Please Help! Windows 2000 GPO Local Mess

[Guest]

I have recently taken on a client whom said they have small problems. I have
come to find out, by connfession, the mistake made was in the Group Policy
editor the default local computer policy has been set to "Restrict users to
the explicitly permitted list of snap-ins" and no snap-ins have been defined,
hence locking all snap-ins including gpedit.msc. Sytem manager and active
directory and adsiedit have also been locked. I am wondering if anyone knows
a way to reset all gpo's to the default other than with an in-place upgrade
or reinstall. I cannot use the method to do this through the registry editor
since I am locked out of this console as well. Inside the sysvol I have found
only a limited number of settings I can reset dealing with password wolicy
and kerberos, but nothing from the administrative templates.

I have realized this company not only has a misconfiguration on the dc but
the domain name is also not anything near proper (ie. "company1.company2").
There is also another server possibly a previous one running as a dc in its
own domain ("company2.salescenter"). It has users in active directory and I
have all access to its consoles. could I possibly push local policy from this
second dc to the first one even though they are in different domains? Or am i
stuck with a reload and disaster recovery after calling microsoft for too
much money?

Any help will be much apriciated

 

[Andrew Mitchell]

I have recently taken on a client whom said they have small problems. I
have come to find out, by connfession, the mistake made was in the Group
Policy editor the default local computer policy has been set to
"Restrict users to the explicitly permitted list of snap-ins" and no
snap-ins have been defined,

What do you mean by 'default local computer policy'? Is this a local policy
or an AD group policy?
If it's only a local policy just add another computer to the domain and
connect to the affected workstation from there and change it back.

hence locking all snap-ins including
gpedit.msc. Sytem manager and active directory and adsiedit have also
been locked. I am wondering if anyone knows a way to reset all gpo's to
the default other than with an in-place upgrade or reinstall. I cannot
use the method to do this through the registry editor since I am locked
out of this console as well. Inside the sysvol I have found only a
limited number of settings I can reset dealing with password wolicy and
kerberos, but nothing from the administrative templates.

I have realized this company not only has a misconfiguration on the dc
but the domain name is also not anything near proper (ie.
"company1.company2"). There is also another server possibly a previous
one running as a dc in its own domain ("company2.salescenter"). It has
users in active directory and I have all access to its consoles. could I
possibly push local policy from this second dc to the first one even
though they are in different domains? Or am i stuck with a reload and
disaster recovery after calling microsoft for too much money?

Any help will be much apriciated

If it's an AD group policy problem try RecreateDefPol.exe
http://www.microsoft.com/downloads/details.aspx?FamilyID=b5b685ae-b7dd-
4bb5-ab2a-976d6873129d&DisplayLang=en

or

http://tinyurl.com/3yyr3

"Overview
RecreateDefPol.exe is a tool developed for the restoration of the Default
Domain and Default Domain Controllers policy files, in case of accidental
deletion. This tool is for use exclusively on Windows 2000 Server, Advanced
Server, and DataCenter Server. Do not use this tool on Windows Server 2003;
use Dcgpofix.exe instead (included in Windows Server 2003).

This tool is intended for use only in disaster recovery situations, where
either the Default Domain Policy, the Default Domain Controllers Policy, or
both have been damaged or deleted, and no other backup is available. This
should be considered a tool of last resort. "

 

[Guest]

Thank you Andy, I have aquired a copy of RecreateDefPol.exe and have just
about completed the setup of my test domain. Thank you for your reply.
Frank

 

[Guest]

Well I tried RecreateDefPol.exe and I can't seem to figure out how it works.
In a test network I set up a windows 2000 advanced server w/ AD. Start, run,
gpedit.msc, under administrative templates I disabled the help link from the
start menu. Then I ran RecreateDefPol.exe from the root directory of the
windows 2000 AS installation. I was prompted with an alert informing me that
I can only run this on Windows 200 machines and I will have to log off and
back on as theadministrator I want to make the EFS Recovery Agent. Finnally I
was given the last alert informing me the procedure was complete and I have
to log of and back on. I logged off and back on as the Administrator
(Built-in). Nothing happened, no prompts, no wizards, no windows... I went to
the support database by microsoft to find some procedure on using
RecreateDefPol.exe but I found nothing. On the page I downloaded the
application from I found no Instructions on using the software. And I found
no mention of the EFS Recovery Agent in the support database...
thanks Frank

 

[Guest]

By local computer policy I mean local computer policy. start, run, gpedit.msc.
From what I have found elsewhere on the net I find that recreatedefpol is
for Domain and Domain Controller Security Policy. And I know in computer
management you can right-click connect to another compter but I cant seem to
do this with gpedit.msc to edit local computer policy of another comuter.
sorry for the double post
frank

 

[Guest]

well i tried it on a test server, this is how it went down...
1) Start > Run > "gpedit.msc"
Local Computer Policy > User Config > Admin Templates > Windows
Components > MMC
2) Restrict users to the explicitly permitted list of snap-ins = enabled
3) Close gpedit.msc
4) Log out, log in

SUPRISE NO ADMINISTRATIVE CONTROL WHATSOEVER!
_________________

5) /%systemroot%/system32/grouppolicy/user/regis1)try.pol
saved to another file name
6) /%systemroot%/system32/grouppolicy/machine/registry.pol
saved to another file name

7) Run RecreateDefPol.exe, Done
8) Log out, log in

Settings still in place
no way to get back user/registry.pol
_________________

Before this I tried this method on different setting in the group policy
editer.
Performed the same procedure except after step 8 I:
9) Start > Run > "gpedit.msc" (which WILL open since snapins is not disabled)
-=NOTE: At this point all previously configured settings in gpedit.msc are
not "not configured", just like Default.
10) Change anything and change it right back
11) Now, */User/Registry.pol and */Machine/Registry.pol are created.
12) With settings still in effect I log out, log in
Everything is happy in windows 2000 land.
_________________

Unfortunatly this is not the case in Frank land because the customer
computer continues to "possibly" have "Restrict users to the explicitly
permitted list of snap-ins" = enabled.

Thanks,
Frank
10)

 

[Andrew Mitchell]

By local computer policy I mean local computer policy. start, run,
gpedit.msc.

Ok. All you need to do is log in to another computer that is a member of the
domain, (install adminpak,msi if neccesary), run AD Users and Computers, find
the OU that contains that affected computer (which I think is the DC.....)
and apply an AD Group Policy that will over-ride the local policy.