SoftwareTipsandTricks Forum


Admin account restricted access after GPO on local machine...


  #1  
05-05-2005, 06:31 PM
daydreamn
Admin account restricted access after GPO on local machine...

Cleaned spyware off XP Pro SP2 finally then decided to set policy to restrict users of local machine from getting to places they could get downloaded again or let them install. Unfortunately, when signed in as a user with admin access, the policy was somehow applied to the admin rights as well and now, even though signed in as admin, pretty much everything is restricted. When logged in as administrator with correct password, can't copy anything, can't see or change policies, no networking, very little access to anything, and other accounts the same way. Also, same restrictions in Safe mode. This can't be an original problem, but I definitely cannot find any info on how (if) it can be corrected or restored.

Anyone? Any fix without reinstall? Need much of the configuration and info on that system...very important personal and business information.

Still nothing working. Anyone else have any ideas?

Tried new user account and new admin, but all admin privs are not available. Cannot move any files on hard drive. Cannot access properties of ANY object in MMC in standard mode; advanced is blue-screened. Cannot start RPC in services (or any services for that matter) because get error message that there is a software restriction policy preventing. Am signed on with administrator account and password but still none of the above functionality enabled, nor is it on any other user account.

HELP????



System:

P4/512MB memory
Win XP Pro SP2
HP CD Writer
Integrated Graphics
AdAware
Spybot
Symantec AV

Last edited by daydreamn : 05-10-2005 at 11:28 AM. Reason: Not Resolved Yet...More information for gurus. Need answer if anyone knows...?

  #2  
05-06-2005, 03:43 AM
animesh

What about making a new admin a/c and trying with that? Or have you added restrictions for all new users also?

You can get into the Windows XP admin a/c by pressing Ctrl+Alt+Delete twice at the welcome screen...

  #3  
05-06-2005, 09:51 AM
daydreamn

Quote:
Originally Posted by animesh
What about making a new admin a/c and trying with that? Or have you added restrictions for all new users also?

You can get into the Windows XP admin a/c by pressing Ctrl+Alt+Delete twice at the welcome screen...

Thanks for the response. Yeah, you know, I tried that. I can make a new a/c logged in as admin, and assign it admin priv., but that new a/c has same restrictions. Stands to reason I guess. Guess since part of admin grp, assumes the same restricted policy. Is there any way to del. a pol from command line in safe mode, etc. and start all over?

Increasingly frustrating.

Thanks,

KEB

  #4  
05-10-2005, 12:36 PM
daydreamn

Anyone? Any fix without reinstall? Need much of the configuration and info on that system...very important personal and business information.

Still nothing working. Anyone else have any ideas?

Tried new user account and new admin, but all admin privs are not available. Cannot move any files on hard drive. Cannot access properties of ANY object in MMC in standard mode; advanced is blue-screened. Cannot start RPC in services (or any services for that matter) because get error message that there is a software restriction policy preventing. Am signed on with administrator account and password but still none of the above functionality enabled, nor is it on any other user account.

HELP????



System:

P4/512MB memory
Win XP Pro SP2
HP CD Writer
Integrated Graphics
AdAware
Spybot
Symantec AV



  #5  
05-10-2005, 08:17 PM
chillin

Don't sweat it. You just need to change how you applied the GPO.

You probably made the changes to the Default Domain Policy; what you need to do is create a new OU (organizational unit) and then move all the users to that folder and create a GPO (perhaps called Restricted_Users) for that OU and add the restriction settings to that GPO. Make sure you don't put the Administrator in that OU and you'll be all set.

If you were making changes to the Workstation portion of the GPOs then you'll need to move the workstations from the "Computers" OU to the new OU (or a sub OU of it) for those to take effect.

Now you'll need to go back and remove all the settings you added to the Default Domain Policy (or do this first) and you will be all set when you log in as Domain Admin (or local Admin). If you are ambitious you can import and export the GPOs, but you'll need to add the XP SP2 features to your GPO configuration, which I presume you already did, and then use the Group Policy Management MMC plug-in from the workstation. Open the appropriate forest and domain and then go to the "Group Policy Objects" folder and "Backup" then "Restore" the GPO settings to the right OU.
Here's a good article on the topic: http://emea.windowsitpro.com/Windows...588/43588.html


By the way, if you do reinstall Windows on the workstation you'll be very frustrated when you rejoin the domain and the same GPOs are still in effect ... not to mention the fact that this same problem will appear on all workstations in the domain.

Hope this helps.

Last edited by chillin : 05-10-2005 at 08:22 PM.

  #6  
05-11-2005, 05:11 PM
daydreamn
I'll definitely try this...

I suspected it had to do with OUs as I had seen that mentioned in my searches. Now, the question is, how do I do all this withOUT GPMC? I'm not at the affected machine until later this evening so haven't tried it yet, but I KNOW I don't have internet access rights (because can't start RPC) and it is highly likely I won't have ability to install anything (can't copy files/folders, etc.) so may not be able to even burn a cd on another machine and install to the affected one.

Thanks for your help. Hopefully on a path to recovery here...only 11 steps more

dd'n


  #7  
05-12-2005, 10:46 AM
daydreamn
Cannot install GPMC - sw restriction policy in place prevents it.

As I suspected, I cannot install the GPMC msi because of software restriction policies applied, even logged on as admin. How would I go about this without the console (i.e. from the command line)? Or how can I totally reset it altogether back to defaults so I can get admin privs back?

dd'n

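The posts above report a software restriction policy (SRP) blocking actions even under administrator accounts. The following added example, which is not from any poster in this thread, parses a `reg export` of the SRP policy key and flags a default-deny policy whose scope includes local administrators; the sample export, the function names and the fallback defaults are assumptions of this example.

```python
import re

# Constructed sample of a `reg export` of the SRP policy key (not data from the thread).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00000000
"PolicyScope"=dword:00000000
"TransparentEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{00000000-0000-0000-0000-000000000001}]
"ItemData"="C:\\Program Files"
'''

SRP_KEY = r"hkey_local_machine\software\policies\microsoft\windows\safer\codeidentifiers"
LEVELS = {0x00000: "Disallowed", 0x40000: "Unrestricted"}
SCOPES = {0: "all users", 1: "all users except local administrators"}

def parse_reg(text):
    """Parse .reg export text into {lowercased key path: {value name: int | str}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            name, raw = m.groups()
            if raw.startswith("dword:"):
                current[name] = int(raw[6:], 16)
            elif raw.startswith('"'):
                current[name] = raw[1:-1].replace("\\\\", "\\")
    return keys

def audit_srp(text):
    """Summarise the SRP settings and flag a default-deny policy that covers administrators."""
    keys = parse_reg(text)
    root = keys.get(SRP_KEY)
    if root is None:
        return {"configured": False, "admins_restricted": False}
    # Assumption: absent values fall back to what a newly created policy uses.
    level = root.get("DefaultLevel", 0x40000)
    scope = root.get("PolicyScope", 0)
    enforced = root.get("TransparentEnabled", 1) != 0
    prefix = SRP_KEY + "\\262144\\paths\\"   # path rules at the Unrestricted level
    return {
        "configured": True,
        "default_level": LEVELS.get(level, hex(level)),
        "scope": SCOPES.get(scope, str(scope)),
        "admins_restricted": enforced and level == 0 and scope == 0,
        "unrestricted_paths": [v["ItemData"] for k, v in keys.items()
                               if k.startswith(prefix) and "ItemData" in v],
    }
```

Registry export files are normally UTF-16, so open them with `encoding="utf-16"` before passing the text to `audit_srp`.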

  #8  
05-16-2005, 12:27 AM
chillin

Daydream,

Did you make the changes where I first thought (in the domain policy) or did you open the local security policy editor to make the changes?

  #9  
05-16-2005, 11:34 AM
daydreamn

chillin...thanks again for responding.

Well, basically, after I got rid of spyware/adware, everything was working fine.

I logged in as an alternate login with full admin rights (so as NOT to interfere with the Admin login, go figure).

I started MMC\Local Computer Policy\Computer Config\Windows Settings\Security Settings….

and basically set many of the settings for system objects, network security and access, devices etc. so that I thought only admin privs would have access to them. I'm sure I may have also played with User Rights Assignment and Software settings too, but really can't remember all I tweaked. It was my intention to set everyone without admin access (my family's user accounts) to not be able to download, run scripts, ActiveX or COM objects, etc. so that I could always control that. At that point, everything, even my root Admin account (which I had password protected and can still access both in normal and safe mode) stopped giving access to copying, moving, installing, editing GPOs, no network access, system restore, etc.

So, now I'm screwed because I can't change anything back. Basically, I want to default back to admin full rights; de facto setting I would presume, for Admin users when a fresh install happens, but want to keep registry intact and programs installed, data files working on, network mappings, etc. For the life of me, I can't find anyone who can answer how to do this.

ty,

dd'n


  #10  
05-19-2005, 10:37 AM
daydreamn

Because I made these changes as a member of the admin group in the local group policy, does that make it permanent or is there a way out?

dd'n

  #11  
05-31-2005, 01:04 PM
daydreamn
So, is this just a stumper or what? Still not resolved.

This one must really have stumped folks. I can't find a single person, even experts, that know how to overcome this. Any help still appreciated. Still not resolved.

dd'n



  #12  
04-17-2008, 01:07 PM
Lokz
Live cd

Get a linux distribution live cd, load from cd, then unmount your hdd and copy original SAM/user privilege files/etc. Should work.