Re: I really screwed up group policy this time...!

From: colinrei (colinrei_at_discussions.microsoft.com)
Date: 09/25/05


Date: Sat, 24 Sep 2005 20:49:02 -0700

Thanks guys for the suggestions. Here's where I'm at:
I did disable simple file sharing but,

1. no access to Run window. it's disabled
2. in Windows explorer I only see My Documents folder, can't access C: drive
3. in Safe Mode I still can't access command prompt... "disabled by admin..."

I'll try making a startup script for another user as Vincent suggested,
but my hopes are dwindling... any final ideas before fdisk?
thanks,

-- 
~colin
"Vincent Lape" wrote:
> try this
> start > Run
> secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
> 
> run it from the admin account. or you can edit the profile of the user 
> account and have it run a startup script, if you want to try a startup 
> script do this:
> 
> from admin account create a new text doc, insert the following:
> secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
> secedit /refreshpolicy machine_policy /enforce
> secedit /refreshpolicy user_policy /enforce
> 
> save it as reset.bat in the root of C:
> in the user profile: control panel > admin tools > computer mgmt > local 
> users and groups > right click user > properties > profile tab > logon script
> enter c:\reset.bat
> 
> logout and login again, if you get an error under the account saying permission 
> denied just run the reset.bat as admin. This will take the security policies 
> back to default.
> HTH
> 
> Vincent Lape
> "Nepatsfan" <nepatsfan@SBXXXIX.com> wrote in message 
> news:m_CdnUhyJuICkKveRVn-oQ@comcast.com...
> > colinrei wrote:
> >> I was trying to lock down the system for my kids use,
> >> and ended up locking it down so tight I can't do anything
> >> now...
> >> can't shutdown, can't access Run, can't execute any registry
> >> modifications, etc.
> >> I disabled just about everything I could in gpedit.msc, I
> >> didn't think it would
> >> also affect the admin account!!
> >>
> >> How can I turn the policies off, at least for myself (admin)
> >> so that I can install software, and use the machine? Or am I
> >> doomed to do a full reformat/reinstall?
> >>
> >> I tried the registry script from kellys-korner "Lift
> >> MMC/GPEDIT Snap-In Restrictions".  but since registry
> >> modifications are disabled I can't run it...
> >> help?
> >> --
> >> ~colin
> >
> > Have you opened Windows Explorer, navigated to C:\Windows\System32 and 
> > tried to run gpedit.msc from there?
> >
> > How about starting in Safe Mode with Command Prompt and entering 
> > gpedit.msc in the command prompt window?
> >
> > Odds are you probably disabled your ability to do the following
> > but I'll pass it along anyway:
> >
> > If you've turned off Simple File Sharing already then you can
> > skip these steps:
> > Disable Simple File Sharing.
> > Go to Start -> Control Panel and double click Folder Options.
> > Note: If you disabled access to Control Panel, you can try
> > accessing Folder Options through Windows Explorer's Tools menu.
> > Hopefully, you didn't block that route.
> > In Folder Options, click on the View tab.
> > Scroll down to the bottom and remove the check mark from the
> > box marked "Use simple file sharing (Recommended)".
> >
> > With Simple File Sharing disabled you need to change
> > permissions on a folder.
> > Run Windows Explorer.
> > Navigate to this location:
> > C:\Windows\System32\GroupPolicy
> > Right click on the folder and select Properties from the drop
> > down menu.
> > Click on the Security tab.
> > Click on the Administrators group to highlight it.
> > In the Permissions box, change the Read setting, and only the
> > Read setting, to Deny.
> > Click OK.
> > You'll have to log off and log back on with your account for
> > the changes to take place.
> >
> > Once you've logged back on, see if the policies you put in
> > place are still being applied to your account. Post back with
> > the results.
> >
> > Note: Once you've applied the Deny Read permission for the Administrators 
> > group you've got a new issue to deal with. You can't run gpedit.msc. If 
> > you remove the Deny permissions from the Group Policy folder to restore 
> > the ability to run the Group Policy editor you may find some of the 
> > policies put into place immediately putting you right back where you 
> > started. If that's the case, then you may have no alternative but to 
> > reinstall Windows.
> >
> > Good luck
> >
> > Nepatsfan
> >
> >
> >
> > 
> 
> 
> 
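
An added illustration, not part of the thread: Administrative Templates settings made in gpedit.msc are stored in Registry.pol files under the C:\Windows\System32\GroupPolicy folder discussed above, so listing the contents of such a file shows which restrictions are in force. The Python sketch below parses that file format; the policy value names and the sample bytes are supplied here as assumptions and constructed data, not taken from the posts.

```python
import struct

# Value names behind the symptoms described in the thread (standard Windows
# policy names supplied for this example, not quoted from the posts).
KNOWN = {"NoRun": "Run command removed", "NoViewOnDrive": "drives blocked in Explorer",
         "DisableCMD": "command prompt disabled",
         "DisableRegistryTools": "registry editing disabled"}

def _lit(buf, pos, ch):
    # Consume one UTF-16LE delimiter character or fail loudly.
    if buf[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _wstr(buf, pos):
    # Read a NUL-terminated UTF-16LE string followed by ';'.
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end >= len(buf):
            raise ValueError("unterminated string")
        end += 2
    return buf[pos:end].decode("utf-16-le"), _lit(buf, end + 2, ";")

def _dword(buf, pos):
    # Read a little-endian DWORD followed by ';'.
    return struct.unpack_from("<I", buf, pos)[0], _lit(buf, pos + 4, ";")

def parse_pol(buf):
    # After the 8-byte header the file is a run of [key;value;type;size;data] records.
    if buf[:4] != b"PReg" or struct.unpack_from("<I", buf, 4)[0] != 1:
        raise ValueError("not a version 1 Registry.pol file")
    pos, out = 8, []
    while pos < len(buf):
        key, pos = _wstr(buf, _lit(buf, pos, "["))
        name, pos = _wstr(buf, pos)
        rtype, pos = _dword(buf, pos)
        size, pos = _dword(buf, pos)
        out.append((key, name, rtype, buf[pos:pos + size]))
        pos = _lit(buf, pos + size, "]")
    return out

def restrictions(buf):
    # Keep known REG_DWORD (type 4) values that are switched on (non-zero).
    return [(name, int.from_bytes(data, "little"), KNOWN[name])
            for _, name, rtype, data in parse_pol(buf)
            if name in KNOWN and rtype == 4 and int.from_bytes(data, "little")]

def _rec(key, name, value):
    # Build one REG_DWORD record for the constructed sample.
    w = lambda s: s.encode("utf-16-le")
    return (w(f"[{key}\0;{name}\0;") + struct.pack("<I", 4) + w(";")
            + struct.pack("<I", 4) + w(";") + struct.pack("<I", value) + w("]"))

# Constructed sample, not taken from the poster's machine.
POL = r"Software\Microsoft\Windows\CurrentVersion\Policies"
SAMPLE = b"PReg" + struct.pack("<I", 1) + b"".join([
    _rec(POL + r"\Explorer", "NoRun", 1), _rec(POL + r"\Explorer", "NoViewOnDrive", 4),
    _rec(r"Software\Policies\Microsoft\Windows\System", "DisableCMD", 1),
    _rec(POL + r"\System", "DisableRegistryTools", 0)])
```

Calling `restrictions()` on the bytes of a real `User\Registry.pol`, read from an account or boot environment that can still open the folder, gives the same kind of list for that machine.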

