Policy - Admin Locked Out

John H

I totally blundered. Trying to better secure a group of
trainees' accounts, I created a new policy and set the Do
Not Override option. Now, the policy is being applied to
me - the Domain Admin. I cannot access AD to fix my self-
created problem.

I searched for POL files using Windows Explorer and found
newly created entries in the sysvol structure (identified
by date stamp). I also discovered that I can open them in
MS Excel though I did not try to edit as I don't fully
understand the entries.

Question: If I rename or delete the newly created POL
entries in the sysvol file structure, will that allow me
to log off, log back on, and regain admin rights? Is that
too easy? If not, then how do I reset my permissions in
order to regain control?
 
I'm not sure at what level you created this gpo (domain, OU, etc) but you
can manually edit the contents. When you say you can't access AD to fix,
does that mean that you can't open aduc etc at all or just can't open the
policy? If you can get to aduc, do properties on whatever container you
created the policy (domain, ou, etc) and then gp tab, highlight the gpo,
then look at the properties of it for the unique name (big number). You can
then find the right policy in explorer in your
sysvol\sysvol\domainname\policies folder (just FYI - 31Bxxx is default
domain policy and 6ACxxxx is the default DC policy).
When you find the right one, go to machine/microsoft/windowsnt/secedit and
open the GptTmpl.inf file. You can edit these rights here with the articles
below. If multiple dc's, either increase the version number of it or copy
it to the other dc as well so it won't get overwritten again with
replication from other dc.
Not knowing what or where you created the policy, you'll need to look these
over and apply what best applies to your situation, but they all have good
info;

267553 How to Reset User Rights in the Default Domain Controllers Group
Policy
http://support.microsoft.com/?id=267553

243330 Well Known Security Identifiers in Windows 2000
http://support.microsoft.com/?id=243330

--
David Brandt
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
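
Added example, not part of the thread: before hand-editing a GptTmpl.inf as described in the reply above, a short Python script can list its `[Privilege Rights]` entries and flag those that would keep an administrator from logging on. The sample file contents, the `TRAINING\Trainees` group and the function names are constructed for illustration; the assumption that an admin's token carries each listed well-known group is noted in the code.

```python
# Well-known SIDs (a subset of those listed in KB 243330).
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
ADMINS = "S-1-5-32-544"

# Constructed sample. A real GptTmpl.inf is usually UTF-16, so read it with
# open(path, encoding="utf-16").read() before passing the text in.
SAMPLE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-32-545,TRAINING\\Trainees
SeDenyNetworkLogonRight =
"""

def parse_privilege_rights(text):
    """Return {right: [members]} from the [Privilege Rights] section only."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; account names are not.
            rights[name.strip()] = [m.strip().lstrip("*") for m in value.split(",") if m.strip()]
    return rights

def lockout_findings(rights):
    """Flag entries that can lock an administrator out of logging on."""
    findings = []
    for right, members in rights.items():
        if right.startswith("SeDeny"):
            # Assumption: an admin's token carries every group in WELL_KNOWN.
            findings += [(right, "deny applies to " + WELL_KNOWN[m]) for m in members if m in WELL_KNOWN]
    allow = rights.get("SeInteractiveLogonRight")
    if allow is not None and ADMINS not in allow:
        findings.append(("SeInteractiveLogonRight", "BUILTIN\\Administrators not granted"))
    return findings

if __name__ == "__main__":
    for right, reason in lockout_findings(parse_privilege_rights(SAMPLE)):
        print(f"{right}: {reason}")
```

Running the same check against the copy of the file on each DC shows whether an edit has been overwritten by replication.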
 