[gptalk] Re: I can't access the GPO Editor because of a policy.

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 11 Jul 2007 10:44:44 -0700

You could also reboot and re-logon; that would trigger a foreground refresh
right away.

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Hernán Cano
Sent: Wednesday, July 11, 2007 10:37 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: I can't access the GPO Editor because of a policy.

 

Actually I can't open it (that would require executing notepad.exe or any
other exe), but since I can access the gpt.ini file, I copied it to a USB
drive, modified it on my laptop, and then copied it back to the original PC.
Now all that's left is to wait... *starts timer*



On 7/11/07, Darren Mar-Elia <darren@xxxxxxxxxx> wrote:

Actually, now that I think about it, what you might have to also do is go
into c:\windows\system32\groupPolicy, open up the gpt.ini file and advance
the version number by 1. That will let the system know that there is a
change it needs to pay attention to; otherwise it will probably just not even
bother next time through.


Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Wednesday, July 11, 2007 10:18 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: I can't access the GPO Editor because of a policy.

 

Wow, you really screwed yourself up :). Well, what should happen anyway is
that after 90-120 minutes, policy will refresh on its own, find the
registry.pol file missing and promptly remove those settings. But you will
have to wait I think...

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Hernán Cano
Sent: Wednesday, July 11, 2007 9:58 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: I can't access the GPO Editor because of a policy.

 

I can't run the command from inside a Windows user session because the
policy states that no application outside the "allowed windows applications"
can be run, so gpupdate.exe would not run. Actually there are no allowed
Windows applications even though I added a homemade application and an MMC
console to the list.

The policies currently applied are these:

Start Menu and Taskbar
- Remove user's folders from the Start Menu
- Remove links and access to Windows Update
- Remove common program groups from Start Menu 
- Remove My Documents icon from Start Menu
- Remove Documents menu from Start Menu
- Remove programs on Settings menu
- Remove Network Connections from Start Menu
- Remove Favorites menu from Start Menu
- Remove Search menu from Start Menu
- Remove Help menu from Start Menu
- Remove Run menu from Start Menu
- Remove My Pictures icon from Start Menu
- Remove My Music icon from Start Menu
- Remove My Network Places icon from Start Menu 
- Remove Drag-and-drop context menus on the Start Menu
- Prevent changes to Taskbar and Start Menu Settings
- Remove access to the context menus for the taskbar
- Lock the Taskbar
- Remove pinned programs list from the Start Menu 
- Remove frequent programs list from the Start Menu
- Remove All Programs list from the Start menu
- Do not display any custom toolbars in the taskbar
- Remove Set Program Access and Defaults from Start menu

Desktop
~ Active Desktop
    - Disable Active Desktop
- Hide and disable all items on the desktop
- Remove Properties from the My Documents context menu
- Prevent adding, dragging, dropping and closing the Taskbar's toolbars 
- Prohibit adjusting desktop toolbars
- Don't save settings at exit
- Remove the Desktop Cleanup Wizard

Control Panel
- Prohibit access to the Control Panel.

System
- Prevent access to the command prompt 
- Run only allowed Windows applications
- Turn off Autoplay
~ Internet Communication Management
    - Restrict Internet communication.
~ Ctrl+Alt+Del options
    - Remove Task Manager

On 7/11/07, Darren Mar-Elia <darren@xxxxxxxxxx> wrote:

Well, how about just Start Menu, Run, gpupdate /force?

 

Or running a task from the Task Manager? Or creating a scheduled task that
runs gpupdate /force?

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Hernán Cano
Sent: Wednesday, July 11, 2007 8:55 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: I can't access the GPO Editor because of a policy.

 

Thanks for your reply.

Indeed, this is in the local GPO and it was implemented within the user
configuration side of the GPO. I do have access to My Computer, and was able
to rename registry.pol, but I'm having some trouble accessing a command
prompt from inside Windows because it is also disabled by a policy.

I tried from the "Safe Mode with Command Prompt" but it also uses a Windows
user session, so it also had the policies enabled.

I also tried from the Recovery Console from an installation CD but it didn't
work, since the list of available commands is limited. 

I'm currently trying to make a bootable USB device (since the computer
doesn't have a floppy disk drive) in order to execute gpupdate from there.
Hopefully that will work.

Any other ideas?

H

On 7/10/07, Darren Mar-Elia <darren@xxxxxxxxxx> wrote:

Hernan-

I'm assuming this is on the local GPO? If so, and you implemented this
within the user configuration side of the GPO, try this. Go into
c:\windows\system32\grouppolicy\user and delete or rename the file called
registry.pol. Then from a command prompt, issue a gpupdate /force and that
should clear up the problem.


Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Hernán Cano
Sent: Tuesday, July 10, 2007 10:34 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] I can't access the GPO Editor because of a policy.

 

Hi!

I enabled the "Execute applications only from accepted application list"
policy, but only added the MMC console with the snap-in for the GPO Editor,
but now I can't access it, so I can't remove that policy (or any other
policy since I can't open the editor). I'm guessing that I can't access the
console because mmc.exe isn't in the accepted application list :\

How can I disable this policy or remove the policies completely?

I tried in Safe Mode, but the policies were implemented too. :S

Thanks in advance for any info on this matter. :) 
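
The gpt.ini version bump discussed in this thread, as an added PowerShell example that is not part of the original messages: the Version value packs two 16-bit counters (user side in the high half, computer side in the low half), so the code decodes it and advances one half. The function names and the sample file are assumptions made for illustration; run it against a copy of gpt.ini, not the live file.

```powershell
# Added example. Version in gpt.ini is one 32-bit number:
# high 16 bits = user-side counter, low 16 bits = computer-side counter.
function Get-GptVersion {
    param([Parameter(Mandatory = $true)][string]$Path)
    foreach ($line in Get-Content -LiteralPath $Path) {
        # Anchored at line start so "gPCFunctionalityVersion=" is not matched.
        $m = [regex]::Match($line, '^\s*Version\s*=\s*(\d+)\s*$', 'IgnoreCase')
        if ($m.Success) {
            $raw = [int64]$m.Groups[1].Value
            return [pscustomobject]@{
                Raw     = $raw
                User    = [int]($raw -shr 16)
                Machine = [int]($raw -band 0xFFFF)
            }
        }
    }
    throw "No Version= line found in $Path"
}

function Step-GptVersion {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [ValidateSet('User', 'Machine')][string]$Side = 'User'
    )
    $v = Get-GptVersion -Path $Path
    $user = $v.User
    $machine = $v.Machine
    # Bump only the half whose settings changed; wrap at 16 bits.
    if ($Side -eq 'User') { $user = ($user + 1) -band 0xFFFF } else { $machine = ($machine + 1) -band 0xFFFF }
    $new = ([int64]$user -shl 16) -bor $machine

    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force   # keep the original
    $lines = (Get-Content -LiteralPath $Path) -replace '^(\s*Version\s*=\s*)\d+\s*$', "`${1}$new"
    Set-Content -LiteralPath $Path -Value $lines -Encoding ASCII   # sample file is plain ASCII
    return $new
}

# Constructed sample file (not taken from the thread): user = 3, computer = 5,
# so Version = 3 * 65536 + 5 = 196613.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'gpt-sample.ini'
Set-Content -LiteralPath $sample -Encoding ASCII -Value '[General]', 'gPCFunctionalityVersion=2', 'Version=196613'

Get-GptVersion -Path $sample                         # decoded counters before the change
Step-GptVersion -Path $sample -Side User | Out-Null  # advance the user half only
Get-GptVersion -Path $sample                         # decoded counters after the change
```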

 

 

 
