How to Undo a Windows 2000 Group Policy Lock Out

Last Update Nov 17 2003

Well, if you have accidentally locked yourself out of a Windows 2000 or Windows 2003 Server Group Policy, don’t worry, you can easily undo it! 

I have been using Windows 200x in production environments since 1998 and up until November 2003 never made the obvious mistake of going into the SECURITY TAB of a Group Policy, clicked ENTERPRISE ADMINS, FULL CONTROL, DENY… note very bright.  I should have simply clicked DENY for APPLY GROUP POLICY.  I knew I was stuck as soon as I clicked OK. 

Most of the following detail was taken from an excellent MS Newsgroup Posting so I will not take credit for it.

Use the DSACLS tool included in the Support Tools for Windows 2000 and Windows Server 2003 (which can be found on the Windows CD), to remove the Deny Access permissions from the Domain Administrators group. You must know the distinguished name (also known as DN) of the GPO to use this tool. Use the ADSIEdit.msc tool that is included in the Support Tools for  Windows 2000 and Windows Server 2003, to determine the distinguished name of the GPO in Active
Directory.

The examples below assume you want to reset the permissions for Domain Admins.  In my case I needed to correct Enterprise Admins, so I substituted the phrase Enterprise Admins for Domain Admins. Obviously, you can adjust this to fit your situation… just enter the exact name of the group you screwed over:

To reset permissions:

  1. Start ADSIEdit.msc on the PDC emulator. NOTE: To determine the PDC emulator operations masters role owner, right-click the domain name in the Active Directory Users and Computers snap-in, click Operations Masters, and then click the PDC tab.
     
  2. Under ADSIEdit, click Domain NC, and then locate the following container: container The right pane lists the global universal identification numbers (GUIDs) for all the GPOs in the domain.
     

                                               <Domain_Namecontainer\CN=System\CN=Policies

  3. Locate the policy that has been restricted, and then note the distinguished name of this object, for example:

           cn={f5e14b83-0181-437e-878c-8d16cb945d68},cn=policies,cn=system,dc=mybigdomain,dc=com

    NOTE: The restricted policy is displayed with a notepad icon; the other policies are displayed with folder icons.
     

  4. Use DSACLS to remove the Deny Access permissions that have been assigned to Domain Administrators group. Use the following syntax:

                           dsacls <distinguished_name/R “<domain_name>\domain admins”

    For example:

     dsaclscn={f5e14b83-0181-437e-878c-8d16cb945d68},cn=policies,cn=system,dc=mybigdomain,dc=com /R “mybigdomain\Domain Admins”
     

  5. Use DSACLS with the /g switch to grant access to the Domain Administrators group. Use the following syntax:

                        dsacls <distinguished_name/G “<domain_name>\domain admins”:GA
     

  6. On the PDC emulator, start Microsoft Windows Explorer, and then browse to the

                                            Winnt\Sysvol\Sysvol\<Domain_name>\Policies

    folder.  The GUID for the restricted GPO is listed in this folder.
     

  7. Right-click the GUID for the GPO, click Properties, click the Security tab, and then give the Domain Administrators group Full Control permissions.
     
  8. Check the subfolders under this GPO object to confirm that domain administrators also have rights to these folders.  After you complete this procedure, if you log on using a Domain Administrator account, you can open and edit this GPO.

For more information, please refer to the following articles:

294257 “Failed to Open the Group Policy Object”
http://support.microsoft.com/?id=294257

314203 How to Install the Windows Support Tools from a Command Prompt
http://support.microsoft.com/?id=314203

Questions or Comments?