none
windows 2003 group policy

    Question

  • I am recieving error message from all network systems that " This operation has been cancelled due to restrictions in effect on this computer, please contact your system administrator". Actually the Group policy from User Configuration/Administrative Template/System "Run only the allowed Windows applications" (*.*) has been applied on to the domain. Now not a single user able to open a program all the netwrok is leterally down. Even admin previleges user cant open a program and neither can modify the group policy since active directory users and computers can not open too.
    Please help.  
    Wednesday, August 26, 2009 3:03 AM

Answers

  • Are you Administrator of the Domain? If so, try to Disable the GPO. Check the link below;

    http://www.windowsnetworking.com/img/upl/Optimizing%20Group%20Policy%20Performance%20Figure%2011117023195636.jpg

    Set All Settings Disable and then after that in DC > Start > Run > Cmd > gpupdate /force

    Reboot the client machine and test again.
    Thiago Pereira | http://thiagoinfrat.spaces.live.com | http://www.winsec.org
    • Marked as answer by Wilson Jia Thursday, August 27, 2009 1:41 AM
    Wednesday, August 26, 2009 4:00 AM
  • Howdie!

    If I remember correctly, this setting is stored in Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, "RestrictRun". If you manage to delete the key or set it to 0, you should be able to access your management tools (ADUC, GPMC) to undo the policy for all machines.

    Can you access one machine's registry either locally or remotely using regedit and delete the key? If so, you need to re-configure RestrictRun (setting it to 0 should be okay) and logoff and re-login. After that, you should be able to launch GPMC.

    Cheers,
    Florian
    Microsoft MVP - Group Policy (http://www.frickelsoft.net/blog)
    • Marked as answer by Wilson Jia Thursday, August 27, 2009 1:41 AM
    Wednesday, August 26, 2009 8:06 AM
  • Dear Thiago / Florian,

    Thanks for your prompt support, the issue has been solved after restarting the DC(amazing). Before it was not giving access to open any program even ADUC, now I can access to ADUC so I diabled the policy and everthing is back to normal.
    I have a little problem on the group policy that long back I enabled "Prohibit access to TCP/IP advance configuration" on the whole domain and in turn even administrator cant open the TCP/IP sttings, clock, copying any files on C or D drive (except in My Documents). Due to this problem I disabled the policy even I removed link & object permanatly but still the policy is in effect and I cannot do the above mentioned operations. 
    If you have any idea please let me know how to enable the default policy.

    Once again thanks for your support.

    Regards,        
    • Marked as answer by Wilson Jia Thursday, August 27, 2009 1:41 AM
    Wednesday, August 26, 2009 12:00 PM

All replies

  • Are you Administrator of the Domain? If so, try to Disable the GPO. Check the link below;

    http://www.windowsnetworking.com/img/upl/Optimizing%20Group%20Policy%20Performance%20Figure%2011117023195636.jpg

    Set All Settings Disable and then after that in DC > Start > Run > Cmd > gpupdate /force

    Reboot the client machine and test again.
    Thiago Pereira | http://thiagoinfrat.spaces.live.com | http://www.winsec.org
    • Marked as answer by Wilson Jia Thursday, August 27, 2009 1:41 AM
    Wednesday, August 26, 2009 4:00 AM
  • Howdie!

    If I remember correctly, this setting is stored in Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, "RestrictRun". If you manage to delete the key or set it to 0, you should be able to access your management tools (ADUC, GPMC) to undo the policy for all machines.

    Can you access one machine's registry either locally or remotely using regedit and delete the key? If so, you need to re-configure RestrictRun (setting it to 0 should be okay) and logoff and re-login. After that, you should be able to launch GPMC.

    Cheers,
    Florian
    Microsoft MVP - Group Policy (http://www.frickelsoft.net/blog)
    • Marked as answer by Wilson Jia Thursday, August 27, 2009 1:41 AM
    Wednesday, August 26, 2009 8:06 AM
  • Dear Thiago / Florian,

    Thanks for your prompt support, the issue has been solved after restarting the DC(amazing). Before it was not giving access to open any program even ADUC, now I can access to ADUC so I diabled the policy and everthing is back to normal.
    I have a little problem on the group policy that long back I enabled "Prohibit access to TCP/IP advance configuration" on the whole domain and in turn even administrator cant open the TCP/IP sttings, clock, copying any files on C or D drive (except in My Documents). Due to this problem I disabled the policy even I removed link & object permanatly but still the policy is in effect and I cannot do the above mentioned operations. 
    If you have any idea please let me know how to enable the default policy.

    Once again thanks for your support.

    Regards,        
    • Marked as answer by Wilson Jia Thursday, August 27, 2009 1:41 AM
    Wednesday, August 26, 2009 12:00 PM
  • Try using an existing GPO (or creating a new one) with this setting explicitly disabled and force the refresh of the policy on your clients...

    hth
    Marcin

    Wednesday, August 26, 2009 12:04 PM