how to re-enable gpedit.msc

A while back I wrote about how stupid I was by locking myself out of Microsoft’s Group Policy Editor when I failed to specify it as one of the “Run only allowed Windows applications” in gpedit.msc.

Well, I found my remedy today after almost doing the same thing again. This time, I was clever enough to remember to add “gpedit.msc” to the list of allowed applications, but I was still ignorant because I failed to connect the dots that are Microsoft in my head. You see, .msc files are snap-ins/templates for the Microsoft Management Console. See where I’m going yet? Listing “gpedit.msc” as an allowed app does you no good at all. To make this work, you need to allow “mmc.exe”, which is the application called upon to open the given .msc file. Simple enough.

So anyway – now that I know the proper way to allow gpedit to run, how do I unlock these two computers I have now without resorting to reinstalling Windows? On one of the computers (a Windows 2000 machine), I had allowed cmd.exe as well as the MS Office applications, so I fired up my command line and typed out this:

cd \WINNT\System32
copy mmc.exe winword.exe

Voila! I have MMC open now. Go through these steps to add the Group Policy snap-in to the interface:

  1. Click on File->Add/Remove Snap-in
  2. Click the “Add” button
  3. Select “Group Policy” and click the OK button.
  4. Click “Finish”
  5. Click “Close”
  6. Click “OK”

Now correct those policies that you configured wrong, you big goof!

The other PC, running Windows XP, had ONLY Mozilla Thunderbird as the allowed app, and this worked a charm:

cd \Windows\System32
copy mmc.exe thunderbird.exe

Then just repeat the above steps to add the snap-in and correct the necessary policies.

Hopefully this helps someone. Sure beats reinstalling Windows.
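
The copy trick above works because the “Run only allowed Windows applications” list matched on file name alone, so mmc.exe ran once it carried an allowed name. As an added example (not part of the original post), this PowerShell function lists executables whose file name differs from the OriginalFilename in their version resource, which is how such copies can be found and cleaned up afterwards; the function name Get-RenamedExecutable and PowerShell 3.0 or later are assumptions.

```powershell
# Added example, not from the original post.
# Get-RenamedExecutable is a hypothetical name; requires PowerShell 3.0+.
function Get-RenamedExecutable {
    [CmdletBinding()]
    param(
        # Directory to scan. System32 is where the copies in this post were made.
        [string]$Path = (Join-Path $env:SystemRoot 'System32')
    )

    Get-ChildItem -LiteralPath $Path -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.exe' } |
        ForEach-Object {
            $original = $_.VersionInfo.OriginalFilename
            # No version resource: nothing to compare against, so skip the file.
            if ([string]::IsNullOrWhiteSpace($original)) { return }

            # Newer Windows releases can report the name with a ".mui" suffix.
            $original = $original.Trim() -replace '\.mui$', ''
            # Some resources omit the extension, so compare without ".exe".
            $originalBase = $original -replace '\.exe$', ''
            if ($_.BaseName -eq $originalBase) { return }

            # A file carrying the original name in the same directory means this
            # one is most likely a copy (mmc.exe next to winword.exe, as above).
            $sibling = Join-Path $_.DirectoryName ($originalBase + '.exe')

            [pscustomobject]@{
                Path             = $_.FullName
                OriginalFilename = $original
                OriginalPresent  = [bool](Test-Path -LiteralPath $sibling -ErrorAction SilentlyContinue)
                LastWriteTime    = $_.LastWriteTime
            }
        }
}

# Copies sitting beside their original come first; the rest need manual review,
# because some legitimate binaries ship under a name unlike their resource name.
Get-RenamedExecutable | Sort-Object OriginalPresent -Descending | Format-Table -AutoSize
```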