Re: Group Policy is now inhibiting the Administrator account
- From: "Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx>
- Date: Thu, 31 Aug 2006 15:29:18 -0500
Your idea to use rsop.msc did the trick. Eventually found that a policy to
have the administrator account change the name was set to Recommended. I
thought it was a good idea -- and also thought it applied just to XP boxes,
so I did it. For some reason, the Admin account properties had Recommended
listed as the logon name. Set it back to the correct name and I got in and
was able to clean up what I'd done.
I now have the idea that the Microsoft docs, tools and templates I
downloaded for security ought not to be used, that there may be a guide out
there for hardening SBS servers that I should refer to instead. Any advice?
Mike
"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:uDmC7QTzGHA.4116@xxxxxxxxxxxxxxxxxxxxxxx
By default, "Deny log on locally" is set for the security group "SBS
Remote Operators." That group also includes the group "Domain Power
Users." So the first thing to do is to look in AD and see if your
Administrator account is a member of either of those groups. If so,
remove the admin account from the security group and you should be good to
go.
Failing that, log on to the server with your own account. Click Start ->
Run and type in "rsop.msc" without the quotes. This will bring up a
"resultant set of policy" telling you all the policies that are applied to
the server. When you find the one that's keeping the administrator
account from logging in locally, it'll tell you which GPO contains the
policy so you can edit it.
For next time, you can back up your GPOs in the Group Policy Management
Console by right-clicking Group Policy Objects and choosing Back Up All.
The other thing is, I recommend never editing a built-in or SBS-created
policy. Create a new GPO for the specific purpose you're addressing, such
as "MS Office Settings Policy" or "Mike's Tighter Security Policy." That
way, if something unexpected happens, you can just turn off that policy
while you resolve it. You do this by r-clicking the OU you want the
policy to apply to and choosing "create and link a new policy here" (or
similar-named option).
"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:OpB1s5SzGHA.4092@xxxxxxxxxxxxxxxxxxxxxxx
Running SBS 2003 Premium with 2 NICs, a router, and WSUS installed and
running.
===========================================
Got some down time today so decided to go through some Microsoft products
to tighten security. I started with Windows XP Security Guide Tools and
Templates; I opened the document "Windows XP Security Guide.doc" and
started from the top. I followed most of the guidance, omitted those I
don't need/want for our LAN, but when I got about 2/3 of the way down
(I'd open the doc on the top half of the monitor and GP Management &
Editor on the bottom half so I could change things as I went), I was
trying to get to the GP Editor, but got an info window telling me that
permission was denied.
I was remoted into the server at the time, so I logged off and went down
to the server room and got on. Right away I found that I couldn't (using
the Administrator account) edit anything in GP Editor - seems I didn't
have sufficient permissions. I logged off and logged on as myself and
could edit just fine. I tried to undo everything, but Editor tells me
that the items are Not Defined, but the Management console shows the
items as defined.
I'm outta my league. Is there (I hope!) a way to re-set the GPs to the
default, out-of-the-box, settings so I can start over (and very slowly)?
--
Mike Webb
Platte River Whooping Crane Maintenance Trust, Inc.
a 501 (c)(3) conservation non-profit organization
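
Added example, not part of the original thread or of any Microsoft tool: a pre-import check that reads a security template and flags the two settings discussed above, a rename of the built-in Administrator account and a "Deny log on locally" entry that covers a group the admin belongs to. It assumes the template uses the standard security template .inf layout (`[System Access]`, `[Privilege Rights]`); the sample text, the function name and the group list passed in are constructed for illustration.

```python
import configparser

# Constructed sample in security template (.inf) layout; not copied from the
# Windows XP Security Guide. Group names are taken from the thread above.
SAMPLE_TEMPLATE = r'''
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
NewAdministratorName = "Recommended"
[Privilege Rights]
SeDenyInteractiveLogonRight = SBS Remote Operators,Domain Power Users
SeDenyNetworkLogonRight = *S-1-5-32-546
'''

# User rights whose "deny" list can block an administrator from logging on.
DENY_RIGHTS = ("SeDenyInteractiveLogonRight", "SeDenyRemoteInteractiveLogonRight")


def audit_template(text, admin_groups):
    """Return warnings for settings that could lock out the admin account.

    admin_groups: groups the admin account belongs to (hypothetical input;
    look the membership up in AD before running the check).
    """
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(text)
    warnings = []

    # Renaming the built-in Administrator changes the name it must log on with.
    if cp.has_option("System Access", "NewAdministratorName"):
        new_name = cp.get("System Access", "NewAdministratorName").strip('"')
        warnings.append(f"Administrator logon name will become '{new_name}'")

    wanted = {g.lower() for g in admin_groups}
    for right in DENY_RIGHTS:
        if not cp.has_option("Privilege Rights", right):
            continue
        members = [m.strip().strip('"') for m in cp.get("Privilege Rights", right).split(",")]
        for hit in (m for m in members if m.lower() in wanted):
            warnings.append(f"{right} denies logon to '{hit}'")
    return warnings


if __name__ == "__main__":
    for line in audit_template(SAMPLE_TEMPLATE, ["Domain Admins", "Domain Power Users"]):
        print("WARNING:", line)
```

Templates exported by the Security Templates snap-in are usually saved as Unicode, so read the file with `encoding="utf-16"` before passing its text in.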