W2k3 Local Policy editing problem - pls help

Hello gents,

I have a problem. I have a stand-alone W2k3 server that I need to modify local security policies on. I open up the editor and try to remove accounts from the policies I would like to modify, and it allows me to do so. I apply all my changes with no errors.

When I close the local security policy editor and open it back up, all the accounts that I had removed from certain policies have been added back in.

How do I edit the policy without the security groups getting added back into the policy list?

This server is not connected to a domain, so there is no superseding group policy.
I am making the changes from the administrator account.
When I delete the accounts from the users to see if they will then be removed from the policy, they do get removed; however, they are replaced by an S- and a bunch of numbers that follow.

Any help or insight would be greatly appreciated.

Thanks,

Mike
 
What are you using to edit the GPO?

If you do not have this machine configured as a Domain Server that runs Active Directory, it will behave as any other Windows system. Each user has its own group policy that is configured within the user's profile. This means you will need to log on as each user, giving admin rights so that you can modify the GP, configure the GP, log out, remove Admin permissions (by logging in as your admin account), and run. This is how I had to do it when tinkering in this manner.

The S-(bunch of numbers) are the security IDs for users. Each user gets a unique security ID that is used for installation, etc. This is why they say that when you remove a user's profile, you cannot get it back. The security key associated with the profile is removed and will not match when randomly created the next time.
 
On the server I log in as admin locally, and I open up the local security policy from the Administrators tab.

There is no Active Directory; it is a stand-alone, and I am trying to modify local computer settings.

So, you're saying I have to log on as each individual account that is on each policy and remove the account from the policy, then log out, change accounts and remove the next account.... This process can't just be done from the admin account?
 
What I found was that I had to create a user and give the user admin rights. This allows you to log in and run the GPO editor under that user. Remove/add the controls you wish to use on the user and log out. Remove the admin permissions and give the standard user permission. This will prevent the user from being able to run any admin programs (such as gpedit.msc) to change the GPO configuration and will give you the control you wish to obtain.
 
Sorry,

That did not work. ... I open up the policy editor ... secpol.msc ... edit the policies I want to edit... really the only ones I care about are the User Rights Assignments ... again I change them, close the policy editor, re-open the editor to make sure the changes stayed, and it is back to the way it was before I changed it.
 
Yes, my admin is part of the admin group.

When you click on the properties of the policies, you are able to add groups to which you would like to apply the policy... again, when I try to remove groups that are inside the policy ... let's just say for instance Guest is one of the groups added... I go to remove it from the policy... and do so... clicking Apply and everything...

I then close the window... I reopen the window... Guest is back inside the policy I just removed it from.
 
Which setting are you attempting to modify? I do not see the option for adding groups when I view mine. Perhaps it is a policy that is used to restrict the guest account. Have you created a test user and added that user to the properties list? Try and remove the test user.

I know that you cannot remove the guest account from the machine, only disable it and rename it. As long as your guest account is disabled, it shouldn't matter that it is there in the property of that policy setting.

http://www.microsoft.com/technet/pr...f91-87c4-4c06-8875-4b0bd3d97134.mspx?mfr=true


*Sorry it took me a minute to respond.
... start > run > 'gpedit.msc' > Local computer policy > computer configuration > windows settings > security settings > local policies > user rights assignment

Anything that's in there. I know if the account is disabled it shouldn't matter, but the people that did a security scan for system accreditation care... so being able to remove groups from the security settings that apply to each policy is kinda important... I just can't figure out why it won't let me.

And... yes, I created a test user... I was able to add the test user onto one of the policies, but now I'm not able to remove it... I delete the account and I get another security ID pop up inside the security setting for the policy. I now have 3 security IDs inside a policy which I also cannot remove.
 
Yeah, I can do it on my normal box, but I can't do it on this server... I just don't know why... I even tried deleting the GroupPolicy folder from the system32 files to see if I could just wipe it and start over... no luck.


Reinstall isn't an option.

Thanks for your time and help.
 
OK, in that case, try doing a registry search for the S-#'s you have in the box. Those are the security IDs that are associated with the users you removed from users/groups. Once the name of the group is gone, the only association the system will have is that security ID. If you reg search for the policy you are trying to apply, it should get you close. Within that I expect that you should find the location where it applies the group to that particular policy.

For example, http://msdn.microsoft.com/en-us/library/ms815238.aspx is a reference of Win 2k registry entries for GPO.
 
looking over some of the posts here, i have another thought. Are you logging out after making these changes, and then back in to the admin account?

Theoretically, the GPO should have been applied to at least the editor and you would be able to remove a user/group. However, the GPO doesn't get applied to the user until you log out/in or at least run a gpupdate to refresh the GPO policy. Maybe it isn't sticking because it hasn't been refreshed and applied.
 
I'll look into it today, but I don't think that's it; we did restart the server a few times yesterday, but none of them seemed to make the changes in policy stick... after running through the internet most of yesterday to try to find a solution... I did come across a command-line code that allows me to clear all of the group policies that have been created and restores it back to default.... so I'm going to give that a whirl when the customer comes back.

Just for your curiosity, the command is:

secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose
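The S- entries described earlier in the thread are SIDs left in the User Rights Assignments after the account behind them is gone, and the secedit command above applies the defltbase.inf template. One way to see exactly which privileges carry such stale SIDs, and how the current assignments differ from a baseline template, is to export the policy with secedit /export /cfg <file> /areas USER_RIGHTS and parse the INF's [Privilege Rights] section. The Python below is an added example, not code from the thread: the INF samples, the S-1-5-21-... SIDs and the local_accounts table are constructed, and resolving a SID to a name is stubbed by that table rather than by calling Windows (a real export is UTF-16, so open it with encoding='utf-16').

```python
# Audit a secedit export of User Rights Assignments for stale (orphaned) SIDs
# and for entries that are not in a baseline template. Added example; nothing
# here is from the thread. On the server the export is produced with:
#     secedit /export /cfg C:\rights.inf /areas USER_RIGHTS
# and the file is UTF-16: open(path, encoding="utf-16").read()
import re

# Well-known SIDs that resolve identically on every stand-alone box.
# Assumption: only this handful is listed; anything else is checked against
# the local account table, and then treated as orphaned.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "SYSTEM",
    "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-546": "Guests",
    "S-1-5-32-551": "Backup Operators",
}

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_privilege_rights(inf_text):
    """Return {privilege: [principal, ...]} from the [Privilege Rights] section.
    secedit writes SIDs with a leading '*' (e.g. *S-1-5-32-544); hand-written
    templates may use plain names instead. Both forms are accepted."""
    rights = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        principals = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
        rights[name.strip()] = principals
    return rights


def classify(principal, local_accounts):
    """Label a principal as a plain name, a well-known SID, a SID of an account
    that still exists on the box, or an orphaned SID (no account behind it).
    local_accounts is {sid: name}; on the real server it would be filled from
    LookupAccountSid, here it is a constructed stand-in."""
    if not SID_RE.match(principal):
        return ("name", principal)
    if principal in WELL_KNOWN:
        return ("well-known", WELL_KNOWN[principal])
    if principal in local_accounts:
        return ("local", local_accounts[principal])
    return ("orphaned", principal)


def audit(inf_text, local_accounts):
    """Return {privilege: [orphaned SIDs]} for privileges carrying stale entries."""
    findings = {}
    for priv, principals in parse_privilege_rights(inf_text).items():
        orphans = [p for p in principals if classify(p, local_accounts)[0] == "orphaned"]
        if orphans:
            findings[priv] = orphans
    return findings


def extra_vs_baseline(current_inf, baseline_inf):
    """Return {privilege: [principals present now but absent from the baseline]}."""
    current = parse_privilege_rights(current_inf)
    baseline = parse_privilege_rights(baseline_inf)
    extras = {}
    for priv, principals in current.items():
        allowed = set(baseline.get(priv, []))
        extra = [p for p in principals if p not in allowed]
        if extra:
            extras[priv] = extra
    return extras


# Constructed sample resembling a secedit export; the S-1-5-21-... SIDs are made up.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-1-0
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-546,*S-1-5-21-1111111111-2222222222-3333333333-1003
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-1005
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed baseline in the style of a default template.
BASELINE_INF = """[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-1-0
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-546
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
"""

# Constructed local account table: only RID 1003 still exists on the box.
LOCAL_ACCOUNTS = {"S-1-5-21-1111111111-2222222222-3333333333-1003": "testuser"}

if __name__ == "__main__":
    for priv, orphans in audit(SAMPLE_INF, LOCAL_ACCOUNTS).items():
        print("orphaned SID in", priv, "->", ", ".join(orphans))
    for priv, extra in extra_vs_baseline(SAMPLE_INF, BASELINE_INF).items():
        print("not in baseline for", priv, "->", ", ".join(extra))
```

Run against a real export, the orphaned list is what an accreditation scan would flag, and the baseline diff shows which assignments the secedit /configure run above would actually change before it is applied.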
 
hmmm....worth a shot.

you could try to disable the GPO settings and modify them. Perhaps it is because they are in use that you cannot remove them. Right click on Local Computer policy>Properties>Disable computer/user settings. gpupdate or log out/in to refresh.
 
So... I wiped the database and it deleted everything except what I needed it to delete.

Tried to disable the GPO like you suggested... which went fine... but it still didn't let me make changes that actually stayed.... It continues to allow me to add things into the policies... just not remove them once I've added them.
 
It is almost like you don't have permission to edit fully as the admin. Have you tried creating another user on the level of admin and attempting the modification that way? While this would only be a test, it could indicate whether or not the admin account is given the correct permissions.

Along that same note, you could try to take ownership of the Windows folder in your machine using the admin account. This should give you full control over the files and, subsequently, the GPO.
 
Yeah, I tried to create a test account; I still gave the test account admin privileges, but still couldn't modify it...

I agree about the privileges, but it's not something passed down from the GPO... and I'm not sure how to modify the privileges to give the ability to modify the local GPO...
 