
install.

Scripts can be run in a number of places including logon scripts in the user account
properties. Group Policy scripts can be startup, logon, logoff, shutdown. They can be
found by viewing the appropriate Group Policy which may be local. Event Viewer may
also record the success or failure of a script being applied. See below for more info
on Group Policy scripts.

http://support.microsoft.com/default.aspx?scid=kb;en-us;198642
http://support.microsoft.com/default.aspx?scid=kb;EN-US;322241

I can not think offhand of a place in Group Policy where those restrictions are being
applied. If you look under user configuration/administrative templates/desktop you
will see options for desktop restrictions. Note that restrictions differ depending on
if you are using regular or active desktop. Sometimes you can try to enable or
disable a Group Policy setting to override an existing setting that may have been
made in the registry manually. The gpresult tool can be very helpful in seeing what
Group Policy settings are applied to a computer and logged on users. It will show the
policies being applied and the last time applied. If you use the /v switch you can
see very detailed info on Group Policy settings. If you have a Windows XP Pro
computer on the domain, you can use it and the Group Policy Management Console to
manage Group Policy for a W2K domain which is a huge improvement in managing and
configuring Group Policy. If you are using Group Policy at the domain level/OU, it
would be a good idea to temporarily enable the "refresh security policy" and
"refresh registry policy" settings under computer configuration/administrative
templates/system/Group Policy to force refresh of Group Policy settings even if they
have not been changed.

http://support.microsoft.com/default.aspx?scid=kb;en-us;321709 -- gpresult.
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx -- GPMC
http://www.tburke.net/info/regentry/topics/GPRef.htm -- Group Policy Registry
reference

Check the contents of any autoexec.bat files on your computers. Normally they do not
work but there is a way to make them work which I forget off hand but I believe it
requires a non default service to run. You want to check Scheduled Tasks to see if
anything is set to run there that you do not know about and use the free Autoruns
tool from SysInternals which will show the startup programs on a computer which may
come from MANY places. Another thing to look into is the possibility that the old
style System Policies have been applied to a computer. You can use poledit.exe to
open and view System Policies.

http://support.microsoft.com/?kbid=269799
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q318753
http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml -- Autoruns

Hopefully this will give you a start. --- Steve

"James W. Long" <JamesLong@wowway.com> wrote in message
news:AvOdnfXy-YSRhYPcRVn-sQ@wideopenwest.com...
> Dear ALL:
>
> I am locked down and I don't NEED it.
> I need it fixed now.
>
> Win2k DC/DNS/Terminal Server/other
> SERVER at Server Console.
>
> WIN2k PRO client,
> the old Admins original workstation,
> (now mine)
>
> Both exhibit similar lockdown behavior so
> I know our old admin did this.
> He also did not leave us some
> important passwords etc...
> so guess the behavior for yourself.
>
> I am the new company Administrator,
> and this is making my new experience difficult
> and somewhat embarrassing.
>
> The problem:
> the problem, I believe, is with certain handwritten security policies
> which are implemented on the DC's and my workstation
> (which used to be the old admin's) which the old admin
> wrote and I don't know how to fix.
>
> 1 Not a single icon on the desktop is movable,
> and no, it's NOT in auto-arrange mode.
> If I pick up an icon it will not be put down
> elsewhere. It just IGNORES me!
> they go right back where they came from.
> this is clearly a POLICY.
> keep reading.
>
> 2. I can't save a webpage/website - it's not allowed,
> it becomes deleted immediately
> and yes, there are full write rights
> to the destination folder. This is clearly a POLICY.
> keep reading.
>
> 3. there are other security quirks I don't understand.
> which are also clearly policy.
>
> The old admin WROTE SCRIPTS
> and put them in a folder someplace.
> like USER and MACHINE Security folders.
>
> A. Where
> B What Am I looking for?
> C. How do I undo this BS crap?
>
> maybe I should ask how to
> accomplish these things on specific machines
> then I would better know
> how to undo it? is that of any help?
>
> I don't see it in secpol or gpedit
> I assume he added these things in manually,
> copied stuff to the security folders
> then did a secpol /refresh all_users
> and a secpol /refresh local_machine
> or similar.
>
>
> Any help would be greatly appreciated,
>
> you can email me at JamesLong@DunhamsHQ.com
>
>
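
A local Group Policy Object keeps its Administrative Templates settings in Registry.pol files under %SystemRoot%\System32\GroupPolicy\Machine and \User, so reading those files directly shows which registry-backed restrictions that policy applies. The Python parser below for the PReg file format is an added example, not part of the original post; the sample bytes are constructed and the ExampleVendor key is hypothetical.

```python
import struct

REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD"}
U = lambda s: s.encode("utf-16-le")  # PReg text and delimiters are UTF-16LE

def _expect(blob, pos, ch):
    if blob[pos:pos + 2] != U(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _wstr(blob, pos):  # NUL-terminated UTF-16LE string, then ';'
    end = pos
    while blob[end:end + 2] != b"\x00\x00":
        if end + 2 > len(blob):
            raise ValueError("unterminated string")
        end += 2
    return blob[pos:end].decode("utf-16-le"), _expect(blob, end + 2, ";")

def _dword(blob, pos):  # little-endian DWORD, then ';'
    return struct.unpack_from("<I", blob, pos)[0], _expect(blob, pos + 4, ";")

def parse_registry_pol(blob):
    """Return (key, value, type_name, data) per [key;value;type;size;data] entry."""
    if blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version 1 Registry.pol file")
    pos, out = 8, []
    while pos < len(blob):
        pos = _expect(blob, pos, "[")
        key, pos = _wstr(blob, pos)
        value, pos = _wstr(blob, pos)
        rtype, pos = _dword(blob, pos)
        size, pos = _dword(blob, pos)
        data = blob[pos:pos + size]
        pos = _expect(blob, pos + size, "]")
        if rtype == 4 and size == 4:
            data = struct.unpack("<I", data)[0]
        elif rtype in (1, 2):
            data = data.decode("utf-16-le").rstrip("\x00")
        out.append((key, value, REG_TYPES.get(rtype, f"type {rtype}"), data))
    return out

def _entry(key, value, rtype, data):  # builds one entry for the sample below
    return (U("[" + key + "\0;" + value + "\0;") + struct.pack("<I", rtype)
            + U(";") + struct.pack("<I", len(data)) + U(";") + data + U("]"))

# Constructed sample, not from a real machine; the ExampleVendor key is hypothetical.
EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SAMPLE = (b"PReg" + struct.pack("<I", 1)
          + _entry(EXPLORER, "NoSaveSettings", 4, struct.pack("<I", 1))
          + _entry(r"Software\Policies\ExampleVendor", "Banner", 1, U("hello\0")))

print(parse_registry_pol(SAMPLE))
```

To audit a machine, pass the bytes of each Registry.pol file to `parse_registry_pol` and compare the listed values with what gpresult reports.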


