Sign in with
Sign up | Sign in
Your question

Group Policy Locked Out

Last response: in Windows XP
Share
Anonymous
July 13, 2005 5:49:07 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hello:

Somehow, while trying to modify a group policy on a workstation, I set the
policy to also lock out the administrator. One of the policies enforced was
to restrict running explorer. Since I can no longer run Explorer, I can no
longer access C:\windows\system32\group policy folder. Is there any way
around this or am I going to have to reinstall?

More about : group policy locked

Anonymous
July 13, 2005 10:30:36 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Group Policies on a stand alone computer apply to all users.

1) Use System Restore to restore back to a point before you made the change.

2) If you haven't locked out Regedit, go to

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Delete the value in the right pane that references Explorer.exe.

3) In Regedit, go to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Locate the DisallowRun value in the right pane and change it to 0 (zero)

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"Rob Power" <Rob Power@discussions.microsoft.com> wrote in message news:2CDAEFD3-A5B7-494C-A909-4F99A2B2CBC3@microsoft.com...
> Hello:
>
> Somehow, while trying to modify a group policy on a workstation, I set the
> policy to also lock out the administrator. One of the policies enforced was
> to restrict running explorer. Since I can no longer run Explorer, I can no
> longer access C:\windows\system32\group policy folder. Is there any way
> around this or am I going to have to reinstall?
Anonymous
July 22, 2005 1:25:01 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Doug:

Thanks for the help and sorry about the slow response. (The customer is some
distance away and I can't get there on a regular basis. Anywaym, what you
suggested did not work. The guy that set up the machine disabled the system
restore (I don't know why). When I tried to edit the registry, the keys you
referenced do not exist. Could it be because the computer also connects to a
domain? If so, do you know of a way to just delete the entire policy from the
machine so I can get back into it?

Regards,

Rob

"Doug Knox MS-MVP" wrote:

> Group Policies on a stand alone computer apply to all users.
>
> 1) Use System Restore to restore back to a point before you made the change.
>
> 2) If you haven't locked out Regedit, go to
>
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
>
> Delete the value in the right pane that references Explorer.exe.
>
> 3) In Regedit, go to:
>
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
>
> Locate the DisallowRun value in the right pane and change it to 0 (zero)
>
> --
> Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
> Win 95/98/Me/XP Tweaks and Fixes
> http://www.dougknox.com
> --------------------------------
> Per user Group Policy Restrictions for XP Home and XP Pro
> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
> --------------------------------
> Please reply only to the newsgroup so all may benefit.
> Unsolicited e-mail is not answered.
>
> "Rob Power" <Rob Power@discussions.microsoft.com> wrote in message news:2CDAEFD3-A5B7-494C-A909-4F99A2B2CBC3@microsoft.com...
> > Hello:
> >
> > Somehow, while trying to modify a group policy on a workstation, I set the
> > policy to also lock out the administrator. One of the policies enforced was
> > to restrict running explorer. Since I can no longer run Explorer, I can no
> > longer access C:\windows\system32\group policy folder. Is there any way
> > around this or am I going to have to reinstall?
>
Related resources
Anonymous
July 25, 2005 4:06:01 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Can anyone help with this? I'm out of ideas. I can get into the registry, but
i'm afraid to just shash and burn and would appreciated some guidance as to
which registry keys I can safely delete to disable group policies on this
computer.

Thanks,

Rob Power

"Rob Power" wrote:

> Doug:
>
> Thanks for the help and sorry about the slow response. (The customer is some
> distance away and I can't get there on a regular basis. Anywaym, what you
> suggested did not work. The guy that set up the machine disabled the system
> restore (I don't know why). When I tried to edit the registry, the keys you
> referenced do not exist. Could it be because the computer also connects to a
> domain? If so, do you know of a way to just delete the entire policy from the
> machine so I can get back into it?
>
> Regards,
>
> Rob
>
> "Doug Knox MS-MVP" wrote:
>
> > Group Policies on a stand alone computer apply to all users.
> >
> > 1) Use System Restore to restore back to a point before you made the change.
> >
> > 2) If you haven't locked out Regedit, go to
> >
> > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
> >
> > Delete the value in the right pane that references Explorer.exe.
> >
> > 3) In Regedit, go to:
> >
> > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
> >
> > Locate the DisallowRun value in the right pane and change it to 0 (zero)
> >
> > --
> > Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
> > Win 95/98/Me/XP Tweaks and Fixes
> > http://www.dougknox.com
> > --------------------------------
> > Per user Group Policy Restrictions for XP Home and XP Pro
> > http://www.dougknox.com/xp/utils/xp_securityconsole.htm
> > --------------------------------
> > Please reply only to the newsgroup so all may benefit.
> > Unsolicited e-mail is not answered.
> >
> > "Rob Power" <Rob Power@discussions.microsoft.com> wrote in message news:2CDAEFD3-A5B7-494C-A909-4F99A2B2CBC3@microsoft.com...
> > > Hello:
> > >
> > > Somehow, while trying to modify a group policy on a workstation, I set the
> > > policy to also lock out the administrator. One of the policies enforced was
> > > to restrict running explorer. Since I can no longer run Explorer, I can no
> > > longer access C:\windows\system32\group policy folder. Is there any way
> > > around this or am I going to have to reinstall?
> >
Anonymous
July 25, 2005 11:38:17 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hi Rob,

Sorry, I've been out of town. If the system in question is on a LAN, you can always log on to another computer, with an Administrator level account that has access to the file system of the affected machine. If necessary, use the hidden Administrative Shares (\\machinename\C$) to access the C: drive. You should then be able to access the group policy folder.

Another alternative is Bart's PE. This utility creates a bootable "mini" XP, that will allow to run Explorer and access the file system, to do whatever you need there.

I don't know what effect putting local policies in place would have, if there are domain policies already in place. My thought would be that the domain policy would override local policy, but this may not be true in all cases.
--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"Rob Power" <RobPower@discussions.microsoft.com> wrote in message news:66074666-9CD4-492F-8D99-0C5494E0A275@microsoft.com...
> Doug:
>
> Thanks for the help and sorry about the slow response. (The customer is some
> distance away and I can't get there on a regular basis. Anywaym, what you
> suggested did not work. The guy that set up the machine disabled the system
> restore (I don't know why). When I tried to edit the registry, the keys you
> referenced do not exist. Could it be because the computer also connects to a
> domain? If so, do you know of a way to just delete the entire policy from the
> machine so I can get back into it?
>
> Regards,
>
> Rob
>
> "Doug Knox MS-MVP" wrote:
>
>> Group Policies on a stand alone computer apply to all users.
>>
>> 1) Use System Restore to restore back to a point before you made the change.
>>
>> 2) If you haven't locked out Regedit, go to
>>
>> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
>>
>> Delete the value in the right pane that references Explorer.exe.
>>
>> 3) In Regedit, go to:
>>
>> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
>>
>> Locate the DisallowRun value in the right pane and change it to 0 (zero)
>>
>> --
>> Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
>> Win 95/98/Me/XP Tweaks and Fixes
>> http://www.dougknox.com
>> --------------------------------
>> Per user Group Policy Restrictions for XP Home and XP Pro
>> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
>> --------------------------------
>> Please reply only to the newsgroup so all may benefit.
>> Unsolicited e-mail is not answered.
>>
>> "Rob Power" <Rob Power@discussions.microsoft.com> wrote in message news:2CDAEFD3-A5B7-494C-A909-4F99A2B2CBC3@microsoft.com...
>> > Hello:
>> >
>> > Somehow, while trying to modify a group policy on a workstation, I set the
>> > policy to also lock out the administrator. One of the policies enforced was
>> > to restrict running explorer. Since I can no longer run Explorer, I can no
>> > longer access C:\windows\system32\group policy folder. Is there any way
>> > around this or am I going to have to reinstall?
>>
Anonymous
July 25, 2005 11:38:44 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Sorry, forgot the link to Bart's PE

http://www.nu2.nu/pebuilder/

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"Rob Power" <RobPower@discussions.microsoft.com> wrote in message news:66074666-9CD4-492F-8D99-0C5494E0A275@microsoft.com...
> Doug:
>
> Thanks for the help and sorry about the slow response. (The customer is some
> distance away and I can't get there on a regular basis. Anywaym, what you
> suggested did not work. The guy that set up the machine disabled the system
> restore (I don't know why). When I tried to edit the registry, the keys you
> referenced do not exist. Could it be because the computer also connects to a
> domain? If so, do you know of a way to just delete the entire policy from the
> machine so I can get back into it?
>
> Regards,
>
> Rob
>
> "Doug Knox MS-MVP" wrote:
>
>> Group Policies on a stand alone computer apply to all users.
>>
>> 1) Use System Restore to restore back to a point before you made the change.
>>
>> 2) If you haven't locked out Regedit, go to
>>
>> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
>>
>> Delete the value in the right pane that references Explorer.exe.
>>
>> 3) In Regedit, go to:
>>
>> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
>>
>> Locate the DisallowRun value in the right pane and change it to 0 (zero)
>>
>> --
>> Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
>> Win 95/98/Me/XP Tweaks and Fixes
>> http://www.dougknox.com
>> --------------------------------
>> Per user Group Policy Restrictions for XP Home and XP Pro
>> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
>> --------------------------------
>> Please reply only to the newsgroup so all may benefit.
>> Unsolicited e-mail is not answered.
>>
>> "Rob Power" <Rob Power@discussions.microsoft.com> wrote in message news:2CDAEFD3-A5B7-494C-A909-4F99A2B2CBC3@microsoft.com...
>> > Hello:
>> >
>> > Somehow, while trying to modify a group policy on a workstation, I set the
>> > policy to also lock out the administrator. One of the policies enforced was
>> > to restrict running explorer. Since I can no longer run Explorer, I can no
>> > longer access C:\windows\system32\group policy folder. Is there any way
>> > around this or am I going to have to reinstall?
>>
!