Hi,

I was building a Domain Controller for my school and created a Security GPO
that restricted access which was meant for just the Students. I thought I
removed that Authenticated Users group prior to making all my settings, but
90 minutes later I was unable to open a Management Console I already created
and was receiving an error that I did not have permissions on the server to
create users' home directories.

I had the GPO's serial number written down, so connected via a UNC from
another computer on the domain and drilled into SYSVOL > Domain Name >
Policies and removed the policy manually. When I rebooted the server I was
still unable to do anything. I ended up blowing out the box and rebuilding
it from scratch.

In the future, is there a tool or procedure for getting into AD without the
policies taking effect or something I can do from another system?

Thanks

Re: Getting around a Security GPO by Meinolf

Meinolf
Fri Mar 28 14:24:56 PDT 2008

Hello aja44,

Authenticated users are ALL domain users, including the Administrator. So
you kicked out yourself. Please describe in more detail what you want to achieve
for the user, so that we can find a solution for you. Normally no domain user
can login to a DC for example.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Hi,
>
> I was building a Domain Controller for my school and created a
> Security GPO that restricted access which was meant for just the
> Students. I thought I removed that Authenticated Users group prior to
> making all my settings, but 90 minutes later I was unable to open a
> Management Console I already created and was receiving an error that I
> did not have permissions on the server to create users' home
> directories.
>
> I had the GPO's serial number written down, so connected via a UNC
> from another computer on the domain and drilled into SYSVOL > Domain
> Name > Policies and removed the policy manually. When I rebooted the
> server I was still unable to do anything. I ended up blowing out the
> box and rebuilding it from scratch.
>
> In the future, is there a tool or procedure for getting into AD
> without the policies taking effect or something I can do from another
> system?
>
> Thanks
>
Re: Getting around a Security GPO by aja44

aja44
Fri Mar 28 14:44:00 PDT 2008

I work in a school environment. The Security Policy is a combination of
restrictions to not allow the students to destroy the systems. For example,
no right click, hiding the root drive, disabling cmd.exe and not allowing
mstsc.exe to run to name a few. When you create a GPO, the Authenticated
Users group by default has the policy filtered. I usually will remove this
group and add the Security Groups I created for the students and apply the
GPO to just them. In this case, I must not have clicked OK and the changes
never took. So as the Administrator, I was able to logon locally to the
computer but was unable to perform anything. I was asking if there was a
tool or method that will disable all GPOs, which would allow me to reboot the
server, logon and remove the policy. Or, why when I removed the GPO via the
UNC from another system and rebooted the DC it still was applying the
security settings.

"Meinolf Weber" wrote:

> Hello aja44,
>
> Authenticated users are ALL domain users, including the Administrator. So
> you kicked out yourself. Please describe in more detail what you want to achieve
> for the user, so that we can find a solution for you. Normally no domain user
> can login to a DC for example.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Re: Getting around a Security GPO by Florian

Florian
Fri Mar 28 16:56:33 PDT 2008

Howdie!

aja44 schrieb:
> I work in a school environment. The Security Policy is a combination of
> restrictions to not allow the students to destroy the systems. For example,
> no right click, hiding the root drive, disabling cmd.exe and not allowing
> mstsc.exe to run to name a few. When you create a GPO, the Authenticated
> Users group by default has the policy filtered. I usually will remove this
> group and add the Security Groups I created for the students and apply the
> GPO to just them. In this case, I must not have clicked OK and the changes
> never took. So as the Administrator, I was able to logon locally to the
> computer but was unable to perform anything. I was asking if there was a
> tool or method that will disable all GPOs, which would allow me to reboot the
> server, logon and remove the policy. Or, why when I removed the GPO via the
> UNC from another system and rebooted the DC it still was applying the
> security settings.

Why not launch GPMC from another machine and undo/correct the changes
you made?

As long as you've configured those restrictions under "Administrative
Templates", the restrictions are reflected in the client's registry. So
if you get to know the registry keys and values that are set by your
policy (you can get the keys by looking up the settings in the
corresponding ADM template files in %systemroot%\inf), you could try to
fire up regedit and change the values back to a state that lets you
administer things.

You of course need to be fast, because as soon as the policies get
reprocessed during a background refresh, the restrictions kick back in.

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Use a newsreader! http://www.frickelsoft.net/news.html

Re: Getting around a Security GPO by Don

Don
Sun Mar 30 05:41:53 PDT 2008

I have done very similar policies for several school districts. Here is
what I typically do. Always apply the policy to the student or workstation
OU. Do NOT apply it at the domain level. Then select the "deny apply"
permissions to the domain admins group.
--
Hope it helps!

dw

----------------------------------------------
Don Wilwol
www.atthedatacenter.com
"aja44" <aja44@discussions.microsoft.com> wrote in message
news:F0A01731-7666-4CA5-975D-6E550B43865A@microsoft.com...
>I work in a school environment. The Security Policy is a combination of
> restrictions to not allow the students to destroy the systems. For
> example,
> no right click, hiding the root drive, disabling cmd.exe and not allowing
> mstsc.exe to run to name a few. When you create a GPO, the Authenticated
> Users group by default has the policy filtered. I usually will remove
> this
> group and add the Security Groups I created for the students and apply the
> GPO to just them. In this case, I must not have clicked OK and the
> changes
> never took. So as the Administrator, I was able to logon locally to the
> computer but was unable to perform anything. I was asking if there was a
> tool or method that will disable all GPOs, which would allow me to reboot
> the
> server, logon and remove the policy. Or, why when I removed the GPO via
> the
> UNC from another system and rebooted the DC it still was applying the
> security settings.
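Added example, not from the thread: the GPMC-from-another-machine route Florian suggests and the scoping rules Don gives, written as a PowerShell audit over the RSAT GroupPolicy and ActiveDirectory modules. The 'Student Lockdown' GPO and 'OU=Students' names in the remediation comments are placeholders.

```powershell
# Added example (not from the thread): audit lockdown-GPO scoping from a
# second domain-joined machine with RSAT installed, run as a domain admin.
# Per GPO it reports the three things this thread turns on: whether
# Authenticated Users (every domain user, admins included) still has Apply,
# whether Domain Admins carries Deny Apply, and whether the GPO is linked at
# the domain root instead of a student/workstation OU.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName
# GPOs linked directly at the domain root apply to every user and computer.
$rootLinks = (Get-GPInheritance -Target $domainDn).GpoLinks |
             Select-Object -ExpandProperty DisplayName

$report = Get-GPO -All | ForEach-Object {
    $gpo   = $_
    $perms = Get-GPPermission -Guid $gpo.Id -All
    # Effective Apply entries: GpoApply that is not a Deny ACE.
    $apply = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
    [pscustomobject]@{
        GPO                   = $gpo.DisplayName
        LinkedAtDomainRoot    = $rootLinks -contains $gpo.DisplayName
        AppliesToAuthUsers    = [bool]($apply | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' })
        DomainAdminsDenyApply = [bool]($perms | Where-Object {
                                    $_.Trustee.Name -eq 'Domain Admins' -and $_.Denied })
        AppliesTo             = ($apply | ForEach-Object { $_.Trustee.Name }) -join ', '
    }
}
$report | Format-Table -AutoSize

# Flag the combination that locked the original poster out: a GPO that still
# applies to Authenticated Users with no Deny for Domain Admins.
$report | Where-Object { $_.AppliesToAuthUsers -and -not $_.DomainAdminsDenyApply } |
    ForEach-Object { Write-Warning "'$($_.GPO)' applies to all domain users, admins included." }

# Remediation from the same machine, without touching SYSVOL by hand (deleting
# the policy folder leaves the AD-side GPO object and its links in place).
# 'Student Lockdown' and 'OU=Students' are placeholder names.
#   Set-GPPermission -Name 'Student Lockdown' -TargetName 'Authenticated Users' `
#       -TargetType Group -PermissionLevel None          # drop the default Apply
#   Set-GPPermission -Name 'Student Lockdown' -TargetName 'Students' `
#       -TargetType Group -PermissionLevel GpoApply      # filter to the student group
#   Set-GPLink -Name 'Student Lockdown' -Target $domainDn -LinkEnabled No
#   New-GPLink -Name 'Student Lockdown' -Target ("OU=Students,$domainDn")
# Deny Apply for Domain Admins cannot be set with Set-GPPermission; set it in
# GPMC under Delegation > Advanced, as Don describes.
```

The audit is read-only; the remediation lines are commented out so they can be reviewed against the report before anything is changed.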