Re: Domain Controller Security Policy
- From: "Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx>
- Date: Thu, 31 Aug 2006 15:58:23 +0100
Hi Herb
I have a third idea but it is difficult to explain and accomplish
and involved booting in DS Restore mode and renaming the
GPO files physically located in SysVol -- very ugly and the
results are not entirely predictable, in fact you might even
end up doing the DCGPOFix anyway if you do this.
Just for curiosity is this solution has to do with manually change the
policy and increase the GPO version?
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:%23HjNImOzGHA.4308@xxxxxxxxxxxxxxxxxxxxxxx
"Mansoor" <Mansoor@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2B6362E7-158F-4215-875F-351574679B94@xxxxxxxxxxxxxxxx
One of our administrator have accediantely implemented software
restriction
policy. due to which we are not able to access any .msc tools from start
menu, and there are several exes which we are not able to run from
shortcuts
on servers. now i have tryed to open Domain Security Policy & Domain
Controller Security Policy from C:\windows\system32 folder but i am not
able
to access. Is it there any posibility to implement defualt software
restriction policy without opening Domain Controller Security Policy
Two immediate ideas:
Software Restriction Policies are COMPUTER specific so
install AdminPak.msi (in System32 of the DC) on an XP or
non-DC server and run it from there. This will work if the
so-called 'admin' didn't link the GPO to the DOMAIN but
restricted it to the DC or other more specific OU.
Run DCGPOFix.exe -- this is not an MMC but rather a
command line program which may not be affected by the
Restriction Policy.
I have a third idea but it is difficult to explain and accomplish
and involved booting in DS Restore mode and renaming the
GPO files physically located in SysVol -- very ugly and the
results are not entirely predictable, in fact you might even
end up doing the DCGPOFix anyway if you do this.
Oh, and the so-called 'admin' did not do this "accidently" but
on purpose -- the consequences may have been unintended but
the ACT itself was purposeful because such things do not
happen accidentally (there are too many steps).
Employees who do not understand the serious nature of changes
(they do not understand) to production systems are not (yet)
qualified to BE admins.
The real question is does this admin-wanna-be have enough
potential that he is worth further training or should he be
let go....?
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
.
- Follow-Ups:
- Re: Domain Controller Security Policy
- From: Herb Martin
- Re: Domain Controller Security Policy
- References:
- Re: Domain Controller Security Policy
- From: Herb Martin
- Re: Domain Controller Security Policy
- Prev by Date: Re: Remote Manage.
- Next by Date: Re: what value to specify as "Unique X.500 Object ID" for my custom attribute
- Previous by thread: Re: Domain Controller Security Policy
- Next by thread: Re: Domain Controller Security Policy
- Index(es):
Relevant Pages
|
