Fixing a Policied Machine

Overview | Fixing the Problem

Overview

Policies are a set of instructions that windows uses for user access and rights on machines on a network. These are used to 'lock' down computers so that users cannot access things that they shouldn't, and are also used to maintain a higher-security network. On our campus, these policies are used in the Potsdam domain, a Windows NT domain that stores all the usernames and passwords for all the faculty and students. When you log into the domain, there are a number of things that happen (not necessarily in this order, but close):

1. Your computer authenticates the username/password with the Primary Domain Controller (PDC, which is Zeus, in this case).
2. If your computer has the key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Update\UpdateMode' set to '1', then it will look for policies (using the key 'NetworkPath' for where it looks), if it is set to '0' then it will not.
3. Assuming that it uses policies, it will update the policies from the Domain, and you will be forced to use the set of policies that now are merged into your computers registry. (really nice when you WANT it that way, but annoying when you don't)

Fixing the Problem

    If you find yourself in a situation where policies are enabled, run through the following steps in order to fix the situation:

... --- ...

If you cannot log in, or cannot access regedit.exe even when you do log in, then the machine has been policied, and you need to Restart into Safe Mode in order to fix it.

After rebooting into safe mode, you can access regedit. (Start Menu --> Run --> regedit.exe)

With Regedit opened, you now have full control over the computer (if you know what you are doing). The following keys must be edited in order to disable policies:

... --- ...

1.

• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Update
  • Change the key 'UpdateMode' to be equal to '0'.
  • (to do this, just double click on the key, and when it opens up, change the '1' to '0')

• Delete the key 'NetworkPath'. This is the key that tells Update where to look for the policies, and will only cause problems if it is left there.

2.

• HKEY_LOCAL_MACHINE\Network\Logon
  • Change the key 'MustBeValidated' from '1' to '0'
  • (This will allow students/faculty to log into their computer even if it is OFF the network.... will cause problems if left there)

... --- ...

After you have edited the registry, you can just exit out of Regedit.exe (no need to save, editing is retroactive).

Now you must delete the user "profile" so that the existing user registries and user settings get deleted, without doing this step, the user will retain the same desktop and start menu off the network. (Start Menu --> Settings --> Control Panel --> Users) Highlight the user, and delete them.

Once you have done all this, you are ready to reboot. After rebooting you should be able to log into the Potsdam Domain with no difficulties, and NO POLICIES!

 

If there is anything that you think I have left out please email me at thern18@potsdam.edu