Locked myself out of Group Policy Editor

Solution 1:

Found a workaround that exploits an obvious hole in the 'restricted applications' feature of Group Policy. By simply renaming an executable to the filename of a trusted application, you can bypass the policy.

The workaround I arrived at is below (you would expect many similar/simpler variants of this to work; they don't). Hopefully this helps someone.

  1. Rename a copy of 'cmd.exe' to something permitted e.g. 'chrome.exe'
  2. Also rename a copy of 'mmc.exe'
  3. Use the now-functioning command-line to launch the management console
  4. From the management console, add the Group Policy snap-in
  5. Fix your careless mistake

The management console won't run from explorer once it's been renamed, so the command-line step is necessary.

Solution 2:

I assume you have software restrictions in the User Configuration part of the policy. A few tips here:

1. Copy to another location: If you have a restriction based on a path location, you can copy the file that is restricted (mmc.exe?) to another drive (or rename the file) and try running it from there.

2. Cached credentials: If you have a computer or laptop that you have previously logged on to, unplug the network cable and log on with cached credentials (if allowed). When you are fully logged on (you might want to wait for a few minutes), plug in the network cable again. Now you should be able to access the network, but the policies will not yet be applied, so you can access all programs.

3. Delete registry keys: All these policy restrictions are stored in the registry. As you are an administrator you have permission to edit the registry, so you should find a way to edit it.

What you will do is go to the following registry key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Safer\CodeIdentifiers\0\paths and delete all keys under this key, leaving the key itself untouched.

If you are not able to start regedit.exe, you might be able to start the following programs:

%windir%\regedit.exe

%windir%\System32\regedt32.exe

%windir%\System32\reg.exe (command line)

%windir%\SysWOW64\regedit.exe (64-bit computer only)

%windir%\SysWOW64\regedt32.exe (64-bit computer only)

%windir%\SysWOW64\reg.exe (64-bit computer only, command line)

Otherwise try accessing the registry remotely.
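The registry step above, written out as an added example (not from the original answer): if PowerShell is still permitted, this lists the SRP path rules per security level, exports a .reg backup first, and with `-RemoveDisallowed` deletes only the rules under the Disallowed (0) level while leaving the parent keys in place. The answer writes the key without a `\Windows\` component; on systems I have seen, SRP stores it under `...\Microsoft\Windows\Safer\...`, so the script probes both, and the level-to-name mapping (0, 131072, 262144) is assumed from the SRP security-level values.

```powershell
# Added example, not part of the original answers. Audits and optionally
# removes user-level Software Restriction Policy path rules.
param([switch]$RemoveDisallowed)

# Probe the key as the answer gives it and the variant with \Windows\ (assumption).
$candidates = @(
    'HKCU:\Software\Policies\Microsoft\Safer\CodeIdentifiers',
    'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
)
$base = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $base) { Write-Host 'No user-level SRP rules found'; return }

# SRP security levels (assumed mapping): 0 Disallowed, 131072 Basic User, 262144 Unrestricted.
$levels = @{ '0' = 'Disallowed'; '131072' = 'BasicUser'; '262144' = 'Unrestricted' }

# Back up the whole Safer tree before touching anything.
$saferKey = ($base -replace '^HKCU:\\', 'HKCU\') -replace '\\CodeIdentifiers$', ''
$backup = Join-Path $env:TEMP ('safer-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg.exe export $saferKey $backup /y | Out-Null
Write-Host "Backup written to $backup"

foreach ($lvl in Get-ChildItem $base) {
    $name = $levels[$lvl.PSChildName]
    if (-not $name) { $name = "level $($lvl.PSChildName)" }
    $paths = Join-Path $lvl.PSPath 'Paths'
    if (-not (Test-Path $paths)) { continue }
    foreach ($rule in Get-ChildItem $paths) {
        $item = (Get-ItemProperty $rule.PSPath).ItemData
        # A rule that is only a file name matches any file with that name,
        # which is exactly why renaming an executable defeats it; flag such rules.
        $weak = if ($item -notmatch '[\\/]') { ' (filename-only rule)' } else { '' }
        Write-Host ('{0,-12} {1}{2}' -f $name, $item, $weak)
        if ($RemoveDisallowed -and $lvl.PSChildName -eq '0') {
            # Delete the rule subkey only; the Paths and level keys stay.
            Remove-Item $rule.PSPath -Recurse
            Write-Host "   removed rule $($rule.PSChildName)"
        }
    }
}
```

Run it once without the switch to see what the policy contains, then with `-RemoveDisallowed` once you are sure the listed rules are the ones locking you out.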


Solution 3:

That sounds like quite the catch-22. It sounds like you mucked with the Default Domain Policy by the sounds of it. If I'm not mistaken you're pretty well locked out because all users are members of the Authenticated Users group and will have the GPO applied unless you removed Authenticated Users from Security Filtering on the GPO (which doesn't sound like the case). There's no user/group combination that I can come up with that will get you back into the GPMC. As far as I can see, there's no way to get back in from the current domain if you've truly locked out your ability to run the GPMC and any other program/executable. I've never been in this scenario so there may be a way around it that I'm not aware of but here's a workaround I've come up with. It sounds a little kooky and slightly convoluted but I think it'll do the trick. Here goes:

  1. Set up a DC in a new Domain/Forest. I'll refer to this Domain/Forest as "new" and I'll refer to the existing Domain/Forest as "old" from this point forward.

  2. Create a trust between the new forest and the old forest. Since you probably can't access the DNS console in the old domain you should be able to edit the hosts file on a DC in the old domain by accessing it from a non-domain-joined workstation (provide the appropriate domain credentials when prompted). Add an entry for the new domain (the domain DNS suffix/AD DNS zone name of the new domain) pointing to the IP address of the DC/DNS server in the new domain. Save the file and reboot the old DC to preload the hosts file entry into the DNS cache. This should be a passable substitute for a conditional forwarder from the old Domain/Forest to the new Domain/Forest. Create the corresponding conditional forwarder in the new domain for the old domain. Set up the hosts file and conditional forwarder before trying to create the trust.

  3. Add the Administrator account from the new Domain/Forest to the Builtin Administrators group in the old Domain/Forest by granting the Administrator account in the old Domain/Forest the "Allow log on locally" user right in the Default Domain Controllers GPO in the new Domain/Forest. Run gpupdate /force on the new DC and then use "run as different user" or "run as" (depending on the OS) on the new DC to open ADUC as the Administrator of the old domain and home ADUC to the old domain.

  4. Run GPMC on the DC in the new forest

  5. Home GPMC to the old Domain/Forest

  6. Unlink the Default Domain Policy in the old forest

  7. Log on to a DC in the old forest and run gpupdate /force and then see if you're now able to run GPMC. If so, undo whatever you did to lock yourself out and relink the Default Domain Policy

  8. Reverse the steps from above and then break the forest trust and decommission the new Domain/Forest

Editing the GPO across the Forest trust isn't possible (as far as I know) but unlinking it should be if you follow the steps I've laid out.


Solution 4:

How about using PowerShell to remove the group policy link? Here's the command reference on TechNet: http://technet.microsoft.com/en-us/library/ee461054.aspx
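The unlink the answer suggests, as an added example (not from the original answer) using the GroupPolicy module cmdlets: it backs up the GPO, verifies the link actually exists at the target, removes the link, and refreshes policy. It assumes it runs on a DC or RSAT host as a domain admin; the GPO name, domain and distinguished name are placeholders.

```powershell
# Added example, not part of the original answer. Unlinks a GPO safely with
# the GroupPolicy module; the GPO and its settings are kept, only the link goes.
Import-Module GroupPolicy

$gpoName = 'Default Domain Policy'      # placeholder: the GPO you edited
$domain  = 'old.example.com'            # placeholder domain
$target  = 'dc=old,dc=example,dc=com'   # placeholder: DN the GPO is linked to

# 1. Keep a restorable copy before changing anything (Restore-GPO reverses it).
$backupDir = Join-Path $env:TEMP 'gpo-backup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
Backup-GPO -Name $gpoName -Domain $domain -Path $backupDir | Out-Null

# 2. Confirm the GPO really is linked at the target before unlinking.
$link = (Get-GPInheritance -Target $target -Domain $domain).GpoLinks |
        Where-Object { $_.DisplayName -eq $gpoName }
if (-not $link) { throw "$gpoName is not linked at $target" }
Write-Host ('{0} linked at {1}: enabled={2} enforced={3}' -f `
    $link.DisplayName, $target, $link.Enabled, $link.Enforced)

# 3. Remove the link. A gentler alternative that keeps the link but disables it:
#    Set-GPLink -Name $gpoName -Target $target -Domain $domain -LinkEnabled No
Remove-GPLink -Name $gpoName -Target $target -Domain $domain

# 4. Refresh policy on this host so the restriction stops applying here.
gpupdate /force

# After fixing the GPO in GPMC, relink it:
#    New-GPLink -Name $gpoName -Target $target -Domain $domain
```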