PDA

View Full Version : Help!! Win2000 lock out craziness



20-02-2002, 09:29 PM
Hiya,

I went real crazy using the MMC tool putting heaps and heaps of restrictions. Now, Im really stuck with, no rightclick,no access to hard drives,unable to logon in authormode even though Im an administrator!! Im denied everywhere I go even with heaps of rights too and I need to get back into mmc to change back everything!

Im unable to get into the registry!! Please someone help!This is crazy stuff

20-02-2002, 10:55 PM
Reinstall

20-02-2002, 11:01 PM
If it's still on a network you may be able to use the remote registry editor to undo some of the damage.

20-02-2002, 11:40 PM
Hi guys,

Don't really want to do that (re-install), as its pretty crucial that I to find a way to backup of my up-todate files. I can't do neither..!!!

Unfortunately, this ain't on a network. Just a Local Machine.

21-02-2002, 12:38 AM
Stevie

Try this:

Click start>run then enter C:\winnt\system32\compmgmt.msc /a in the Open text box. This might open the console in author mode to allow you to edit it.

If this doesn't work, do a search for *.msc files and see if you recognise any file name or date that could identify your customised file.

If you see a likely possibility note the filename and path, then go back to Start>Run & the Open Text box and try entering <mmc [path & filename].msc /a>, and the /a switch should open it with author privileges and allow you to edit it.

I'm no expert but this can't make matters worse, it will either work or leave you as is.

Moral of the story is that single computers don't need MMC restrictions!

Cheers

Billy 8-{)

21-02-2002, 08:59 AM
Hi Billy,

Thanks for your input, but sorry to say that theres NO run box.

21-02-2002, 09:44 PM
Hi Stevie,

Heres a Reg file which Im sure should do the trick. I keep this handy if Im also stuck.

(1)Copy all Info in between the lines
(2)Paste in Notepad
(3)Save with a .REG file extension.


Regfile in detail:
-----------------

*1stline should allow you to take some ownership of MMC, but you have to go to Console -Options - Apply- then change to 'UserMode Full Access.'
I have noticed that if you open up an existing MMC file, you will still be denied. Of all available snap-ins you can use any except for 'Group Policy' (which doesn't exist)

*2nd line should allow you to get back into the 'Registry'

*3rd line shoudl allow you to bring back the 'Run' Prompt.

*4th line should allow you to use the Command Prompt.

*Remaining lines +1st line should give you Eternal rights of MMC.

TIP:
====
Once your logged back on in MMC, right click 'Administrative Templates folder'under 'User Configuration' and choose 'View' then choose 'Show Configured Policies Only' option.

This will then expose all active current policies residing in your system. Also to note, because of the following registry changes; Regedit,Run,CommandPrompt you will have to disable them cause MMC will still think that these policies are still currently active.

[You may need to restart your computer before these will take affect.]


------------Cut & Paste --------------------------
REGEDIT4

[HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC]
'RestrictAuthorMode'=dword:00000000
'RestrictToPermittedSnapins'=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Policies\System]
'DisableRegistryTools'=dword:0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Policies\Explorer]
'NoRun'=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Wind ows\System]
'DisableCMD'=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\ {0F6B957D-509E-11D1-A7CC-0000F87571E3}]
'Restrict_Run'=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\ {0F6B957E-509E-11D1-A7CC-0000F87571E3}]
'Restrict_Run'=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\ {45ac8c63-23e2-11d1-a696-00c04fd58bc3}]
'Restrict_Run'=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\ {5ADF5BF6-E452-11D1-945A-00C04FB984F9}]
'Restrict_Run'=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\ {88E729D6-BDC1-11D1-BD2A-00C04FB9603F}]
'Restrict_Run'=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\ {8FC0B734-A0E1-11D1-A7D3-0000F87571E3}]
'Restrict_Run'=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\ {942A8E4F-A261-11D1-A760-00C04FB9603F}]
'Restrict_Run'=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\ {BACF5C8A-A3C7-11D1-A760-00C04FB9603F}]
'Restrict_Run'=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\ {D70A2BEA-A63E-11D1-A7D4-0000F87571E3}]
'Restrict_Run'=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\ {FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
'Restrict_Run'=dword:00000000

------------Cut & Paste --------------------------

I hope that by providing you with all this, that this is yours ALONE! Not someone elses computer so that you can overide their Administration policies intentionally!!

Justin

21-02-2002, 11:22 PM
UPDATE!!!!!!!!
------

Ive noticed that the regfile doesn't like the above when copied from this site because the formula becomes out of sync and you may experience that why it didnt work. So you may have to shift values if they move to another line.

Just use this reg file I have tested below from a complete lock-out of MMC with no-problems. At this point use the MMC tool to reverse your Regedit, Run features.

-----Cut& Paste-------------
REGEDIT4

[HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC]
'RestrictAuthorMode'=dword:00000000
'RestrictToPermittedSnapins'=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\ {0F6B957D-509E-11D1-A7CC-0000F87571E3}]
'Restrict_Run'=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\ {0F6B957E-509E-11D1-A7CC-0000F87571E3}]
'Restrict_Run'=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\ {45ac8c63-23e2-11d1-a696-00c04fd58bc3}]
'Restrict_Run'=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\ {5ADF5BF6-E452-11D1-945A-00C04FB984F9}]
'Restrict_Run'=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\ {88E729D6-BDC1-11D1-BD2A-00C04FB9603F}]
'Restrict_Run'=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\ {8FC0B734-A0E1-11D1-A7D3-0000F87571E3}]
'Restrict_Run'=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\ {942A8E4F-A261-11D1-A760-00C04FB9603F}]
'Restrict_Run'=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\ {BACF5C8A-A3C7-11D1-A760-00C04FB9603F}]
'Restrict_Run'=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\ {D70A2BEA-A63E-11D1-A7D4-0000F87571E3}]
'Restrict_Run'=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\ {FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
'Restrict_Run'=dword:00000000

-----Cut& Paste-------------

I sincerely appologise for the inconvinience.

22-02-2002, 12:35 AM
and thank for your help too Billy T :-)

cHeers

22-02-2002, 10:15 AM
Justin - you the man.

Stevie - learnt a lesson?

Old trick in any NT environment: Copy the administrator user as admin. Then copy to the user you will use more, then screw with access rights. Always leave administrators with full rights to everything, you can end up making some areas untouchable.

Do this before anything else, if administrator gets corrupted or password forgotten, you have a fallback.

Glad it worked in the end.

robo.