Locked out of Group Policy Snap-In


Derik

One of my technicians edited the default domain policy
instead of one of the user policies and from what I
gather, set the domain GPO to restrict access to only
explicitly allowed MMC snap-ins. This wouldn't be so bad
except the group policy snap-in was not explicitly
allowed. Even if I log in on the DC as myself (enterprise
admin), I even enabled the administrator account and
couldn't do it there either. This has locked everyone out
of everything that uses MMC (even device manager!)

How can I get around this?
 
I'm not sure if it works like NTFS permissions, but can
you take ownership of the OU or domain and re-establish
the permissions?

Ken
 
I don't think you understand what I'm saying. In group
policy you can allow or disallow MMC Snap-ins. He changed
the default domain policy to where I can't even ADD the
snap-in to an MMC console. My personal MMC that already
had it included (along with ADU/C's and other useful
snap-ins)

The problem is I can't get IN to the group policy snap-in
to change group policy to allow me into the snap in.
 
If you can still edit the registry (even remotely), you can delete the
following key to remove the policy restrictions for the MMC snap-ins. Then
you should be able to open the group policy snap-in to correct the policy.

HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC

If remotely then it would be HKEY_Users\<SID of the
user>\Software\Policies\Microsoft\MMC

--
Gary Mudgett, MCSE, MCSA
Windows 2000/2003 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
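
The registry step described above, as an added PowerShell example that is not code from any poster in this thread: it reports what the MMC policy key contains, exports a backup, and deletes the key only when asked. The parameter names `-Sid`, `-BackupDir` and `-Remove` are hypothetical, and the script assumes it runs on the machine where the affected user's hive is loaded, with rights to edit it.

```powershell
# Added example: inspect, back up, then remove the MMC snap-in policy key.
param(
    [string]$Sid,                    # hypothetical: SID of the affected user; omit for the current user
    [string]$BackupDir = $env:TEMP,  # hypothetical: where the .reg backup is written
    [switch]$Remove                  # hypothetical: delete the key after a successful backup
)

$sub = 'Software\Policies\Microsoft\MMC'
if ($Sid) {
    $regPath    = "Registry::HKEY_USERS\$Sid\$sub"   # another user's loaded hive
    $exportPath = "HKU\$Sid\$sub"
} else {
    $regPath    = "Registry::HKEY_CURRENT_USER\$sub"
    $exportPath = "HKCU\$sub"
}

if (-not (Test-Path -LiteralPath $regPath)) {
    Write-Output "No MMC policy key at $regPath; nothing to do."
    return
}

# Top-level switches written by the MMC policy settings.
$top = Get-ItemProperty -LiteralPath $regPath
Write-Output "RestrictToPermittedSnapins = $($top.RestrictToPermittedSnapins)"
Write-Output "RestrictAuthorMode         = $($top.RestrictAuthorMode)"

# One subkey per snap-in CLSID; Restrict_Run 1 = blocked, 0 = explicitly permitted.
Get-ChildItem -LiteralPath $regPath | ForEach-Object {
    [pscustomobject]@{
        SnapInClsid  = $_.PSChildName
        Restrict_Run = (Get-ItemProperty -LiteralPath $_.PSPath).Restrict_Run
    }
} | Format-Table -AutoSize

# Export the key first so the previous state can be restored with 'reg import'.
$backup = Join-Path $BackupDir ("mmc-policy-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
& reg.exe export $exportPath $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup of $exportPath failed; key left in place." }
Write-Output "Backup written to $backup"

if ($Remove) {
    Remove-Item -LiteralPath $regPath -Recurse -Force
    Write-Output "Removed $regPath"
} else {
    Write-Output "Report only; re-run with -Remove to delete the key."
}
```

Group Policy refresh writes the key back for as long as the GPO still carries the setting, so correct the policy itself once the snap-in opens.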
 
Thank you but I was able to only get into
users/computers, sites and domains so I went in and put
my user account in a new OU and blocked policy
inheritance. But had that not worked or had he not
explicitly allowed those 2 snap ins I would have had to
use your registry key.
 