Local Computer Policy - Ahhh

[JimCee]

I have been playing around with the Local Computer Policy on our DC and I have somewhat buggered things up.

I can't access any of my MMC's or Snapins, basically the result of my stupidness is I am locked out of all of my servers administration tools and can't do bugger all with it.

Does anyone know a way of resetting the Policy to its default settings?

When attempting to access a snap-in I receive the following error:

"The snapin below, referenced in this document has been restricted by policy. Contact your administrator for details.
<snapin name>"

I hope you can help!

Regards,

Jim

 

[mlichstein]

If you can get to c:\windows\security\database, you can either rename/delete the secedit.sdb file or copy one from another machine with the same OS.

 

[vbrocks]

Can you run mmc from another computer and connect to yours?

 

[vbrocks]

You can also try using the Run AS menu selection to run the mmc as an Enterprise Admin....

 

[lebonique]

I have a program given to me via a MS Support call that resets the poilcy back to it's original out-of-the-box state.

I can email to you if you want?

 

[JimCee]

Hi People, I'm still having no luck with this.

mlichstein - Tried your suggestion and it had no affect.

vbrocks - Same with your suggestion, still getting the error noted above.

lebonique - Yes please, use the following e-mail address:

jimDOTcorbettATdatacentre.co.uk

please DOT with . and AT with @.

Thanks for the help thus far!

Jim

 

[mlichstein]

Did you reboot after deleting/replacing the secedit.sdb file?

 

[JimCee]

Hi mlichstein,

Yes I did a reboot after deleting the SDB file. A new SECEDIT.SDB has been created but I am still locked out.

Any suggestions?

Yours,

Jim

 

[mlichstein]

Try the steps under resolution in this article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;278316

 

[JimCee]

Hi mlichstein,

Followed those steps in the article. However when I try to add a snapin only the following are listed:

ActiveX Control
Folder
Link to web address

Jim

 

[mlichstein]

If this is a 2000 DC, you can try this:

Open a cmd prompt and do "cd \winnt\security\templates"

Then do:

secedit /configure /cfg "setup security.inf" /db ss.sdb /log ss.log /verbose

then:

secedit /configure /cfg basicdc.inf /db basicdc.sdb /log basicdc.log

Reboot

 

[JimCee]

Hi mlichstein,

Thanks for this. I tried:

secedit /configure /cfg "setup security.inf" /db ss.sdb /log ss.log /verbose

which worked, however the second line:

secedit /configure /cfg basicdc.inf /db basicdc.sdb /log basicdc.log

did not and the following error occurred:

"The data is invalid"

what do you think? do I have a corrupt template?

Jim

 

[mlichstein]

Follow this article to create the three environment variables (%SYSVOL% %DSDIT% and %DSLOG%), and then run the second secedit command again.

http://support.microsoft.com/?kbid=256000

 

[JimCee]

Hi mlichstein,

I can't believe this. I can't access the Properties of My Computer, they must be disabled by the Policy.

Is there a Config file or place in the Registry where I can add these environment variables manually?

Jim

 

[mlichstein]

You can try using the set command from the command prompt:

set SYSVOL=C:\winnt\SYSVOL
set DSDIT=C:\winnt\NTDS
set DSLOG=C:\winnt\NTDS

 

[vbrocks]

If you right click My Computer
Select properties
Click on the advanced tab
Click on the environement variables button
I think you can do it fom there

 

[mlichstein]

He doesn't have access to the properties of my computer.

 

[vbrocks]

Sorry about that......

Sometimes my mouth continues after my brain has stopped ....