How to reset user rights in the Default Domain Controllers Group Policy object

How to reset user rights in the Default Domain Controllers Group Policy object

SUMMARY
The Default Domain Controllers Group Policy object (GPO) contains many default user-rights settings. In some cases, changing the default settings may produce undesirable effects. This may result in a condition where unexpected restrictions exist on the user rights. If the changes are unexpected, or if the changes were not recorded so that it is unknown which changes were made, it may be necessary to reset these user-rights settings to their defaults.

This situation may also result if the contents of the Sysvol folder were manually rebuilt, or restored from backup by using the procedures in the following article in the Microsoft Knowledge Base:
253268 Group Policy Error Message When Appropriate Sysvol Contents Are Missing
It may be also necessary to reset the SeInteractiveLogonRight and SeDenyInteractiveLogonRight user-rights settings to their defaults if you receive the following error message when you try to log on to the console of the domain controller:
The local policy of this system does not permit you to logon interactively
MORE INFORMATION
There are three steps required to reset the user rights assignments for the GPO: 1. Log on to Directory Services Restore Mode.
2. Edit the GptTmpl.inf file.
3. Increment the group policy version (this change is made in the Gpt.ini).
4. Apply the new group policy.

Note Be cautious when performing these steps. Incorrectly configuring the GPO template may render your domain controllers inoperable. 1. Edit the GptTmpl.inf file. The User Rights settings may be reset to the defaults by editing the GptTmpl.inf file. This file is located in the Group Policy folder under the Sysvol folder:
sysvol path\sysvol\domain name\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit
Note The default path for the Sysvol folder is %SystemRoot%\Sysvol

To completely reset the user rights to the default settings, replace the existing information in the GptTmpl.inf file with the following default user-rights information. You can copy, and then paste the appropriate section below into your existing GptTmpl.inf file.

Please note the permissions settings for each template. You should use the correct template for your installation based on your desired user-rights settings.

Note Microsoft strongly recommends backing up the GptTmpl.inf file before making these changes.
Permissions compatible with Pre-Windows 2000 users
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
[Privilege Rights]
SeAssignPrimaryTokenPrivilege =
SeAuditPrivilege =
SeBackupPrivilege = *S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
SeBatchLogonRight =
SeChangeNotifyPrivilege = *S-1-5-11,*S-1-5-32-544,*S-1-1-0
SeCreatePagefilePrivilege = *S-1-5-32-544
SeCreatePermanentPrivilege =
SeCreateTokenPrivilege =
SeDebugPrivilege = *S-1-5-32-544
SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
SeIncreaseQuotaPrivilege = *S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-544
SeLoadDriverPrivilege = *S-1-5-32-544
SeLockMemoryPrivilege =
SeMachineAccountPrivilege = *S-1-5-11
SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544,*S-1-1-0
SeProfileSingleProcessPrivilege = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-549,*S-1-5-32-544
SeRestorePrivilege = *S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
SeSecurityPrivilege = *S-1-5-32-544
SeServiceLogonRight =
SeShutdownPrivilege = *S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-544
SeSystemEnvironmentPrivilege = *S-1-5-32-544
SeSystemProfilePrivilege = *S-1-5-32-544
SeSystemTimePrivilege = *S-1-5-32-549,*S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeTcbPrivilege =
SeDenyInteractiveLogonRight =
SeDenyBatchLogonRight =
SeDenyServiceLogonRight =
SeDenyNetworkLogonRight =
SeUndockPrivilege = *S-1-5-32-544
SeSyncAgentPrivilege =
SeEnableDelegationPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
Note If Internet Information Services is installed, you must append the following user accounts to those already listed for these rights:
SeBatchLogonRight = IWAM_%servername%,IUSR_%servername%
SeInteractiveLogonRight = IUSR_%servername%
SeNetworkLogonRight = IWAM_%servername%,IUSR_%servername%
where the %servername% variable is a placeholder, and you should edit it to reflect the computer settings.

An example would look like this:
SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544,*S-1-1-0, IWAM_testserver1, IUSR_testserver1
Note If Terminal Services is installed, you must append the following user account to those already listed for this right:
SeInteractiveLogonRight = TsInternetUser
An example would look like this:
SeInteractiveLogonRight = *S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-544, TsInternetUser
-or this-
SeInteractiveLogonRight = *S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-544,IWAM_testserver1, IUSR_testserver1,TsInternetUser
Permissions compatible only with Windows 2000 users
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
[Privilege Rights]
SeAssignPrimaryTokenPrivilege =
SeAuditPrivilege =
SeBackupPrivilege = *S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
SeBatchLogonRight =
SeChangeNotifyPrivilege = *S-1-5-11,*S-1-5-32-544,*S-1-1-0
SeCreatePagefilePrivilege = *S-1-5-32-544
SeCreatePermanentPrivilege =
SeCreateTokenPrivilege =
SeDebugPrivilege = *S-1-5-32-544
SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
SeIncreaseQuotaPrivilege = *S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-544
SeLoadDriverPrivilege = *S-1-5-32-544
SeLockMemoryPrivilege =
SeMachineAccountPrivilege = *S-1-5-11
SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544,*S-1-1-0
SeProfileSingleProcessPrivilege = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-549,*S-1-5-32-544
SeRestorePrivilege = *S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
SeSecurityPrivilege = *S-1-5-32-544
SeServiceLogonRight =
SeShutdownPrivilege = *S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-544
SeSystemEnvironmentPrivilege = *S-1-5-32-544
SeSystemProfilePrivilege = *S-1-5-32-544
SeSystemTimePrivilege = *S-1-5-32-549,*S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeTcbPrivilege =
SeDenyInteractiveLogonRight =
SeDenyBatchLogonRight =
SeDenyServiceLogonRight =
SeDenyNetworkLogonRight =
SeUndockPrivilege = *S-1-5-32-544
SeSyncAgentPrivilege =
SeEnableDelegationPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
Note If Internet Information Services is installed, you have to add the following user rights. The servername variable is a placeholder, and you should edit it to reflect the computer settings:
SeBatchLogonRight = IWAM_servername,IUSR_servername
SeInteractiveLogonRight = IUSR_servername
SeNetworkLogonRight = IUSR_servername
Save, and then close the new GptTmpl.inf file.

2. Increment the group policy version. You must increase the group policy version to ensure that the policy changes are retained. The Gpt.ini file controls the Group Policy Template version numbers. a. Open the Gpt.ini file from the following location:
sysvol path\sysvol\domain name\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
b. Increase the version number to a number large enough to guarantee that normal replication will not make the new version number become outdated before the policy can be reset. It is preferable to increment the number by either adding the number "0" to the end of the version number, or the number "1" to the beginning of the version number.
c. Save and close the Gpt.ini file.

3. Apply the new group policy. Use Secedit to manually refresh the group policy. This can be accomplished by typing the following line at a command prompt:
secedit /refreshpolicy machine_policy /enforce
In Event Viewer, check the Application Log for event number "1704" to verify successful policy propagation. For more information about refreshing the group policy, click the following article number to view the article in the Microsoft Knowledge Base:
227448 Using Secedit.exe to force group policy to be applied again

Comments

Post a Comment

Popular posts from this blog

Exchange Server Error -1018: How Microsoft IT Recovers Damaged Exchange Databases

Image
I found this paper on the showcase site from microsoft I hope it is of help to you. It sure helped me!     Technical White Paper Published: August 1, 2005 Executive Summary Error –1018 (JET_errReadVerifyFailure) is a familiar—and dreaded—error in Microsoft® Exchange Server. It indicates that an Exchange database file has been damaged by a failure or problem in the underlying file system or hardware. This paper explains the conditions that result in error –1018. It also covers the detection mechanisms that Exchange uses to discover and recover from damage to its database files. The Microsoft Information Technology group (Microsoft IT) runs one of the most extensive Exchange Server organizations in the world. Exchange administrators at Microsoft have investigated and recovered from dozens of –1018 error problems. This paper shows you how Microsoft IT monitors fo
Read more

Server and Domain Isolation Using IPsec and Group Policy

Image
Microsoft Solutions for Security and Compliance Server and Domain Isolation Using IPsec and Group Policy © 2006 Microsoft Corporation. This work is licensed under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA. Table of Contents Chapter 1: Introduction to Server and Domain Isolation. 1 Executive Summary. 1 Who Should Read This Guide. 2 The Business Challenge. 3 The Business Benefits. 3 The Technology Challenge. 4 Creating a Project Team.. 6 Guide Overview.. 7 Chapter 1: Introduction to Server and Domain Isolation. 7 Chapter 2: Understanding Server and Domain Isolation. 7 Chapter 3: Determining the Current State of Your IT Infrastructure. 7 Chapter 4: Designing and Planning Isolation Groups. 8 Chapter 5: Creating IPsec Policies for Isolation Groups.
Read more

[Solved] The Group Policy client-side extension Internet Explorer Zonemapping failed to execute

Image
I had the error below in my application eventlog.     Event Type:    Error Event Source:    Userenv Event Category:    None Event ID:    1085 Date:        30-09-2008 Time:        15:20:30 User:        NT AUTHORITY\SYSTEM Computer:    TBG-TS01 Description: The Group Policy client-side extension Internet Explorer Zonemapping failed to execute. Please look for any errors reported earlier by that extension. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp .   My problem was with my site to zone assignment list I used a wildcard like this: “ *microsoft.com ” but what you need to do is this “ *.microsoft.com ” So it is safe to say that the documentation from microsoft needs some sort of an update stating that you can only use a wildcard infront of dot. Below is the microsoft explaination:   This policy setting allows you to manage a list of sites that you want to associate with a particular s
Read more