Local admin account permissions issue and local group policy issue.

Got a local admin account where this has been set

http://img26.imageshack.us/img26/5716/18112010133154.png

Which I believe is preventing the admin account from removing or installing devices.  This is causing an issue.  Looks like it's AD GP as is greyed out and I can't add to it locally.  The network team claim there are no AD GPs to limit the local admin account that they know of.

Also, I'm trying to use Process Monitor on the machine but that needs admin rights and it keeps saying that the local admin account isn't a member of the admin group, but it is.

Any ideas?  Even if it's just fixing he Process Monitor bit?

And looking at the picture can anyone explain what the icon means next to Load and Unload device drivers.  It's different from the others and think this is related, maybe trying to tell me it's a AD group policy.

I've spoken to networks, they said there are not AD GP's set for this.  I've used the local admin account to create a new local admin account and put it in the administrators group.  Logged into it and it also has the same issue.

Any ideas?
 

Question Info


Last updated November 9, 2018 Views 6,069 Applies to:
Answer
Answer

We'll probably never know as I fixed it all before I read your new reply :) this is how it all went.  Might look odd but it's because I posted this fix on another forum I post at and can't be bothered to type it all again so just lifted it from there.  May be of some help to others.

-------------------------------

Took all day from 8am to 4pm but did it :) gives you a buzz when you solved something like this, that had me  :scratch: all day.

Right.  First problem (that ended up not needed in end) was to fix the GPEDIT issue, why wasn't Administrators in there.  I think the GP was buggered, so asking over at Technet forums I got told about the secedit command (which I'm sure I've heard of before but long forgot).  Got given this link

http://support.microsoft.com/kb/313222

Being on XP I ran this on the machine at a CMD

secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

Did what it had to do.  Checked gpedit again and sure enough the Administrators group was back in the place it should be in the image in first post.  But it was all still greyed out, but never mind as admin account was now able to remove devices.  Also got told the icon means it's locked by Group Policy and can't be edited.  The blue 1's and 0's means it's not locked and can be edited.

So, now, why wasn't Process Monitor still working?  It was still saying Admin wasn't in the Admin group but it was.  On Technet they later said the Admin has to be in the debug group as well for Process Monitor to run, but I'd fixed it before then, so not sure if that was the issue.

Anyway.  To fix the admin account permissions I used Trinity Rescue Kit

http://trinityhome.org/Home/index.php?wpid=1&front_id=12

Booted up from that, ran

winpass

To allow you to reset a local account, unlock or up it's privileges.  I choose to up the admin accounts privileges as it was saying the admin account only had Normal rights.

Booted into Windows and result, Process Monitor was now able to run :)

However, the hanging issue (not sure if I mentioned that) was still a problem.  I then used msconfig (which ain't great) but it's easy with that to hide all the Microsoft processes so that you can then disable all other, 3rd party ones.  Did that and rebooted.  No more hanging.  Then had to re-enable them one by one till the hanging started again.

What was it?

Our Helpdesk software.  It had two processes running as services at start-up and they were causing the hang.  I'm about to look through the Process Monitor logs of it working and then not working.  To see if what I suspect to be happening is happening.  That is, now the PC is on a new domain, these two services are trying to talk or doing something with the old domain and can't.  Causing explorer to then hang as they maybe just get stuck in a loop.

Was a good feeling when it was all fixed and I had drilled it down to the exact two things causing the issue.

Now it geekness I'm off to look through the process monitor logs.

-----------------------

Also, to get round the fact they'd forgotten the local admin password, I used Kon-Boot

 

Forgot to mention that once I put the PC back on the domain the gpedit entry was no longer greyed out.

Did this solve your problem?

Sorry this didn't help.

Great! Thanks for marking this as the answer.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this response?

Thanks for your feedback.

Answer
Answer

The symbol you refer to indicates that setting has been locked by group policy and is not changeable.  When I've seen this in the past, the only way I've been able to override it is by using "secedit".  For more info on this command:
      Start -> Help and Support ->  Search: Secedit

An "Elephant Gun" approach might also work:

"How do I restore security settings to the default settings?"
  < http://support.microsoft.com/kb/313222 >

HTH,
  JW

 

Did this solve your problem?

Sorry this didn't help.

Great! Thanks for marking this as the answer.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this response?

Thanks for your feedback.