...You might end up administratively locking yourself out of Windows!
I'm off to Jamaica tomorrow to replace a computer that's myseriously crashed AGAIN, so we decided to lock-down the desktop on the replacement a little tighter than we normally do. We decided that all we wanted this machine to do is run Internet Explorer, and only be allowed to connect to one website.
I opened gpedit.msc to adjust the Local Security Policy on the machine, went to User settings, and found the Only run allowed windows programs setting and enabled it. I added C:\Program Files\Internet Explorer\iexplore.exe to the list and clicked ok, closed the editor, logged off and logged on as the end-user and tried to run anything, and it wouldnt let me. I fired up IE and it worked, and tried to go to my website. It wouldnt let me, it popped up the Content Advisor window and asked for the password. The hint window has our support phone number on it with “If you believe you are getting this message in error, please call the IT Dept at xxx-xxx-xxxx” I went to the allowed website, and it worked fine. I then went to log back on as Administrator and adjust the program settings again.
It wouldnt let me. Uh-oh. Bad news. I couldnt do ANYTHING. no command prompt, no explorer, no mmc, no nothing. Oops. I messed with it for a bit, tried to connect to the registry remotely from my computer, nothin happened.
I decided to bring the machine home with me, to save me a stop in the AM on the way to the airport, and also see if I could get back into it, and if not, reformat and reinstall Windows, patch it, install the s/w again and then leave it alone.
I busted out the Knoppix disc, to try out hacks #73, 75 and 77: Captive (read/write) NTFS, the Debian package chntpw (ChangeNTPassword) program and editing the windows registry from the BASH prompt. Pretty advanced stuff, considering I can fit all my linux knowledge in my pinky.
It took a little bit of work to get CaptiveNTFS to work, but I got it working. Had to download some drivers from the WindowsXP SP1a file, which was 30mb, but in the end, it worked. Next up was obtaining and running chntpw from http://packages.debian.org/unstable/chntpw and downloading it. Then I had to use a program called Alien to change it to a gzip, and then unzip it and move it into my home folder. Finally I had to navigate to the mounted NTFS drive, go to windows\system32\config and use chntpw -e to edit the registry and then navigate through the various hives and make some changes.
After all that was done, I unmounted the NTFS partitions and rebooted back into Windows... and it didn't work. AUGH. As a last resort, I tried logging in as the Domain Administrator (rather than local) with cached credentials (since I was at home, and not at work) and it worked! I ran gpedit and disabled that security setting for now until I can play with it a bit more and avoid “locking myself out” again. :)
No links for now, I have to get to bed, the flight tomorrow morning is at 7am, which means I have to be at the airport before 6am, which means I have to get up at 0500. What's the 0 stand for? 0 MY GOD ITS EARLY.