Re: Policy - Admin Locked Out
From: David Brandt [MSFT] (nospam_at_microsoft.com)
Date: 02/06/04
Date: Fri, 6 Feb 2004 11:29:25 -0600
I'm not sure at what level you created this gpo (domain, OU, etc) but you
can manually edit the contents. When you say you can't access AD to fix,
does that mean that you can't open aduc etc at all or just can't open the
policy? If you can get to aduc, do properties on whatever container you
created the policy (domain, ou, etc) and then gp tab, highlight the gpo,
then look at the properties of it for the unique name (big number). You can
then find the right policy in explorer in your
sysvol\sysvol\domainname\policies folder (just FYI - 31Bxxx is default
domain policy and 6ACxxxx is the default DC policy).
When you find the right one, go to machine/microsoft/windowsnt/secedit and
open the GptTmpl.inf file. You can edit these rights here with the articles
below. If multiple dc's, either increase the version number of it or copy
it to the other dc as well so it won't get overwritten again with
replication from other dc.
Not knowing what or where you created the policy, you'll need to look these
over and apply what best applies to your situation, but they all have good
info;
267553 How to Reset User Rights in the Default Domain Controllers Group
Policy
http://support.microsoft.com/?id=267553
243330 Well Known Security Identifiers in Windows 2000
http://support.microsoft.com/?id=243330
--
David Brandt
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.

"John H" <johnh@fbcc.org> wrote in message
news:bef801c3ecc8$26aa86b0$a501280a@phx.gbl...
> I totally blundered. Trying to better secure a group of
> trainees' accounts, I created a new policy and set the Do
> Not Override option. Now, the policy is being applied to
> me - the Domain Admin. I cannot access AD to fix my
> self-created problem.
>
> I searched for POL files using Windows Explorer and found
> newly created entries in the sysvol structure (identified
> by date stamp). I also discovered that I can open them in
> MS Excel though I did not try to edit as I don't fully
> understand the entries.
>
> Question: If I rename or delete the newly created POL
> entries in the sysvol file structure, will that allow me
> to logoff, log back on, and regain admin rights? Is that
> too easy? If not, then how do I reset my permissions in
> order to regain control?
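
An added example, not part of the original post or the cited Microsoft articles: a Python sketch that reads the text of a GptTmpl.inf copy and flags [Privilege Rights] entries that can lock administrators out, before the file is edited by hand. The sample contents, the function names and the choice of rights to check are assumptions made for illustration; members listed by name instead of SID are not recognized.

```python
import re

# Well-known administrative SIDs/RIDs (see article 243330 cited in the post).
BUILTIN_ADMINS = "S-1-5-32-544"
ADMIN_RIDS = {"500": "Administrator", "512": "Domain Admins", "519": "Enterprise Admins"}
DOMAIN_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

def privilege_rights(inf_text):
    """Return {right: [members]} parsed from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; strip it for comparison.
            rights[name.strip()] = [m.strip().lstrip("*") for m in value.split(",") if m.strip()]
    return rights

def admin_name(member):
    """Map a SID to an administrative principal name, or None if it is not one."""
    sid = member.upper()
    if sid == BUILTIN_ADMINS:
        return "BUILTIN\\Administrators"
    m = DOMAIN_SID.match(sid)
    return ADMIN_RIDS.get(m.group(1)) if m else None

def lockout_findings(inf_text):
    """List (right, problem) pairs that can lock administrators out."""
    findings = []
    for right, members in privilege_rights(inf_text).items():
        admins = [a for a in map(admin_name, members) if a]
        if right.startswith("SeDeny") and admins:
            findings.append((right, "denies " + ", ".join(admins)))
        elif right == "SeInteractiveLogonRight" and not admins:
            findings.append((right, "defined without any administrative principal"))
    return findings

# Constructed sample, not taken from the thread; the domain SID is made up.
SAMPLE = """[Privilege Rights]
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeInteractiveLogonRight = *S-1-5-32-545
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
"""
if __name__ == "__main__":
    for right, problem in lockout_findings(SAMPLE):
        print(f"{right}: {problem}")
```

If the file on disk is saved as Unicode, read it with `encoding="utf-16"` before passing the text to `lockout_findings`.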