
Locked out of Group Policy Snap-In

Anonymous
July 12, 2004 4:47:17 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

One of my technicians edited the default domain policy
instead of one of the user policies and from what I
gather, set the domain GPO to restrict access to only
explicitly allowed MMC snap-ins. This wouldn't be so bad
except the group policy snap-in was not explicitly
allowed. Even if I log in on the DC as myself (enterprise
admin), I even enabled the administrator account and
couldn't do it there either. This has locked everyone out
of everything that uses MMC (even device manager!)

How can I get around this?


July 12, 2004 5:12:50 PM


I'm not sure if it works like NTFS permissions, but can
you take ownership of the OU or domain and re-establish
the permissions?

Ken


Anonymous
July 12, 2004 5:20:42 PM


I don't think you understand what I'm saying. In group
policy you can allow or disallow MMC Snap-ins. He changed
the default domain policy to where I can't even ADD the
snap in to an MMC console. My personal MMC that already
had it included (along with ADU/C's and other useful
snapins)

The problem is I can't get IN to the group policy snap-in
to change group policy to allow me into the snap in.


Anonymous
July 12, 2004 8:42:37 PM


If you can still edit the registry (even remotely), you can delete the
following key to remove the policy restrictions for the MMC snap-ins. Then
you should be able to open the group policy snap-in to correct the policy.

HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC

If remotely then it would be HKEY_Users\<SID of the user>\Software\Policies\Microsoft\MMC

--
Gary Mudgett, MCSE, MCSA
Windows 2000/2003 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
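
The registry fix described in the reply above, as an added example that is not part of the original post: it lists what the MMC policy key contains, exports it, and only then deletes it. It assumes a machine with PowerShell and reg.exe, run locally on the affected system; the `-UserSid` parameter and the backup path are hypothetical names chosen for this sketch.

```powershell
# Added example (not from the thread): inspect, back up, then remove the MMC policy key.
param(
    # SID of the affected user, for the HKEY_Users\<SID> form; empty = current user.
    [string]$UserSid = '',
    # Hypothetical backup path; change as needed.
    [string]$BackupFile = "$env:TEMP\mmc-policy-backup.reg"
)

$subPath = 'Software\Policies\Microsoft\MMC'
if ($UserSid) {
    $regExeKey = "HKU\$UserSid\$subPath"
    $psKey     = "Registry::HKEY_USERS\$UserSid\$subPath"
} else {
    $regExeKey = "HKCU\$subPath"
    $psKey     = "Registry::HKEY_CURRENT_USER\$subPath"
}

if (-not (Test-Path -LiteralPath $psKey)) {
    Write-Output "No MMC policy key at $psKey; nothing to remove."
    return
}

# List every value the policy wrote, including per-snap-in subkeys.
$keys = @(Get-Item -LiteralPath $psKey) + @(Get-ChildItem -LiteralPath $psKey -Recurse)
foreach ($key in $keys) {
    foreach ($name in $key.GetValueNames()) {
        '{0} : {1} = {2}' -f $key.Name, $name, $key.GetValue($name)
    }
}

# Export the key first so the deletion can be reversed with "reg import".
& reg.exe export $regExeKey $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Export of $regExeKey failed; key left in place."
}

# Remove the key and everything under it.
Remove-Item -LiteralPath $psKey -Recurse -Force
Write-Output "Removed $psKey (backup: $BackupFile)"
```

Group Policy can write the key back when policy is processed again, so correct the GPO itself right after regaining access to the snap-in.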


Anonymous
July 12, 2004 8:42:38 PM


Thank you but I was able to only get into
users/computers, sites and domains so I went in and put
my user account in a new OU and blocked policy
inheritance. But had that not worked or had he not
explicitly allowed those 2 snap ins I would have had to
use your registry key.


December 22, 2009 8:48:20 PM

I had a similar problem on a domain controller which was causing a major headache. Then I found this reference to GPMC scripts meaning I didn't need to run the MMC:

http://wmug.co.uk/blogs/1972/archive/2006/05/01/39.aspx

Use the backup ALL GPOs first and then run the delete script from the command line. You can then import the script again without linking it to an OU and make it safe. If you have any problems, feel free to email me.

Hope this helps!

Daniel
mtechnical IT Support
daniel@mtechnical.co.uk