3

I was implementing some restrictions for users to be able to access some applications only in a Windows 2012 server. I ended up restricting any kind of access to any application on the server. I am assigned as an administrator to the box but I am not able to revert the changes. I get the error "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator" when i try to open any application inside the box.

What do i do about it?

Vijay
  • 41
  • 1
  • 3
  • 1
    So you can no longer access regedit or cmd? – colbyt Sep 28 '16 at 21:48
  • What exactly were you doing? Software restriction policies, Applocker, something else? The details matter. Was this machine part of a domain? Or is this a standalone system? – Zoredache Sep 29 '16 at 00:10

2 Answers2

4

  1. Easy. Restore your test machine to starting state and try again with your GPO but with only a smaller number of well researched changes at a time.

    Oh, you are experimenting on your production network? First lesson, ALWAYS experiment and test off the production network. VMs are your friend.

  2. Almost as easy. Restore from your system state backup.

    Oh, you didn't make one. Next lesson, always make a backup.

  3. So now you need to reverse a change. Implement your rollback plan.

    Oh, you don't have one. Third lesson, plan, develop, and test your rollback plan as you test your changes.

  4. Now you're in recovery mode and hoping nobody notices. Doesn't feel good eh?

    • You need to keep the group policies you added as a reference. Disable this group policy.

    • Log onto another machine and build a group policy which explicitly allows everything you denied.

    • If there are any policies which do not have an explicit allow, the new group policy should at least set it 'undefined'.

    • Apply this group policy.

    • Any policies which did not offer an explicit 'allow' will need to be reversed manually.

This sort of experimentation belongs on a test machine on a network that is not connected to your main network. As you're developing and testing, plan and test your rollback plan as well. Once you've tested the GPO you want to apply, don't forget to back up the system state of the production server before applying the new policy. And try to roll out in stages, since such policies often have unintended consequences, and each server is different. System state backups will save your bacon, as will testing and staged rollouts.

As you have learned GPOs are very powerful, and sometimes tricky to reverse.

Jeter-work
  • 845
  • 4
  • 15
  • Hi let me try this and let you know. And I had done this on a lab/test box. It is fortunately not business critical. – Vijay Sep 29 '16 at 12:58
  • Good luck. Let your lessons learned inform your future projects. – Jeter-work Sep 29 '16 at 13:24
  • Hi I got it figured out. I was able to remote into the server from my laptop with admin access and go in and alter the settings back. – Vijay Sep 29 '16 at 21:08
  • Good. You should consider marking this answered so it no longer appears on the unanswered list. – Jeter-work Sep 29 '16 at 21:38
1

I was able to remote into the server from my laptop with admin access and go in and make the changes again to revert the original changes.

Vijay
  • 41
  • 1
  • 3