Ok.
I was monkeying with my XP VM trying to put myself in the same boat you were
in.
Yes, call me sick... but this is how I like to learn the OS.
I got myself pretty locked out. I blocked access to all programs at the
computer level.
I would pass credentials at the logon screen, and it would log me in then
instantly out. No shell loaded.
The firewall was enabled to boot!
Denying (the user) access to grouppolicy folder was not enough in this case.
In hindsight I probably should have denied SYSTEM to this folder.
I ended up using regedit from the safe mode command prompt to go to
HKLM\software\policies\windows\safer
I removed the permissions inheritance flag and removed the system account
from the ACL.
I whacked the codeidentifiers key and all its contents. (This is the
registry location where the software restrictions are stored for
machine-based software restrictions.)
I then rebooted the box.
I finally got logged in.
I took ownership of the grouppolicy folder then reapplied the default parms.
I then whacked the registry.pol file in the system32\grouppolicy\machine
folder.
This is the file that stores the actual software restriction policies for
the machine software restriction settings. It also stores any
administrative template settings. I had none.
I then went into the registry and reset inheritance and parms on the 'safer'
key.
I then imported a 'codeidentifiers' subkey from a clean XP system with no
software restriction settings.
System back to normal!
I spent nearly 2 hours on this!... geez, I need to get a life!
--
Glenn L
CCNA, MCSE 2000/2003 + Security
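The recovery Glenn describes, as an added batch script (not from the thread), meant to be run from an administrator command prompt in safe mode. It assumes the standard Windows 2000/XP paths and the full key name HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer (the post abbreviates it), and it backs everything up first so the policy can be restored or studied later.

```batch
@echo off
rem Added example, not code from the thread: back up and then clear the
rem machine-level Software Restriction Policy that locked the box.
rem Assumes an administrator shell (safe mode command prompt) and the
rem standard XP/2000 paths below.
setlocal
set SAFER=HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer
set POL=%SystemRoot%\system32\GroupPolicy\Machine\registry.pol
set BACKUP=%SystemDrive%\srp-backup
if not exist "%BACKUP%" mkdir "%BACKUP%"

rem 1. Keep a copy of everything before touching it, so the rules can be
rem    restored later with "reg import" or by copying the .pol file back.
if exist "%BACKUP%\safer.reg" del "%BACKUP%\safer.reg"
reg export "%SAFER%" "%BACKUP%\safer.reg"
if exist "%POL%" copy /y "%POL%" "%BACKUP%\registry.pol.bak" >nul

rem 2. Drop the machine-level SRP rules from the registry. This is the
rem    CodeIdentifiers subkey the post talks about; if SYSTEM or the
rem    administrator was denied on the Safer key, fix the ACL first.
reg delete "%SAFER%\CodeIdentifiers" /f

rem 3. Remove the cached local policy file so the same rules are not
rem    re-applied from it at the next boot/logon.
if exist "%POL%" (
    attrib -r -h "%POL%"
    del /f "%POL%"
)

rem 4. Confirm the rules are really gone: the query should now fail.
reg query "%SAFER%\CodeIdentifiers" >nul 2>&1
if errorlevel 1 (
    echo SRP rules removed. Reboot and log on normally.
) else (
    echo CodeIdentifiers still present. Check the ACL on the Safer key.
)
endlocal
```

Keep the srp-backup folder: importing safer.reg and copying registry.pol back reinstates the original lockdown if you want to reproduce it on a test VM.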
Glenn L said:
Mark's idea is a good one.
It may be easier than this though.
Since you can log into the system at all, you are running an instance
of explorer.exe.
You should be able to get to %systemroot%\system32 and deny yourself access
to the group policy folder.
If you have problems launching an explorer.exe shell, you might try to
launch it via task manager.
Another method is safe mode command prompt only.
This will bypass the application of the GPOs;
you can then get to this folder and deny your user account access.
--
Glenn L
CCNA, MCSE 2000/2003 + Security
Mark Renoden said:
Hi Paul
If you haven't locked it down too much, you may be able to do the
following:
1. Log onto another machine in the same domain.
2. Start -> Run -> MMC.
3. Add the Computer Management snap-in and choose to manage the problem
server.
4. Navigate to Services and set the startup type for Telnet to Manual.
5. Start the Telnet service.
6. At a command prompt, type
telnet <server_name>
7. You should now have command prompt access to the remote machine. Use
a command-line tool like cacls.exe to deny your user account read access to
the %systemroot%\system32\GroupPolicy folder.
HTH
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)
Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.
This posting is provided "AS IS" with no warranties, and confers no
rights.
Paul said:
I need help!!!!
I created a "local" group policy on my windows 2000 terminal server and
went a little crazy with the policy and locked myself out. I can still
login to the system but one of the policies I set was to only run
msaccess.exe.
How do I remove the group policy?
Thanks
Paul