Re: Domain Controller Security Policy
- From: "Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx>
- Date: Thu, 31 Aug 2006 17:13:14 +0100
ahh.. Ok.
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:OLAQkYRzGHA.4576@xxxxxxxxxxxxxxxxxxxxxxx
"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:OaLhs3QzGHA.5072@xxxxxxxxxxxxxxxxxxxxxxx
Hi Herb
I have a third idea but it is difficult to explain and accomplish
and involved booting in DS Restore mode and renaming the
GPO files physically located in SysVol -- very ugly and the
results are not entirely predictable, in fact you might even
end up doing the DCGPOFix anyway if you do this.
Just out of curiosity, does this solution have to do with manually changing the
policy and increasing the GPO version?
No, that isn't what *I* had in mind. Rather just disabling
the GPO by making its file name mismatch what is located
in AD.
Remember I said it wasn't pretty. <grin>
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:%23HjNImOzGHA.4308@xxxxxxxxxxxxxxxxxxxxxxx
"Mansoor" <Mansoor@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2B6362E7-158F-4215-875F-351574679B94@xxxxxxxxxxxxxxxx
One of our administrators has accidentally implemented a software restriction
policy, due to which we are not able to access any .msc tools from the Start
menu, and there are several exes which we are not able to run from shortcuts
on servers. Now I have tried to open Domain Security Policy & Domain
Controller Security Policy from the C:\windows\system32 folder but I am not
able to access them. Is there any possibility to implement the default software
restriction policy without opening Domain Controller Security Policy?
Two immediate ideas:
Software Restriction Policies are COMPUTER specific so
install AdminPak.msi (in System32 of the DC) on an XP or
non-DC server and run it from there. This will work if the
so-called 'admin' didn't link the GPO to the DOMAIN but
restricted it to the DC or other more specific OU.
Run DCGPOFix.exe -- this is not an MMC but rather a
command line program which may not be affected by the
Restriction Policy.
I have a third idea but it is difficult to explain and accomplish
and involved booting in DS Restore mode and renaming the
GPO files physically located in SysVol -- very ugly and the
results are not entirely predictable, in fact you might even
end up doing the DCGPOFix anyway if you do this.
Oh, and the so-called 'admin' did not do this "accidentally" but
on purpose -- the consequences may have been unintended but
the ACT itself was purposeful because such things do not
happen accidentally (there are too many steps).
Employees who do not understand the serious nature of changes
(they do not understand) to production systems are not (yet)
qualified to BE admins.
The real question is does this admin-wanna-be have enough
potential that he is worth further training or should he be
let go....?
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]