Re: I really screwed up group policy this time...!

From: colinrei (colinrei_at_discussions.microsoft.com)
Date: 09/25/05


Date: Sun, 25 Sep 2005 12:13:03 -0700

good news! using a slight modification on your suggestion worked!

I made a shortcut on the desktop to gpedit.msc, and then I could run it from my
admin account and revise the policy to be less restrictive.
thanks a lot!!

-- 
~colin
"Vincent Lape" wrote:
> OK, let's try going around another way.
> 
> create a shortcut, from desktop right click, shortcut. make path 
> c:\windows\system32\cmd.exe see if you can get a Command Prompt from there.
> I know on some of my systems even after I removed access to run I could get 
> this to work.
> 
> Vincent Lape
> "colinrei" <colinrei@discussions.microsoft.com> wrote in message 
> news:A87ABA66-6BDA-4445-802D-83F48FEDB73C@microsoft.com...
> > Thanks guys for the suggestions. Here's where I'm at:
> > I did disable simple file sharing but,
> >
> > 1. no access to Run window. it's disabled
> > 2. in Windows explorer I only see My Documents folder, can't access C: drive
> > 3. in Safe Mode I still can't access command prompt... "disabled by admin..."
> >
> > I'll try making a startup script for another user as Vincent suggested,
> > but my hopes are dwindling...  any final ideas before fdisk?
> > thanks,
> > -- 
> > ~colin
> >
> >
> > "Vincent Lape" wrote:
> >
> >> try this
> >> start > Run
> >> secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
> >>
> >> run it from the admin account. or you can edit the profile of the user
> >> account and have it run a startup script, if you want to try a startup
> >> script do this:
> >>
> >> from admin account create a new text doc, insert the following:
> >> secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
> >> secedit /refreshpolicy machine_policy /enforce
> >> secedit /refreshpolicy user_policy /enforce
> >>
> >> save it as reset.bat in the root of C:
> >> in the user profile  control panel > admin tools > computer mgmt > local
> >> users and groups > right click user - properties > profile tab > logon script
> >> enter c:\reset.bat
> >>
> >> logout and login again, if u get an error under the account saying permission
> >> denied just run the reset.bat as admin. This will take the security policies
> >> back to default.
> >> HTH
> >>
> >> Vincent Lape
> >> "Nepatsfan" <nepatsfan@SBXXXIX.com> wrote in message
> >> news:m_CdnUhyJuICkKveRVn-oQ@comcast.com...
> >> > colinrei wrote:
> >> >> I was trying to lock down the system for my kids use,
> >> >> and ended up locking it down so tight I can't do anything
> >> >> now...
> >> >> can't shutdown, can't access Run, can't execute any registry
> >> >> modifications, etc.
> >> >> I disabled just about everything I could in gpedit.msc, I
> >> >> didn't think it would
> >> >> also affect the admin account!!
> >> >>
> >> >> How can I turn the policies off, at least for myself (admin)
> >> >> so that I can install software, and use the machine? Or am I
> >> >> doomed to do a full reformat/reinstall?
> >> >>
> >> >> I tried the registry script from kellys-korner "Lift
> >> >> MMC/GPEDIT Snap-In Restrictions".  but since registry
> >> >> modifications are disabled I can't run it...
> >> >> help?
> >> >> --
> >> >> ~colin
> >> >
> >> > Have you opened Windows Explorer, navigated to C:\Windows\System32 and
> >> > tried to run gpedit.msc from there?
> >> >
> >> > How about starting in Safe Mode with Command Prompt and entering
> >> > gpedit.msc in the command prompt window?
> >> >
> >> > Odds are you probably disabled your ability to do the following
> >> > but I'll pass it along anyway:
> >> >
> >> > If you've turned off Simple File Sharing already then you can
> >> > skip these steps:
> >> > Disable Simple File Sharing.
> >> > Go to Start -> Control Panel and double click Folder Options.
> >> > Note: If you disabled access to Control Panel, you can try
> >> > accessing Folder Options through Windows Explorer's Tools menu.
> >> > Hopefully, you didn't block that route.
> >> > In Folder Options, click on the View tab.
> >> > Scroll down to the bottom and remove the check mark from the
> >> > box marked "Use simple file sharing (Recommended)".
> >> >
> >> > With Simple File Sharing disabled you need to change
> >> > permissions on a folder.
> >> > Run Windows Explorer.
> >> > Navigate to this location:
> >> > C:\Windows\System32\GroupPolicy
> >> > Right click on the folder and select Properties from the drop
> >> > down menu.
> >> > Click on the Security tab.
> >> > Click on the Administrators group to highlight it.
> >> > In the Permissions box, change the Read setting, and only the
> >> > Read setting, to Deny.
> >> > Click OK.
> >> > You'll have to log off and log back on with your account for
> >> > the changes to take place.
> >> >
> >> > Once you've logged back on, see if the policies you put in
> >> > place are still being applied to your account. Post back with
> >> > the results.
> >> >
> >> > Note: Once you've applied the Deny Read permission for the Administrators
> >> > group you've got a new issue to deal with. You can't run gpedit.msc. If
> >> > you remove the Deny permissions from the Group Policy folder to restore
> >> > the ability to run the Group Policy editor you may find some of the
> >> > policies put into place immediately putting you right back where you
> >> > started. If that's the case, then you may have no alternative but to
> >> > reinstall Windows.
> >> >
> >> > Good luck
> >> >
> >> > Nepatsfan
> >> >
> >> >
> >> >
> >> >
> >>
> >>
> >> 
> 
> 
> 

