[gptalk] Re: Override GPO No Override?!

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 16 Aug 2006 11:15:29 -0700

Octai-
Thanks for that. That makes sense and is a common problem. So basically you
have some domain security policy that is still in effect on your workstation
and you can't override it by editing the local GPO. If you are an
administrator on the machine, then you should just be able to unjoin the
machine from the domain, logon as a local administrator and then edit the
local GPO to undo the security settings that were delivered from the domain.
Let me know if that does not work. 

Darren 

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of octai.kelly@xxxxxxxxxxxx
Sent: Wednesday, August 16, 2006 9:45 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Override GPO No Override?!

Hi Darren,
Thank you kindly for your reply. Let me start by apologising for the
confusion. I will give you some background info so that you can get a better
idea about what is going on. 
I have been using a small network for a development lab for a consulting
business that I have been running for many years. I am the only one using
the servers and PC's on the internal domain which is isolated from the
Internet. I have recently moved continents for an opportunity which looks
like it will become a permanent job, meaning that I have had to close down
my network as well as the company. 
The servers are shut-down and stored out of range from where I am using a
notebook that used to be connected to the domain. I can logon locally with
Domain Admin or Built-in local Admin accounts.
The problem is that the effective rights are overriding any attempts to give
full permissions to the folders in question. I know that this is by design,
I guess I am hoping that there is a way to disconnect this machine from the
now defunct domain without a wipe and load. I have a feeling that I am just
putting off the inevitable!
Sincerely,
Octai
> 
> From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
> Date: 2006/08/16 Wed AM 11:26:48 EST
> To: <gptalk@xxxxxxxxxxxxx>
> Subject: [gptalk] Re: Override GPO No Override?!
> 
> Well, no, you wouldn't be able to disable the enforced if you couldn't 
> access the domain, but in your original note, you didn't indicate that 
> you prevented yourself from logging on--just installing an update. If 
> you truly can't logon remotely or locally it will be tough to fix this 
> without a wipe and load.
> 
> Darren
> 
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] 
> On Behalf Of octai.kelly@xxxxxxxxxxxx
> Sent: Wednesday, August 16, 2006 5:21 AM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Override GPO No Override?!
> 
> Thanks for your reply.
> Can I turn the Enforced setting off without having access to my 
> domain? What about leaving the domain and creating / joining a new
workgroup for now.
> Will that introduce other problems?
> I'm running Win2K SP4 on my notebook and the PDC back at the office is 
> running Windows Server 2003.
> Regards,
> Octai
> > 
> > From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
> > Date: 2006/08/14 Mon AM 12:19:31 EST
> > To: <gptalk@xxxxxxxxxxxxx>
> > Subject: [gptalk] Re: Override GPO No Override?!
> > 
> > I guess I don't quite follow the scenario, but can you just turn off 
> > the Enforced setting on the Default Domain Policy and then set the 
> > Default DC Policy with the appropriate rights?
> > 
> > Darren
> > 
> > -----Original Message-----
> > From: gptalk-bounce@xxxxxxxxxxxxx 
> > [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> > On Behalf Of octai.kelly@xxxxxxxxxxxx
> > Sent: Sunday, August 13, 2006 4:00 AM
> > To: gptalk@xxxxxxxxxxxxx
> > Subject: [gptalk] Override GPO No Override?!
> > 
> > When I was setting up a development lab domain, I followed the 
> > suggested practice of tightening up security on my DC by setting the 
> > "No
> Override"
> > default domain policy option. However, now I am away from the dev 
> > lab with no way to connect to the domain, trying to install Windows 
> > Installer
> 3.1.
> > This uses an app called Update.exe which requires specific user 
> > rights such as backing up files. The effective policy is preventing 
> > me from
> proceeding.
> > I think a clean install may be the only way around this, but I don't 
> > want to attempt this on the road. Is there any way that I could get 
> > around this to install these applications?
> > Thanks in advance,
> > Octai
> > 
> > ***********************
> > You can unsubscribe from gptalk by sending email to 
> > gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field 
> > OR by logging into the freelists.org Web interface. Archives for the 
> > list are available at http://www.freelists.org/archives/gptalk/
> > ************************
> > 
> > ***********************
> > You can unsubscribe from gptalk by sending email to 
> > gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field 
> > OR by logging into the freelists.org Web interface. Archives for the 
> > list are available at http://www.freelists.org/archives/gptalk/
> > ************************
> > 
> 
> ***********************
> You can unsubscribe from gptalk by sending email to 
> gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field 
> OR by logging into the freelists.org Web interface. Archives for the 
> list are available at http://www.freelists.org/archives/gptalk/
> ************************
> 
> ***********************
> You can unsubscribe from gptalk by sending email to 
> gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field 
> OR by logging into the freelists.org Web interface. Archives for the 
> list are available at http://www.freelists.org/archives/gptalk/
> ************************
> 

***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at http://www.freelists.org/archives/gptalk/
************************

***********************
You can unsubscribe from gptalk by sending email to 
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
logging into the freelists.org Web interface. Archives for the list are 
available at http://www.freelists.org/archives/gptalk/
************************

Other related posts: