How to fix GPO Windows Server 2019

dARRENT9823 0 Reputation points
2023-09-05T19:41:20.3433333+00:00

Good evening! Created a Windows Server 2019 virtual machine in Hyper-V. Created a domain and configured policies (GPO). Unfortunately, there must have been a bug: I configured these 4 parameters:

Deny access to this computer from the network

Deny log on through Remote Desktop Services

Deny log on as a batch job

Deny log on as a service

specifying the administrators group, and after a reboot it does not allow me to log in. Please tell me what can be done? I tried a lot of things: I connected a virtual disk, deleted parameters in the GPO files in it - it did not help. I wrote the virtual machine to the hard disk, logged in, fixed it, moved it back to the virtual disk - it did not help.

Windows
Windows
A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
5,384 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
13,053 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Mason Wheare 70 Reputation points
    2023-09-06T03:44:14.3433333+00:00

    It sounds like you've encountered a situation where you've applied Group Policy Objects (GPOs) that have restricted access to the Windows Server 2019 virtual machine, including denying access for administrators. Since you're unable to log in to the server to make changes, you'll need to perform some recovery steps to regain access. Here's a general guide on how to fix this issue:

    Important: Before proceeding, make sure you have a backup of your virtual machine in case anything goes wrong during the recovery process.

    1. Access Safe Mode:
      • Shut down your Windows Server 2019 virtual machine.
      • Start the virtual machine and immediately press the F8 key repeatedly. This should bring up the "Advanced Boot Options" menu.
      • Select "Safe Mode with Networking" from the menu and press Enter. Safe Mode allows you to log in with a minimal set of drivers and services.
    2. Log In to Safe Mode:
      • In Safe Mode, try logging in using the local Administrator account. This account is usually not affected by GPO restrictions.
      • If you don't know the local Administrator password, you might need to use a password recovery tool or reset it through Hyper-V or other means.
    3. Edit Group Policy:
      • Once logged in, open the Group Policy Management Console (gpedit.msc) or Local Security Policy (secpol.msc) depending on the GPO you want to edit.
      • Navigate to the GPO settings that you believe caused the issue: "Deny access to this computer from the network," "Deny log on through Remote Desktop Services," etc.
      • Remove the administrators group or any other groups/users you want to allow access.
    4. Update Group Policy:
      • Open a Command Prompt as an administrator.
      • Run the command gpupdate /force to force an immediate update of group policies.
    5. Reboot the Server:
      • Exit Safe Mode and reboot the server normally.
    6. Test Login:
      • After the server restarts, try logging in using your administrators' credentials. You should now be able to log in without any restrictions.
    7. Revert the GPO Changes (Optional):
      • If you need to reapply some of the GPO settings, do so cautiously, making sure not to restrict administrative access again.

    Remember, working with Group Policy can be powerful but also carries risks, as you've experienced. Always thoroughly test GPO changes in a lab or on non-production systems before applying them in a production environment. Additionally, have a solid backup and recovery plan in place to handle unexpected situations like this.


  2. Daisy Zhou 23,426 Reputation points Microsoft Vendor
    2023-09-06T08:44:15.4333333+00:00

    Hello

    I'm glad to be able to answer this question for you, and I hope it helps.

    If you are unable to log in to your Windows Server 2019 virtual machine due to the misconfigured Group Policy settings, there are several steps you can take to regain access:

    1.Use Safe Mode: Restart the virtual machine and boot into Safe Mode. This will bypass some Group Policy settings and allow you to log in with administrative credentials. From there, you can modify or remove the problematic Group Policy settings.

    2.Offline Group Policy Editing: Mount the virtual machine's hard disk on another Windows machine and edit the Group Policy settings offline. Follow these steps:

    a. Create a backup of the virtual machine's VHD/VHDX file.

    b. Attach the VHD/VHDX file to another Windows machine.

    c. Open the Group Policy Object Editor (gpedit.msc) and load the virtual machine's registry hive (File -> Load Hive).

    d. Navigate to the appropriate Registry key corresponding to the Group Policy settings you need to modify (HKLM\Software\Policies or HKLM\Software\Microsoft\Windows\CurrentVersion\Policies).

    e. Make the necessary changes to disable or remove the Deny settings for the administrators group.

    f. Unload the virtual machine's registry hive (File -> Unload Hive) and detach the VHD/VHDX file.

    g. Reattach the modified VHD/VHDX file to the virtual machine and start it.

    3.Reset Local Group Policy Settings: If the Group Policy settings are only applied at the local level and not from an Active Directory domain, you can reset the local Group Policy settings. To do this:

    a. Boot the virtual machine from installation media (e.g., Windows Server 2019 ISO).

    b. Select the language and keyboard layout preferences, then click "Next."

    c. On the next screen, click "Repair your computer" in the bottom left corner.

    d. Choose "Troubleshoot" -> "Advanced options" -> "Command Prompt."

    e. In the Command Prompt, enter the following commands:

    move C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Windows\System32\GroupPolicy\Machine\Registry.pol.bak

    move C:\Windows\System32\GroupPolicy\User\Registry.pol C:\Windows\System32\GroupPolicy\User\Registry.pol.bak

    f. Restart the virtual machine and try to log in again.

    Note: please back up your full OS or system status before you make any changes.

    Hope the information above is helpful. If you have any question or concern, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.