Locked myself out of Group Policy Editor

windows-7 group-policy

I set 'only allow certain applications' restrictions and accidentally applied them across the board to all accounts. Now I'm restricted to only running a browser and can't run the group policy editor!

Is there a backdoor I can make use of?


Found a workaround that exploits an obvious hole in the 'restricted applications' feature of Group Policy. By simply renaming an executable to the filename of a trusted application, you can bypass the policy.

The workaround I arrived at is below (you would many similar/simpler variants of this to work; they doesn't). Hopefully this helps someone.

  1. Rename a copy of 'cmd.exe' to something permitted e.g. 'chrome.exe'
  2. Also rename a copy of 'mmc.exe'
  3. Use the now-functioning command-line to launch the management console
  4. From the management console, add the Group Policy snap-in
  5. Fix your careless mistake

The management console won't run from explorer once it's been renamed, so the command-line step is necessary.


I assume you have software restrictions in the User Configuration part of the policy. A few tips here:

1. Copy to another location If you have a restriction based on a path location, you can copy the file that is restricted (mmc.exe?) to another drive (or rename the file) and try running it from there.

2. Cached credentials If you have a computer or laptop where you have previously logged on to, unplug the network cable and logon with cached credentials (if allowed). When you are fully loggedon (you might want to wait for a few minutes) plug in the network cable again. Now you should be able to access the network, but the policies will not yet be applied, so you can access all programs.

3. delete registry keys All these policy restrictions are stored in the registry. As you are an administrator you have permissions to edit the registry, so you should find a way to edit it.

What you will do is go to the following registry key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Safer\CodeIdentifiers\0\paths and delete all keys under this key, leaving the key itself untouched.

If you are not able to start regedit.exe, you might be able to start the following programs:

%windir%\regedit.exe

%windir%\System32\regedt32.exe

%windir%\System32\reg.exe (commandline)

%windir%\SysWOW64\regedit.exe (64bit computer only) 

%windir%\SysWOW64\regedt32.exe (64bit computeronly) 

%windir%\SysWOW64\reg.exe (64bit computer only, commandline)

Otherwise try accessing the registry remotely.

Related

Connect to guest from host - Virtual Box [closed]
Strongswan (IKEv2) connection established, but no traffic routing
Active Directory Licensing [duplicate]
FreeNAS, Do I need 1GB per TB of usable storage, or 1GB of memory per TB of physical disc?
How do Windows domain clients behave if the domain controller is offline?
What can cause ALL services on a server to go down, yet still responding to ping? and how to figure out
What do you call the main component of a computer system?
Best way to add a DNS wildcard record for a domain
Can I setup an MX record for a particular user email address?
How is the /altbootbank/ partition used in ESXi?
Why is Google rejecting mails forwarded from my Postfix server?
Configuration of Server root email - Change Address and Name on outgoing email