Workstation and Apps Restrictions
Novell Cool Solutions: Trench
Digg This -
Posted: 3 Jun 2004
Question: Noah G. wrote: I am working with a NetWare 6/ Windows NT 4 network. The workstations consist of several 95/98 desktops and a few 98 laptops (we are in the process of upgrading). Applications are sent down by ZENworks. We have set up some fairly strict policies that get in the way of administration sometimes. One such policy prevents them from installing anything including running install.exe or setup.exe.
We have had times when the NIC or something else will go bad, and the administrator can't log onto the workstation due to restrictions in place on the workstation. If the administrator could log in, then the restrictions would be removed. Is there a way to remove the restrictions from a workstation or laptop that can't login anymore without totally reinstalling it?
Answer: It's not easy to do this with Windows 9x as it's not truly multi-user aware.
The solution with Windows NT/2000/XP is to have a different policy set for administrators.
Anyone out there have a sneaky method of doing this? Let us know.
Under Win 9x I put poledit.exe and a copy of the adm files on a floppy disk. I had a hole in the workstation's restrictions so if the computer was disconnected from the network I could go in as default user and run poledit.exe from the floppy to unrestrict the workstation.
We sometimes have a similar problem when a workstation cannot connect to a network and subsequently download the ZENworks policies, the last policy loaded remains active, usually locking access to numerous useful things - network properties, display properties, regedit, etc.
My solution is to have a copy of poledit.exe (from 98 cd in \tools\reskit\netadmin\poledit) installed somewhere on the workstation (renamed and hidden somewhere if you are worried about it being on the workstation). It is then a simple matter of kicking off poledit, opening the registry and enabling whatever you need access to. Once saved, the changes are immediate.
I'm not sure under what circumstances this would not work. There is always a way into a 9x workstation if you just want to run an app. If you have an allowed application policy just rename poledit to something that is allowed to run.