locked
Disabling GPO Applied to Administrator's Account RRS feed

  • Question

  •  

    We have inadvertently applied a very restrictive GPO to our domain administrator's account.  The policy forbid just about everything including access to the comman prompt to run Regedit, access to the MMC, access to My Computer etc.  Now, we're stuck, unable to administer our server.  Does anyone know of a way the domain administrator can disable a GPO on the domain controller server?

     

    Thanks,

    Tuesday, January 29, 2008 9:58 PM

Answers

  • Hi,

     

    Thank you for posting here!

     

    It seems this is a general group policy configuration issue. As this forum focuses on SteadyState specific issues, this inquiry would best be posted to Windows Server public newsgroup:

     

    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.windows.server.general

     

    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the newsgroups regularly can either share their knowledge or learn from your interaction with us.  Thank you for your understanding.

     

    Based on my research, you can refer to the following information:

     

    For local policy, you can rename the registry.pol under C:\windows\system32\GroupPolicy\User, and then log off log on to test.

     

    For domain policy, you may need to start the computer to Directory Services Restore Mode, and then delete related policy from C:\WINDOWS\SYSVOL\sysvol\<domain name>\Policies

     

    Some articles for your reference:

     

    315675 How To Keep Domain Group Policies from Applying to Administrator

    http://support.microsoft.com/?id=315675

     

    325351 HOW TO: Apply Local Policies to All Users Except Administrators on Windows Server 2003 in a Workgroup Setting

    http://support.microsoft.com/?id=325351

     

    Best Regards,

    Wednesday, January 30, 2008 5:06 AM

All replies

  • Hi,

     

    Thank you for posting here!

     

    It seems this is a general group policy configuration issue. As this forum focuses on SteadyState specific issues, this inquiry would best be posted to Windows Server public newsgroup:

     

    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.windows.server.general

     

    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the newsgroups regularly can either share their knowledge or learn from your interaction with us.  Thank you for your understanding.

     

    Based on my research, you can refer to the following information:

     

    For local policy, you can rename the registry.pol under C:\windows\system32\GroupPolicy\User, and then log off log on to test.

     

    For domain policy, you may need to start the computer to Directory Services Restore Mode, and then delete related policy from C:\WINDOWS\SYSVOL\sysvol\<domain name>\Policies

     

    Some articles for your reference:

     

    315675 How To Keep Domain Group Policies from Applying to Administrator

    http://support.microsoft.com/?id=315675

     

    325351 HOW TO: Apply Local Policies to All Users Except Administrators on Windows Server 2003 in a Workgroup Setting

    http://support.microsoft.com/?id=325351

     

    Best Regards,

    Wednesday, January 30, 2008 5:06 AM
  • Shawn,

     

    Thank you very much!  Your advice solved the problem.  I was able to boot to Directory Services Restore Mode and then delete the domain policy.  I have control again over the server.  I really appreciate the tips and the articles.  Huge help!

     

    Thanks,

     

     

    Wednesday, January 30, 2008 4:16 PM