Re: Please Help! Windows 2000 GPO Local Mess
- From: Andrew Mitchell <amitchell@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 02 Aug 2005 07:17:40 -0700
"=?Utf-8?B?b2ZhbmdlZDE=?=" <ofanged1@xxxxxxxxxxxxxxxxxxxxxxxxx> said
> I have recently taken on a client who said they have small problems. I
> have come to find out, by confession, the mistake made was in the Group
> Policy editor the default local computer policy has been set to
> "Restrict users to the explicitly permitted list of snap-ins" and no
> snap-ins have been defined,
What do you mean by 'default local computer policy'? Is this a local policy
or an AD group policy?
If it's only a local policy, just add another computer to the domain and
connect to the affected workstation from there and change it back.
> hence locking all snap-ins including
> gpedit.msc. System manager and active directory and adsiedit have also
> been locked. I am wondering if anyone knows a way to reset all GPOs to
> the default other than with an in-place upgrade or reinstall. I cannot
> use the method to do this through the registry editor since I am locked
> out of this console as well. Inside the sysvol I have found only a
> limited number of settings I can reset dealing with password policy and
> kerberos, but nothing from the administrative templates.
> I have realized this company not only has a misconfiguration on the dc
> but the domain name is also not anything near proper (ie.
> "company1.company2"). There is also another server possibly a previous
> one running as a dc in its own domain ("company2.salescenter"). It has
> users in active directory and I have all access to its consoles. Could I
> possibly push local policy from this second dc to the first one even
> though they are in different domains? Or am I stuck with a reload and
> disaster recovery after calling Microsoft for too much money?
> Any help will be much appreciated
If it's an AD group policy problem, try RecreateDefPol.exe:
"RecreateDefPol.exe is a tool developed for the restoration of the Default
Domain and Default Domain Controllers policy files, in case of accidental
deletion. This tool is for use exclusively on Windows 2000 Server, Advanced
Server, and DataCenter Server. Do not use this tool on Windows Server 2003;
use Dcgpofix.exe instead (included in Windows Server 2003).
This tool is intended for use only in disaster recovery situations, where
either the Default Domain Policy, the Default Domain Controllers Policy, or
both have been damaged or deleted, and no other backup is available. This
should be considered a tool of last resort. "