Re: I really screwed up group policy this time...!

From: Vincent Lape (vlape_at_news.postalias)
Date: 09/25/05


Date: Sun, 25 Sep 2005 15:20:13 -0400

congrats!!
"colinrei" <colinrei@discussions.microsoft.com> wrote in message
news:17025102-F8AF-4A82-AFDC-50E68BC1E8AE@microsoft.com...
> good news! using a slight modification on your suggestion worked!
>
> I made a shortcut on the desktop to gpedit.msc, and then I could run it
> from my admin account and revise the policy to be less restrictive.
> thanks a lot!!
> --
> ~colin
>
>
> "Vincent Lape" wrote:
>
>> OK, let's try going around another way.
>>
>> create a shortcut, from desktop right click, shortcut. make path
>> c:\windows\system32\cmd.exe see if you can get a Command Prompt from
>> there.
>> I know on some of my systems even after I removed access to run I could
>> get this to work.
>>
>> Vincent Lape
>> "colinrei" <colinrei@discussions.microsoft.com> wrote in message
>> news:A87ABA66-6BDA-4445-802D-83F48FEDB73C@microsoft.com...
>> > Thanks guys for the suggestions. Here's where I'm at:
>> > I did disable simple file sharing but,
>> >
>> > 1. no access to Run window. it's disabled
>> > 2. in Windows explorer I only see My Documents folder, can't access C: drive
>> > 3. in Safe Mode I still can't access command prompt... "disabled by admin..."
>> >
>> > I'll try making a startup script for another user as Vincent suggested,
>> > but my hopes are dwindling... any final ideas before fdisk?
>> > thanks,
>> > --
>> > ~colin
>> >
>> >
>> > "Vincent Lape" wrote:
>> >
>> >> try this
>> >> start > Run
>> >> secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
>> >>
>> >> run it from the admin account. or you can edit the profile of the user
>> >> account and have it run a startup script, if you want to try a startup
>> >> script do this:
>> >>
>> >> from admin account create a new text doc, insert the following:
>> >> secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
>> >> secedit /refreshpolicy machine_policy /enforce
>> >> secedit /refreshpolicy user_policy /enforce
>> >>
>> >> save it as reset.bat in the root of C:
>> >> in the user profile control panel > admin tools > computer mgmt >
>> >> local users and groups > right click user - properties > profile tab >
>> >> logon script
>> >> enter c:\reset.bat
>> >>
>> >> logout and login again, if u get an error under the account saying
>> >> permission denied just run the reset.bat as admin. This will take the
>> >> security policies back to default.
>> >> HTH
>> >>
>> >> Vincent Lape
>> >> "Nepatsfan" <nepatsfan@SBXXXIX.com> wrote in message
>> >> news:m_CdnUhyJuICkKveRVn-oQ@comcast.com...
>> >> > colinrei wrote:
>> >> >> I was trying to lock down the system for my kids use,
>> >> >> and ended up locking it down so tight I can't do anything
>> >> >> now...
>> >> >> can't shutdown, can't access Run, can't execute any registry
>> >> >> modifications, etc.
>> >> >> I disabled just about everything I could in gpedit.msc, I
>> >> >> didn't think it would
>> >> >> also affect the admin account!!
>> >> >>
>> >> >> How can I turn the policies off, at least for myself (admin)
>> >> >> so that I can install software, and use the machine? Or am I
>> >> >> doomed to do a full reformat/reinstall?
>> >> >>
>> >> >> I tried the registry script from kellys-korner "Lift
>> >> >> MMC/GPEDIT Snap-In Restrictions". but since registry
>> >> >> modifications are disabled I can't run it...
>> >> >> help?
>> >> >> --
>> >> >> ~colin
>> >> >
>> >> > Have you opened Windows Explorer, navigated to C:\Windows\System32
>> >> > and tried to run gpedit.msc from there?
>> >> >
>> >> > How about starting in Safe Mode with Command Prompt and entering
>> >> > gpedit.msc in the command prompt window?
>> >> >
>> >> > Odds are you probably disabled your ability to do the following
>> >> > but I'll pass it along anyway:
>> >> >
>> >> > If you've turned off Simple File Sharing already then you can
>> >> > skip these steps:
>> >> > Disable Simple File Sharing.
>> >> > Go to Start -> Control Panel and double click Folder Options.
>> >> > Note: If you disabled access to Control Panel, you can try
>> >> > accessing Folder Options through Windows Explorer's Tools menu.
>> >> > Hopefully, you didn't block that route.
>> >> > In Folder Options, click on the View tab.
>> >> > Scroll down to the bottom and remove the check mark from the
>> >> > box marked "Use simple file sharing (Recommended)".
>> >> >
>> >> > With Simple File Sharing disabled you need to change
>> >> > permissions on a folder.
>> >> > Run Windows Explorer.
>> >> > Navigate to this location:
>> >> > C:\Windows\System32\GroupPolicy
>> >> > Right click on the folder and select Properties from the drop
>> >> > down menu.
>> >> > Click on the Security tab.
>> >> > Click on the Administrators group to highlight it.
>> >> > In the Permissions box, change the Read setting, and only the
>> >> > Read setting, to Deny.
>> >> > Click OK.
>> >> > You'll have to log off and log back on with your account for
>> >> > the changes to take place.
>> >> >
>> >> > Once you've logged back on, see if the policies you put in
>> >> > place are still being applied to your account. Post back with
>> >> > the results.
>> >> >
>> >> > Note: Once you've applied the Deny Read permission for the
>> >> > Administrators group you've got a new issue to deal with. You can't
>> >> > run gpedit.msc. If you remove the Deny permissions from the Group
>> >> > Policy folder to restore the ability to run the Group Policy editor
>> >> > you may find some of the policies put into place immediately putting
>> >> > you right back where you started. If that's the case, then you may
>> >> > have no alternative but to reinstall Windows.
>> >> >
>> >> > Good luck
>> >> >
>> >> > Nepatsfan
>> >> >
>> >> >
>> >> >
>> >> >
>> >>
>> >>
>> >>
>>
>>
>>
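
The symptoms reported in this thread (Run disabled, command prompt "disabled by admin", registry edits blocked, C: not visible in Explorer, no shutdown) correspond to per-user policy values in the registry. The PowerShell below is an added example, not part of any post in the thread: it only reads those values for the logged-on user, so an administrator can see which restrictions are in force before editing or resetting policy. The symptom-to-value mapping is an assumption about which settings were enabled (the thread does not list them), and it assumes a Windows system with PowerShell available.

```powershell
# Added example (not from the thread): read-only audit of per-user
# restriction values. Nothing here writes to the registry.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$polSys   = 'HKCU:\Software\Policies\Microsoft\Windows\System'
$polMmc   = 'HKCU:\Software\Policies\Microsoft\MMC'

# Assumed mapping: symptom described in the thread -> policy value.
$checks = @(
    @{ Symptom = 'Run dialog removed';            Path = $explorer; Name = 'NoRun' }
    @{ Symptom = 'Shut Down removed';             Path = $explorer; Name = 'NoClose' }
    @{ Symptom = 'Drives hidden in Explorer';     Path = $explorer; Name = 'NoDrives' }
    @{ Symptom = 'Drive access blocked';          Path = $explorer; Name = 'NoViewOnDrive' }
    @{ Symptom = 'Control Panel blocked';         Path = $explorer; Name = 'NoControlPanel' }
    @{ Symptom = 'Folder Options removed';        Path = $explorer; Name = 'NoFolderOptions' }
    @{ Symptom = 'Registry editing disabled';     Path = $system;   Name = 'DisableRegistryTools' }
    @{ Symptom = 'Command prompt disabled';       Path = $polSys;   Name = 'DisableCMD' }
    @{ Symptom = 'MMC snap-ins restricted';       Path = $polMmc;   Name = 'RestrictToPermittedSnapins' }
)

function Get-RestrictionReport {
    param([Parameter(Mandatory)] [object[]] $Checks)

    foreach ($c in $Checks) {
        $data = $null
        # A missing key or value means the policy is simply not configured.
        if (Test-Path -LiteralPath $c.Path) {
            $item = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $data = $item.($c.Name) }
        }
        [pscustomobject]@{
            Symptom = $c.Symptom
            Value   = '{0}\{1}' -f $c.Path, $c.Name
            Data    = if ($null -eq $data) { '(not set)' } else { $data }
            # Any non-zero data counts as enforced (NoDrives and
            # NoViewOnDrive are drive-letter bitmasks, DisableCMD may be 1 or 2).
            Active  = ($null -ne $data -and $data -ne 0)
        }
    }
}

Get-RestrictionReport -Checks $checks |
    Sort-Object Active -Descending |
    Format-Table Symptom, Data, Active, Value -AutoSize
```

Run it in the affected account's session: HKCU is per-user, so the output describes only the account that is logged on.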


