CASPol implements a self-protection mechanism that rejects policy changes that would prevent CASPol itself from functioning. There may be two scenarios in which this self-protection mechanism can legitimately be overridden:
To override CASPol’s self-protection feature, use -force as a prefix to the policy change option that would otherwise be rejected by CASPol:
Caspol -force -…
In the example below, the user policy’s root code group is changed to have the Nothing permission set associated with it.
Caspol -force -user -chggroup 1 Nothing
It should be noted that this option is extremely dangerous. It may cause CASPol to stop functioning, in which case -recovery cannot be applied because CASPol may not be able to run.
It is possible to perform the manual equivalent of a -recovery operation. The backed-up machine and user policies are written to security.cfg.old files. Simply delete the security.cfg of the policy level at which you made the crashing change and rename security.cfg.old to security.cfg. These files can be located using the Windows Explorer™ search function.
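The manual recovery described above, as an added PowerShell example (it is not part of the original text or of CASPol). The function names and the -PolicyDir parameter are hypothetical; the code assumes PowerShell 3.0 or later, uses the file names given in the text, and moves the broken security.cfg aside under a new name instead of deleting it so the failing change can still be inspected.

```powershell
# Added example: manual equivalent of the recovery step for one policy level.
# Assumption: -PolicyDir is the folder that holds that level's security.cfg and
# security.cfg.old (file names as given in the text).
function Restore-CasPolicyBackup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$PolicyDir
    )

    $current = Join-Path $PolicyDir 'security.cfg'
    $backup  = Join-Path $PolicyDir 'security.cfg.old'

    # Refuse to touch anything unless the backup exists; without it, removing
    # security.cfg would leave nothing to restore.
    if (-not (Test-Path -LiteralPath $backup -PathType Leaf)) {
        throw "No backup found at $backup"
    }

    if (Test-Path -LiteralPath $current -PathType Leaf) {
        # Keep the broken policy under a timestamped name rather than deleting it.
        $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
        $broken = "$current.broken-$stamp"
        if ($PSCmdlet.ShouldProcess($current, "Move aside to $broken")) {
            Move-Item -LiteralPath $current -Destination $broken
        }
    }

    if ($PSCmdlet.ShouldProcess($backup, "Rename to $current")) {
        Move-Item -LiteralPath $backup -Destination $current
    }
}

# Scripted counterpart of the Explorer search: list folders containing a backup.
# The default search root is an assumption; narrow it where possible.
function Find-CasPolicyBackup {
    param([string]$SearchRoot = "$env:SystemDrive\")
    Get-ChildItem -Path $SearchRoot -Filter 'security.cfg.old' -File -Recurse -ErrorAction SilentlyContinue |
        Select-Object DirectoryName, LastWriteTime
}

# Preview first, then run without -WhatIf for the level that was changed:
#   Find-CasPolicyBackup
#   Restore-CasPolicyBackup -PolicyDir '<folder from the search>' -WhatIf
```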