Note to my stupid self and other Windows Sysadmins: When making use of the “Run only allowed Windows applications” Group Policy Object, be sure you include “gpedit.msc” as one of the allowed applications. For those in the know, you already know what that means. For those who don’t, well, it just means I’m an idiot. Basically, I locked myself out of the tool needed to lock down other aspects of the machine. Stupid, stupid, stupid.
Oooops… well, live and learn… as long as you don’t do it again. GPEDIT.msc has some great tweaks in there to protect users from themselves. Good luck!!
I did the very same thing last week – I was able to get a bit of wiggle room by renaming .exes that I wanted to open to the exact name I had specified for the one “Allowed” program on the list, which meant that any .exe can potentially be allowed as long as the name matches. Still couldn’t edit any registry keys to undo my damage, but it allowed me to get the PC in shape to run tests for a clinic and print results, which is all it was needed for. Now it’s just secure as hell… even against superadmins.
I’ve done this. Was there a workaround besides formatting?