HELP HELP on Site Group Policy screwup

Question
First off,
Please save the 'don't mess around with group policy stuff if you
don't know what you are doing' speeches until AFTER I get this fixed -
then feel free to kick me when I am down.
I was walking through some steps from the new Windows Steady State
handbook (page 55) about applying a group policy template
(stssettings.adm) that will restrict users' settings. I was thinking
(incorrectly, obviously) that I could then selectively apply that
group policy to only the StudentLab computers.
Unfortunately, it applied to ALL computers - couldn't log on, etc. I
deleted the template, but couldn't find where else to 'unapply' the
policy settings. I am using Windows Small Business Server 2003 R2 in a school setting.
NOW - It has even affected the MMC Snapins for server management while
logging in as administrator on the server itself. Error popup reads
"The snap-in below, referenced in this document, has been restricted
by policy. Contact your administrator for details. Small Business
Server information Center"
Even the Start menu on the server is restricted - I don't even have a
run menu to get to a command prompt?!?!?
HELP HELP, please! - how do I restore this and remove the group policy
settings??!?!
Thanks,
Brian
Friday, September 21, 2007 4:48 PM
Answers
This happened to someone else not long ago. He contacted MS Tech support who had him delete the policies from SYSVOL on the Domain Controller. This is something I've never done before, so I can't say what the pros and cons of this type of fix are but I hope this gets you going in the right direction.
http://forums.microsoft.com/WindowsToolsandUtilities/ShowPost.aspx?PostID=2060683&SiteID=69
Saturday, September 22, 2007 3:36 PM
Hi Brian,
Based on TommySj’s feedback in the above thread, JC’s direction should be correct.
However, if the domain user accounts cannot log on to your client computers, you may need to restore the changes through the method in the following thread:
http://forums.microsoft.com/WindowsToolsandUtilities/ShowPost.aspx?PostID=1952148&SiteID=69
In addition, it is recommended to prevent administrators from applying the restriction template. You can refer to the following article:
315675 How To Keep Domain Group Policies from Applying to Administrator
http://support.microsoft.com/?id=315675
Best Regards,
Monday, September 24, 2007 9:51 AM
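
Added example, not part of the thread or of any poster's reply: a read-only PowerShell check of where a GPO is linked and which trustees are allowed to apply it, the two things that decide whether a restrictive template reaches only a lab OU or every computer and administrator. It assumes a management host with the GroupPolicy module (Windows Server 2008 R2 or later, or RSAT) and PowerShell 3 or later; the function name and the GPO name `StudentLab Restrictions` are hypothetical.

```powershell
# Added example (not from the thread): read-only scope audit for one GPO.
# Assumes the GroupPolicy module (Windows Server 2008 R2+ or RSAT), PowerShell 3+.
Import-Module GroupPolicy

function Get-GpoScopeReport {
    param([Parameter(Mandatory = $true)][string]$GpoName)

    # Every site, domain or OU link is listed as a <LinksTo> element in the XML report.
    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
    $links = @($report.GPO.LinksTo | Where-Object { $_ } | ForEach-Object {
        [pscustomobject]@{
            Path    = $_.SOMPath
            Enabled = ($_.Enabled -eq 'true')
            # No '/' in the path means the link has no OU component.
            HasOu   = ($_.SOMPath -like '*/*')
        }
    })

    # Security filtering: trustees holding the GpoApply permission.
    $appliers = @(Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name })

    [pscustomobject]@{
        Gpo       = $GpoName
        Links     = $links
        AppliesTo = $appliers
    }
}

# Hypothetical GPO name; substitute the GPO the template was loaded into.
$scope = Get-GpoScopeReport -GpoName 'StudentLab Restrictions'
$scope.Links | Format-Table Path, Enabled, HasOu -AutoSize
"Applies to: " + ($scope.AppliesTo -join ', ')

# Flag the situation from the question: restrictions reaching every machine and account.
if ($scope.Links | Where-Object { $_.Enabled -and -not $_.HasOu }) {
    Write-Warning 'Linked above OU level: settings reach beyond a single lab OU.'
}
if ($scope.AppliesTo -contains 'Authenticated Users') {
    Write-Warning 'Filtered to Authenticated Users: every account in the linked scope, administrators included, applies these settings.'
}
```

Running this before importing a restriction template into a GPO shows whether the GPO is scoped to the intended OU and group; it changes nothing in the directory.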