TOTALLY LOCKED OUT OF DOMAIN. HELP!!!!!


Jerry

I was thrown into a bad situation today. I am on a 2
server domain that myself and another tech are setting up.
He was messing with group policy today and locked most
everything out domain wide. As the Domain admin I cannot
access MMC in author mode nor can I access any of the
plug-ins to undo what he has done. Is there a way short
of formatting and starting over I can delete all group
policy domain wide and start over? As a last resort I
could even dcpromo the 2 servers back to single servers
and recreate the domain, but I am not sure if even this
will work.

PLEASE HELP!!!

Jerry
 
Read article 263166, then article 294257. Basically, you
reset the registry key mentioned in article 263166 to
allow you temporary access to snap-ins, then switch to
article 294257. On the server with the PDC emulator role,
use adsiedit.msc (you may have to install Support Tools
from the 2000 CDROM) to find the GUID of the errant
Policy, and copy the GUID down on a piece of paper. Then open
a command prompt and move to the Support Tools directory
(usually c:\Program Files\Support Tools), use DSACLS as
mentioned in article 294257 section 5 to grant access to
domain admins, then open the Policy object and grant
admins full permissions on the Policy object.
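
The DSACLS step described in the reply above, written out as a batch sketch. This is an added example, not part of the original reply and not copied from article 294257; the GUID, the domain DN (`DC=example,DC=com`) and the NetBIOS name (`EXAMPLE`) are placeholders to replace with your own values.

```batch
@echo off
rem Added illustration: every value set below is a placeholder, not from the thread.

rem The GUID copied down from adsiedit.msc, braces included.
set "GPO_GUID={00000000-0000-0000-0000-000000000000}"

rem Assumed domain naming for an example.com domain.
set "DOMAIN_DN=DC=example,DC=com"
set "NETBIOS=EXAMPLE"

rem Group Policy containers are stored under CN=Policies,CN=System
rem in the domain partition, named by their GUID.
set "GPO_DN=CN=%GPO_GUID%,CN=Policies,CN=System,%DOMAIN_DN%"

rem Support Tools location given in the reply (the usual default).
cd /d "C:\Program Files\Support Tools"

rem 1. Display the current ACL on the policy object for later comparison.
dsacls "%GPO_DN%"

rem 2. Grant Domain Admins generic-all (GA) on the policy object.
dsacls "%GPO_DN%" /G "%NETBIOS%\Domain Admins:GA"

rem 3. Display the ACL again and confirm the Domain Admins entry is listed.
dsacls "%GPO_DN%"
```

Run it on the domain controller holding the PDC emulator role, as the reply specifies, and keep the output of step 1 so the change can be reviewed afterwards.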
 