Policy editing

By karl
A client of mine has been messing about with the local policy on his member server.
He has turned off inheritance so group policies won't override local policies.
He has also locked down all the local groups, including the Administrators group and the Domain Admins group, and has set both of these groups so that they can't log on interactively.

So I can't log on as an administrator or a domain admin, but I need to be an administrator to enter the policy editor program to reset everything.

Please dig into this very deeply as I don't want the answer to come back as a re-build.

Many Thanks.

by BeerMonster In reply to Policy editing

First off, afaik you can't 'block inheritance' on a local policy - not the least reason being that it is always the first policy applied. If the setup is as you state then it sounds like the domain policy either isn't being applied at all OR that no domain policy contains log on locally settings. Remember that if the setting is configured at the local level, and no site \ domain \ ou policy has conflicting settings for those rights, the local policy will apply. Create a new ou \ policy on the domain, specifically set the logon right to allow you access, and move your server into the OU - you can choose block inheritance on the new ou to be doubly sure.

If that doesn't work, open gpedit on a domain machine and connect to the server - note you can't change security settings on the server this way. Add a startup script to the machine policy on the server that uses secedit (secedit /? at the command line for details) to apply a security template allowing you access. Either copy the template over or, if you can't access over the network, have the startup script build it by echoing line for line into a template file that you create on the fly. Reboot the machine and that should be it...
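As an added worked example of the secedit approach BeerMonster describes (this is not code from the thread), here is a machine-startup batch script that echoes a minimal security template on the fly and applies only its User Rights area. It assumes it runs as LocalSystem from a machine-policy startup script; the Domain Admins SID is a labelled placeholder that must be replaced with the real domain SID.

```batch
@echo off
rem Hypothetical machine-startup script (added example, not from the thread).
rem Builds a security template on the fly and applies only the user-rights
rem area with secedit, restoring interactive logon for Administrators.
rem Assumes: runs as LocalSystem from a machine-policy startup script, and
rem the Domain Admins SID placeholder below is replaced with the real SID.

setlocal
set "INF=%SystemRoot%\Temp\restore-logon.inf"
set "SDB=%SystemRoot%\Temp\restore-logon.sdb"
set "LOG=%SystemRoot%\Temp\restore-logon.log"

rem Write the template line by line (plain ANSI, so no [Unicode] header).
rem SIDs must be prefixed with * in the [Privilege Rights] section.
rem S-1-5-32-544 is the well-known SID of the local Administrators group.
> "%INF%" echo [Version]
>>"%INF%" echo signature="$CHICAGO$"
>>"%INF%" echo Revision=1
>>"%INF%" echo [Privilege Rights]
>>"%INF%" echo SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-DOMAIN-PLACEHOLDER-512
rem An empty value clears the "Deny log on locally" list entirely.
>>"%INF%" echo SeDenyInteractiveLogonRight =

rem Apply only the USER_RIGHTS area so other local settings are untouched.
secedit /configure /db "%SDB%" /cfg "%INF%" /areas USER_RIGHTS /log "%LOG%" /quiet
if errorlevel 1 exit /b 1

endlocal
exit /b 0
```

The change lives in the local security database, and the local GPO's own template is re-applied at the next policy refresh, so log on promptly after the reboot and correct the local policy in gpedit before that happens. Check "%LOG%" if the logon still fails.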

by reference In reply to Policy editing

I had to answer this question on a 2003 server test. The answer was to
1. boot up into safe mode with networking (group policies don't get applied when in safe mode)
2. log on as administrator
3. Create a new administrator account (you have to create a new account that won't be affected by group policy restrictions, and you cannot edit group policies while in safe mode)
4. boot back up normally, and log in as the new administrator account
5. Make the necessary changes to get your admin account logging back in

I have not tried this, nor do I know if it will work; like I said, it was a question for one of Microsoft's server exams. Hope it helps.
