# [SOLVED] Locked out of group policy



## cconner6156 (Feb 12, 2006)

Okay wel my friend was drunk one night and decided to lock himself out of the computer . His intentions was to lock out another account to the C: drive But he accidently locked himself out. Ive tried everything Logging in as administrator wont do it and i cant get into computer managment Because it give me an access denied. as well as the C: drive. any ideas?


----------



## Poyol (Nov 4, 2009)

*Re: Locked out of group policy*

Sounds like you're trying to bypass security here..
I'll let the mods solve this one.

Sorry!


----------



## jcgriff2 (Sep 30, 2007)

*Re: Locked out of group policy*

Boot into the recovery partition or boot with your Windows Vista DVD and perform a Windows System Restore.


----------



## cconner6156 (Feb 12, 2006)

*Re: Locked out of group policy*

I disbaled the system restore


----------



## jcgriff2 (Sep 30, 2007)

*Re: Locked out of group policy*

System Restore was the last hope here. 

The only option left is to use the Vista DVD or the recovery partition and re-install the Vista OS.

jcgriff2

.


----------



## cconner6156 (Feb 12, 2006)

*Re: Locked out of group policy*

is there any wy to get the data off?


----------



## Basementgeek (Feb 7, 2005)

*Re: Locked out of group policy*

Install the drive in another PC as a slave should do it.

BG


----------



## TheOutcaste (Mar 19, 2009)

*Re: Locked out of group policy*

Sounds like they set a Deny permission on the root of the C: drive.
This procedure can fix it if that is what was done.
I would recommend you first backup your data either using a Live CD to boot the system, or connect it to another system to copy your data off first.

*Live CDs:*
Ultimate Boot CD for Windows
BartPE CD/DVD
Ultimate Boot CD
Knoppix
Ubuntu
Puppy Linux
The first two require access to a Windows XP Disk
The Ultimate Boot CD does not include SATA drivers, so you'll need to be able to change the BIOS setting for the SATA controller to ATA instead of AHCI, or Compatibility mode instead of Enhanced (wording will vary)
Note: A Vista/Win7 DVD can also be used to recover files and make some repairs. A Vista RE disk can be downloaded from one of these links:
Vista Recovery Environment CD
64 bit Vista
32 bit Vista

Boot with the DVD
Select your language and click *Next*
Click *Repair your Computer*
After it scans for Windows installations click *Next* (Win7: Select Top option first)
Click *Command Prompt*.
You can use *Copy*, *Xcopy*, or *Robocopy* to copy files to an external drive, a different partition, or a different internal hard drive.

Once the data is safe, give this a whirl:

Is the *Administrator* account displayed on the Welcome screen?
If not, follow these steps to activate it:

Boot to Safe Mode and log in with the *Administrator* account if available.
If not, use any other Admin account.
Open a Command Prompt (Should say *Administrator* in the Title bar)
If not, open an Elevated Prompt by clicking *Start*, type *cmd*, when *cmd.exe* appears in the list, right click it and choose *Run as administrator*

type the following (there is a space between the different colors):
*Net User Administrator /active:yes*
You should see *The command completed successfully*

Reboot to Normal mode and log in with the *Administrator* account

If it's never been used before, it may take a minute as the profile is created.

Click on *Start*, type *regedit* in the Search box, press *Enter*
Navigate to this key:

```
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
```
In the right pane, find *EnableLUA*
If it's not *0* (zero), double click and change it to *0*
You may get a pop up from the tray that UAC has been turned off, you can ignore it.
Collapse the tree back to *HKEY_LOCAL_MACHINE*
Right click on *HKEY_CLASSES_ROOT*, click *Permissions...*
Highlight *CREATOR OWNER*
Check *Full Control* under *Allow*
Highlight *SYSTEM*
Check *Full Control* under *Allow*
Highlight *Administrators*
Check *Full Control* under *Allow*
Highlight *Users*
Click *Remove*
If It Shows, Highlight Your *Username*
Click *Remove*
Click *OK*

Reboot the system, then Log into the *Administrator* account
Right click *Computer*, then click *Explore*
Right click the C: drive, click *Properties*.
Click the *Security* tab
Click the *Advanced* button
Click the *Owner* tab
Click the *Edit...* button
Highlight *Administrators*
Make sure the box for *Replace owner on subcontainers and objects* is _Unchecked_
Click *OK*, *OK* the Pop-up, then *OK* on the remaining property windows to close them
Right click the C: drive, click *Properties*.
Click the *Security* tab
Click the *Edit...* button
Highlight *Administrators*, and click *Full Control* under the *Allow* column
Check all other entries, and remove any *Deny* permissions.
*Default Groups/Allow Permissions*:

```
[B]Authenticated Users [COLOR=DarkRed]Special[/COLOR][/B]
[B]System              [COLOR=DarkRed]Full Control[/COLOR][/B]
[B]Administrators      [COLOR=DarkRed]Full Control[/COLOR][/B]
[B]Users               [COLOR=DarkRed]Read & execute[/COLOR]
                    [COLOR=DarkRed]List folder contents[/COLOR]
                    [COLOR=DarkRed]Read[/COLOR][/B]
```
Click *OK*, then click *Yes* on the Popup
You will get several error Popups, click *Continue* on all of them
Click *OK* on the Properties window.

Open a Command Prompt
Type the following two lines (there is a space between the different colors):
*CD /D C:\
icacls * /C /T /reset*

This will reset the default inherited permissions, but will not remove any Deny permissions that have been set on individual items. It's normal to see Access Denied messages, and some files will fail to be processed.
This should restore the ability to take ownership to remove any deny permissions that may be set on individual files/folders.

Close the Command Prompt when it finishes.
Start Regedit
Right click on *HKEY_CLASSES_ROOT*, click *Permissions...*
Click *Add...*, type *Users*, then click the *Check Names* button
Click *OK*
Click the *Advanced* button
Highlight *Users* and click the *Edit...* button
Check the following boxes under Allow:

Query Value
Enumerate Subkeys
Notify
Read Control
If you wish to re-enable the User Account Control (the Enable LUA value we changed earlier)
*Control Panel | User Accounts*
Click *Turn user Account Control On or Off*
Check the box and Click *OK*
(This does require a Reboot)

Reboot, log into the User Account and test.

Once everything is working, we need to restore *TrustedInstaller* as the owner of C:\
Right click *Computer*, then click *Explore*
Right click the C: drive, click *Properties*.
Click the *Security* tab
Click the *Advanced* button
Click the *Owner* tab
Click the *Edit...* button
Click the *Other users or groups...* button
Type in *NT SERVICE\TrustedInstaller*
Click the *Check Names* button
Click *OK*
Highlight *TrustedInstaller*
Make sure the box for *Replace owner on subcontainers and objects* is _Unchecked_
Click *OK*, *OK* the Pop-up, then *OK* on the remaining property windows to close them

To disable the Built-in Administrator account (Good idea):
Open a Command Prompt
type the following (there is a space between the different colors):
*Net User Administrator /active:no*
You should see *The command completed successfully*


----------



## cconner6156 (Feb 12, 2006)

*Re: Locked out of group policy*

Thank you so much ! That fixed it


----------



## TheOutcaste (Mar 19, 2009)

*Re: Locked out of group policy*

Good Job!:4-clap:

And you're Welcome!

If your issue has been resolved you can mark this thread Solved by using the Thread Tools at the Top Right of this thread (above the first post) :grin:

Jerry


----------



## Basementgeek (Feb 7, 2005)

*Re: Locked out of group policy*

TheOutcaste nice job. I will mark it solved.

BG


----------



## jcgriff2 (Sep 30, 2007)

*TheOutcaste * - excellent & outstanding work. THANK YOU.


----------



## TheOutcaste (Mar 19, 2009)

Basementgeek said:


> TheOutcaste nice job. I will mark it solved.
> 
> BG





jcgriff2 said:


> *TheOutcaste * - excellent & outstanding work. THANK YOU.


Basementgeek and jcgriff2 - Thank you, it's always nice to hear, and is definitely appreciated!

Jerry


----------

