Locked myself out of Group Policy Editor
I set 'only allow certain applications' restrictions and accidentally applied them across the board to all accounts. Now I'm restricted to only running a browser and can't run the group policy editor!
Is there a backdoor I can make use of?
Found a workaround that exploits an obvious hole in the 'restricted applications' feature of Group Policy. By simply renaming an executable to the filename of a trusted application, you can bypass the policy.
The workaround I arrived at is below (you would many similar/simpler variants of this to work; they doesn't). Hopefully this helps someone.
- Rename a copy of 'cmd.exe' to something permitted e.g. 'chrome.exe'
- Also rename a copy of 'mmc.exe'
- Use the now-functioning command-line to launch the management console
- From the management console, add the Group Policy snap-in
- Fix your careless mistake
The management console won't run from explorer once it's been renamed, so the command-line step is necessary.
I assume you have software restrictions in the User Configuration part of the policy. A few tips here:
1. Copy to another location If you have a restriction based on a path location, you can copy the file that is restricted (mmc.exe?) to another drive (or rename the file) and try running it from there.
2. Cached credentials If you have a computer or laptop where you have previously logged on to, unplug the network cable and logon with cached credentials (if allowed). When you are fully loggedon (you might want to wait for a few minutes) plug in the network cable again. Now you should be able to access the network, but the policies will not yet be applied, so you can access all programs.
3. delete registry keys All these policy restrictions are stored in the registry. As you are an administrator you have permissions to edit the registry, so you should find a way to edit it.
What you will do is go to the following registry key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Safer\CodeIdentifiers\0\paths and delete all keys under this key, leaving the key itself untouched.
If you are not able to start regedit.exe, you might be able to start the following programs:
%windir%\regedit.exe
%windir%\System32\regedt32.exe
%windir%\System32\reg.exe (commandline)
%windir%\SysWOW64\regedit.exe (64bit computer only)
%windir%\SysWOW64\regedt32.exe (64bit computeronly)
%windir%\SysWOW64\reg.exe (64bit computer only, commandline)
Otherwise try accessing the registry remotely.