Disabled mmc using default domain policy

  • Thread starter Thread starter Fran King
  • Start date Start date
F

Fran King

I've disabled the use of mmc and run facility using the
default domain policy - not thinking it would apply to the
Administrators group - which obviously it does.

I can't access 'active directory users and computers' to
change the policy back.

Any ideas how to solve this without re-building the server?

Could I boot into safe mode and do something there?

Is there a way of creating a new administrators account
that is not subject to this policy?

Any help much appreciated

Fran
 
As you have now learned, It's not a good idea to edit the
default domain policy! I always setup an OU below the root
and work from there, leaving an administ96587 account in
the root.

Any new user you create will be placed under the tree and
thus refused access to the mmc snap-in. If you need to
save that tree, you can probably install a Windows 2000
domain controller on a new machine, then access the other
tree through there, and of course on the new server you
would have access to the MMC. Just a thought. Send me an
email and let me know how it turns out.
 
The easiest solution to this is to use "gpedit.msc gpcomputer:
xxx.xxx.xxx.xxx" where XXX is the IP address or full domain name
(dc1.mydomain.com) from another computer on the network (doesn't even have
to be in the domain as long as you have an account on it with a matching
username/password, i.e, change the password of the Administrator account on
the PC you're working from or use the username/password of another user with
admin priveleges)

I managed to lock myself out of MMC yesterday and used that to correct the
problem.

Let me know how it works for you!
 
Back
Top