Many Windows tweaks and settings (including those described on this site) involve changing local group policy settings or security policies using the appropriate editor (present in professional and enterprise versions of the OS and in Windows 7 Ultimate), the registry editor, or, sometimes, third-party programs . In some cases, you may need to reset local group policy settings to default settings - as a rule, the need arises when some system function cannot be enabled or disabled in another way or it is impossible to change any settings (in Windows 10, you can see message indicating that some settings are controlled by an administrator or organization).
This guide details ways to reset local group policies and security policies in Windows 10, 8 and Windows 7 in various ways.
Reset using Local Group Policy Editor
The first way to reset is to use the local group policy editor built into Windows versions Pro, Enterprise or Ultimate (not available in Home).
The steps will look like this
- Launch the Local Group Policy Editor by pressing Win+R on your keyboard, typing gpedit.msc and pressing Enter.
- Expand the “Computer Configuration” - “Administrative Templates” section and select “All Settings”. Sort by the Status column.
- For all parameters whose status value is different from “Not set”, double-click on the parameter and set the value to “Not set”.
- Check if there are policies with specified values (enabled or disabled) in a similar subsection, but in “User Configuration”. If there is, change it to “Not specified”.
Done - the settings of all local policies have been changed to those that are set by default in Windows (they are not set).
Trick 4. Binary planting
The GPdisable utility consists of two files:
gpdisable.exe - injects DLL into the process;
gpdisable.dll is a special DLL for bypassing SRP.
As I said, if we can run the application, we can easily bypass SRP and other policies (via GPdisable, bpmtk, GPCul8or - doesn't matter). However, it may not be that easy to run these applications on a real system. But we can load DLLs (including gpdisable.dll). There is an important nuance here. Group policies can also check DLLs when starting software, but this will significantly reduce system performance, so this option is disabled by default. And we can use it! A recent study from Across Security, which talks about new (rather perverted, but working) methods for loading code into processes, comes in very handy. The technique is called Binary planting (and its classic example is dll hijacking), while studying it, the thought arose: “why not use it to bypass group policies ?” If the system allows the launch of applications only from the white list (even if only Word), then this is already enough to load our useful DLL to bypass SRP. So, let's try to cross dll hijacking from the guys from Across and GPdisable:
Rename gpdisable.dll to ehTrace.dll.
Create a folder named cookie. <2E095DD0-AF56-47E4-A099-EAC038DECC24>(any name, text after the dot will disappear).
Drop ehTrace.dll into the newly created folder.
We go to the folder and create any document there in Word, Excel or, for example, PDF.
Now open the newly created file.
The corresponding program should start. And run it together with the loaded DLL!
That's it, politicians are not scary to us.
How to reset local security policies in Windows 10, 8 and Windows 7
There is a separate editor for local security policies - secpol.msc, however, the method for resetting local group policies will not work here, because some of the security policies have default values.
To reset, you can use the command line running as administrator, in which you should enter the command
secedit /configure /cfg %windir%infdefltbase.inf /db defltbase.sdb /verbose
and press Enter.
- How to disable Windows Defender 10 - proven methods
Trick 6: Using environment variables
When you start tormenting group policies, you realize that creating a secure system will require a lot of work. The matter is difficult and with a lot of subtleties. For example, developers suggest that admins use a convenient hint - specify environment variables as paths for SRP restrictions. Yes, here is the problem. The user, if they are not strictly forced, has the opportunity to override them. For example, the admin indicated that executables can be launched from the %TEMP% folder, and the user accepted and redefined it with the following command:
And just like that, I got the opportunity to run files from the root C:. In addition, do not forget about the standard directories from which exe files can be launched:
%HKEY_LOCAL_MACHINESOFTWAREMicrosoft Windows NTCurrentVersionSystemRoot%
%HKEY_LOCAL_MACHINESOFTWAREMicrosoft Windows NTCurrentVersionSystemRoot%*.exe
%HKEY_LOCAL_MACHINESOFTWAREMicrosoft Windows NTCurrentVersionSystemRoot%System32*.exe
They only allow software to be launched from the Windows and Program Files folder for users. The average user does not have the ability to write to them, but there can be problems here too. Since in fact the user has write rights - by default to the folder C:windowssystem32spoolPrinters and C:windowstemp. If the user has the opportunity to write to some directory with software, then the corresponding SRP policies will no longer work. By the way, in order to verify in practice what rights the user has, the tool AccessChk from the same Russinovich will help.
Removing local group policies
Important: This method is potentially undesirable; do it at your own risk. Also, this method will not work for policies changed by making edits in the registry editor, bypassing the policy editors.
Policies are loaded into the Windows registry from files in the WindowsSystem32GroupPolicy and WindowsSystem32GroupPolicyUsers folders. If you delete these folders (you may need to boot into Safe Mode) and restart your computer, the policies will be reset to their default settings.
Removal can also be done in the command line, launched as an administrator, by executing the commands in order (the last command reloads the policies):
RD /S /Q "%WinDir%System32GroupPolicy" RD /S /Q "%WinDir%System32GroupPolicyUsers" gpupdate /force
If none of the methods helped you, you can reset Windows 10 (also available in Windows 8/8.1) to default settings, including saving data.
The Local Group Policy Editor is a powerful tool that allows you to fine-tune Windows settings. It is used mainly by system administrators, but if you understand the matter, ordinary users can use it with equal success. However, neither the first nor the second are immune from mistakes. Sometimes it happens that due to unsuccessful configuration of settings through the local group policy editor, the system begins to work incorrectly.
The best thing to do in such a situation is to return the changed settings to their original state. If there are a lot of changed settings, and you don’t remember what exactly you changed, you can resort to completely resetting all Group Policy Editor settings to default values. Here's how to do it using Windows 10 as an example.
You can reset the policy editor configuration through the policy editor itself. Open it with the command gpedit.msc and go to Computer Configuration -> Administrative Templates -> All Settings . By clicking the impromptu arrow in the “Status” , sort the policies so that those with the status “Enabled” and “Disabled” are at the top of the list, so it will be more convenient for you to work with them.
Then double-click on each of these policies with the mouse and in the settings window set the radio button to “Not configured” .
- 5 Ways to Disable Windows Defender 10
Repeat the same steps for the policy in the User Configuration .
You can also reset Group Policy Editor settings using the command line. Open the console as an administrator and run these three commands in sequence, then restart your computer:
RD /S /Q "%WinDir%System32GroupPolicy" RD /S /Q "%WinDir%System32GroupPolicyUsers" gpudate /force
And finally, the last step is to reset local security policies to default values. This snap-in is a kind of extension of the Local Group Policy component. It opens with the command secpol.msc . To reset it, you can also use the command line launched with administrator rights. The reset command itself looks like this:
secedit /configure /cfg %windir%infdefltbase.inf /db defltbase.sdb /verbose
- How to permanently disable forced updates in Windows 10p
As with the gpedit.msc , you will need to restart your computer to restore the original settings.
Previous Entry | Next Entry
Trick 3. Bypass SRP
Alas, another restriction mechanism appears further on our path - SRP (Software Restriction Policies). This is a group of policies with which the administrator can limit the list of software that a user can run through black and white lists. Blacklist and Whitelist are determined using rules that can be set in several ways: by zone and by certificate (the first two options are practically not used), as well as by the path to the file and by its hash. The fact that SRP policies are in effect in the system is indicated by the corresponding item in the registry - HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoft WindowsSafer CodeIdentifiersTransparentEnabled with a value greater than 0, which, as mentioned above, is checked when the process starts. Our task, accordingly, is to disable this check inside the launched process. Back in 2005, Mark Russinovich published a blog post about bypassing SRP and introduced the GPdisable tool. It performs DLL injection into a given process, loading a special DLL. When a process attempts to obtain the value of the registry key HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsSafer CodeIdentifiersTransparentEnabled , that is, it will check for the presence of SRP policies, this library will intercept the request and return STATUS_OBJECT_NAME_NOT_FOUND. Thus, the process thinks that all OK and SRP policies in the system are not in effect. After the purchase of Sysinternals by Microsoft, GPdisable was no longer officially available (but it is still easy to find on the Internet. There are even more advanced solutions. The GPCul8or utility from Eric Rachner performs similar functions, but is available in source code. What does this give us? We can add any other Windows registry values to GPCul8or (DisableTaskMgr, ProxySettingsPerUser for example) and thus bypass all possible policy restrictions. Which values exactly, you ask. RegMon from Mark Russinovich can help you, although, in fact, these are all the values from Policies branches.Another original method was published by Didier Stevens on his blog.Using his bpmtk tool (Basic Process Manipulation Tool Kit), he proposed changing the value of the registry branch required for group policy directly in the process memory.
Cancel group policies on the local computer
Cancel the effect of group policies on the local computer https://windowsnotes.ru/windows-7/otmenyaem-dejstvie-gruppovyx-politik-na-lokalnom-kompyutere/Group policies are the main tool for managing users in a domain. With their help, the administrator can configure almost any parameters of the user's working environment. Everything from prohibiting the launch of certain programs to the picture on the desktop can be set through group policies. Policies are managed at the domain level and only members of the domain or enterprise Administrators group have access to them. Is it possible to undo group policies on a computer without being a domain administrator? Today we will try to find out. As a test subject, let's take a computer with Windows 7 installed on it, which is a member of a domain. We will carry out all actions under a normal account that does not have any administrative rights in the domain. The Group Policy Client (gpsvc) service is responsible for applying group policies on the local computer in Windows 7. Its status can be viewed directly in the Task Manager, on the Services tab.
Or in the Services snap-in.
gpsvc in the Services snap-in The first thing that comes to mind is to simply stop the service and set the startup mode to Disabled. But not everything is as simple as it seems. The gpsvc service runs on behalf of the local system, and we cannot stop it or change its launch parameters from the graphical snap-in.
gpsvc properties Alternatively, you can use the psexec utility to start the command console on behalf of the system and then stop the service with the command
net stop gpsvc
stop gpsvc from the command line But this is a temporary solution. Although the service is stopped, we still cannot change its launch parameters, and the next time it is rebooted, it will be launched. To change the service startup mode, we will need to edit the registry. The service settings are located in the section. By default, changing the parameters of this section is prohibited, so before we can edit it, we need to obtain rights to do so. Right-click on the section and select “Permissions”.
change gpsvc permissions in the registry First of all, we need to change the owner of the section. To do this, go to additional security settings and select your account as the owner.
changing the owner of the gpsvc registry sectionAfter which we give ourselves full rights and, just in case, remove everyone from the access list.
editing the registry key access list Now you can return to the service settings. The Start parameter is responsible for the launch mode. By default it is 2, which means the startup mode is Auto. To disable the service, set it to 4.
configure the gpsvc service startup modeAnd one more thing. By disabling the Group Policy Client service in this way, you will periodically receive notifications in the tray that the Windows service is unavailable.
message about service unavailability To avoid this, you can delete (after saving) the registry key
disable notifications about the unavailability of the gpsvc service. In this simple way you can disable the effect of group policies. In this case, it is not at all necessary to have administrative rights in the domain; you just need to be a member of the local administrators group on the computer. True, such a number can only pass on computers with Windows 7 or Vista. In earlier operating systems there is no gpsvc service, and the Winlogon service is responsible for applying group policies. Yes, I almost forgot. I carried out all the actions described in the article solely for educational purposes.
