Re: MMC - admin locked out too

From: Roger Abell [MVP] (mvpNOSPAM@asu.edu)
Date: 12/29/02


From: "Roger Abell [MVP]" <mvpNOSPAM@asu.edu>
Date: Sun, 29 Dec 2002 00:31:34 -0700

The method that Doug mentioned is outlined here
http://support.microsoft.com/?scid=293655
Personally I find it rather messy, and would not
recommend trying it until one is pretty certain what
one wants as the settings. You would not want to
be doing this more than absolutely necessary.

If what you want is to enforce restrictions on all
accounts except some that you are happy having
no restrictions, just use the Deny trick to exempt
those accounts from policy application. You just
need to remember that the Deny must be removed
from an admin account before it can edit policy,
and you certainly want to remember to put the Deny
back in place after the edit. I would suggest that
you use Deny for two admin accounts by account
name rather than by the Administrators group in
order to reduce the chance of accidentally getting
locked out again.

--
Roger Abell
MS MVP (Security, Windows), MCDBA,  MCSE both
Associate Expert - Windows XP ExpertZone
http://www.microsoft.com/windowsxp/expertzone
"ericB" <Cyber-Fiend@pacbell.net> wrote in message
news:028e01c2aee1$d82986f0$d3f82ecf@TK2MSFTNGXA10...
> Roger,
> You're a prince.
>
> Now.. u wouldn't happen to know any reference material on
> how I can accomplish what I was TRYING to accomplish:
>
> Limit access to Regedit, MMC, command line, etc. &
> restrict such items to Administrators only.
>
> again, thanks.  I'm in the second week of my process of
> reconstructing my hard drive because a "computer
> knowledgeable friend" messed up a few things & I dreaded
> starting that process over again :D
>
>
> ====[ A Fellow Voyager on this JourneyQuest Called --- LIFE ]===
> ericB aka Cyber-Fiend
>
>
>
>
> >-----Original Message-----
> >As an alternative to your predicament, locate the
> >GroupPolicies folder in Windows\System32 and
> >set a Deny of Full Control for the Administrators.
> >Then, log off and back in as an admin, remove
> >the Deny, and edit local policy to remove what
> >you do not want applied to _all_ users, including
> >Administrators.
> >
> >If you are not interoperating with Windows 2000
> >systems you probably do not want to weaken the
> >XP system by enabling any of the old W2k behaviors.
> >
> >--
> >Roger
> >
> >"ericB" <Cyber-Fiend@pacbell.net> wrote in message
> >news:018d01c2aed4$88bbbd20$d6f82ecf@TK2MSFTNGXA13...
> >> I'm on my PC, a standalone PC, running WinXP, with one
> >> Administrator acct, two accts with admin privileges, one
> >> acct with user privileges & the guest acct.  I was in
> >> MMC.  I created a new console for security & was in
> >> group/local policies, setting restrictions on what could
> >> be done on the computer by users.  EVERYTHING I set said
> >> it was supposed to affect what users could or could not
> >> do.  Such as restricting running MMC, no "Run" or command
> >> line, etc.  I only wanted admins to have those
> >> privileges.  When I closed MMC, now, even I can't get to
> >> cmd line, Run cmd, or open MMC.  It keeps saying talk to
> >> your system administrator.   I AM the system
> >> administrator.  What happened?
> >>
> >> Did I mess up by setting those things that said something
> >> about "they work in Win 2000" ?  Was I only supposed to
> >> set the ones that said WinXP?  Please help.
> >>
> >> 1.  How do I get the Run cmd to work now?
> >> 2. After doing so, how do I get MMC to recognize my admin
> >> password?
> >>
> >> thanks
> >> ericB
> >
> >
> >.
> >
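
The Deny workflow described in the reply above (exempt two named admin accounts, lift the Deny only for the duration of a policy edit, then put it back), as an added example that is not part of the original posts. It assumes PowerShell is installed, an elevated admin session, the local policy store at %SystemRoot%\System32\GroupPolicy, and two hypothetical account names (admin1, admin2); all function names are made up for the illustration.

```powershell
# Added example, not from the thread. Run from an elevated admin session.
# admin1/admin2 are hypothetical placeholders for the two exempted admin accounts.
$PolicyDir    = Join-Path $env:SystemRoot 'System32\GroupPolicy'
$ExemptAdmins = "$env:COMPUTERNAME\admin1", "$env:COMPUTERNAME\admin2"

function New-DenyRule([string]$Account) {
    # Deny Full Control on the folder, inherited by its subfolders and files
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Account, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Deny'
}

function Set-PolicyDeny([string]$Account, [bool]$Present) {
    $acl  = Get-Acl -Path $PolicyDir
    $rule = New-DenyRule $Account
    if ($Present) { $acl.AddAccessRule($rule) }        # account is exempt from local policy
    else          { $acl.RemoveAccessRuleAll($rule) }  # drop every Deny ACE for the account
    Set-Acl -Path $PolicyDir -AclObject $acl
}

function Test-PolicyDeny([string]$Account) {
    # True when an explicit Deny / Full Control ACE exists for the account
    $sid = (New-Object System.Security.Principal.NTAccount $Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    $explicit = (Get-Acl -Path $PolicyDir).GetAccessRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier])
    [bool]($explicit | Where-Object {
        $_.AccessControlType       -eq 'Deny' -and
        $_.FileSystemRights        -eq 'FullControl' -and
        $_.IdentityReference.Value -eq $sid })
}

function Edit-LocalPolicy([string]$Account) {
    # Lift the Deny only while the policy editor is open; always restore it
    Set-PolicyDeny $Account $false
    try     { Start-Process mmc.exe -ArgumentList 'gpedit.msc' -Wait }
    finally { Set-PolicyDeny $Account $true }
    if (-not (Test-PolicyDeny $Account)) { Write-Warning "Deny not restored for $Account" }
}

function Get-ExemptionStatus {
    # One row per exempted account, for a quick check after any change
    foreach ($a in $ExemptAdmins) {
        New-Object PSObject -Property @{ Account = $a; DenyInPlace = (Test-PolicyDeny $a) }
    }
}

# Typical use (left commented out because it changes ACLs):
#   $ExemptAdmins | ForEach-Object { Set-PolicyDeny $_ $true }   # initial exemption
#   Edit-LocalPolicy $ExemptAdmins[0]                            # edit, Deny restored after
#   Get-ExemptionStatus
```

Running `Get-ExemptionStatus` after every policy edit confirms that both named accounts still carry the Deny, which is the step the reply warns is easy to forget.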

