How To Reset User Rights in the Default Domain Group Policy in Windows Server 2003

Article translations Article translations
Article ID: 324800 - View products that this article applies to.
This article was previously published under Q324800
Expand all | Collapse all

On This Page

SUMMARY

This article describes how to reset user rights in the default domain Group Policy object (GPO) in Windows Server 2003. The default domain GPO contains many default user-rights settings. Sometimes, if you change the default settings, unexpected restrictions may be put on user rights. If the changes are unexpected or if the changes were not recorded so that you do not know which changes were made, you may have to reset the user-rights settings to their default values.

This situation may also occur if you manually rebuild the contents of the Sysvol folder, or if you restore it from a backup by using the steps that are included in the following Microsoft Knowledge Base article:

253268 Group Policy Error Message Without Appropriate Sysvol Contents

Reset User Rights for the Default Domain GPO

To restore user rights to use the default settings for the default domain GPO, follow the procedures that are described in this section in the order that they are presented.

Warning Make sure that you use caution when you perform the following procedures. If you configure the GPO template incorrectly, you may cause your domain controllers to be inoperable.

Edit the Gpttmpl.inf File

To edit the Gpttmpl.inf file, follow these steps.

Important Back up the Gpttmpl.inf file before you perform this procedure.
  1. Start Windows Explorer and open the following folder, where Sysvol_path is the path of the Sysvol folder:
    Sysvol_path\Sysvol\DomainName\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit
    Note The default path of the Sysvol folder is %SystemRoot%\Sysvol.
  2. Right-click Gpttmpl.inf, and then click Open.
  3. To completely reset the user rights to the default settings, replace the existing information in the Gpttmpl.inf file with the following default user-rights information. To do so, paste the following text in the appropriate section of your current Gpttmpl.inf file:
    [Unicode]
    Unicode=yes
    [System Access]
    MinimumPasswordAge = 0
    MaximumPasswordAge = 42
    MinimumPasswordLength = 0
    PasswordComplexity = 0
    PasswordHistorySize = 1
    LockoutBadCount = 0
    RequireLogonToChangePassword = 0
    ForceLogoffWhenHourExpire = 0
    ClearTextPassword = 0
    [Kerberos Policy]
    MaxTicketAge = 10
    MaxRenewAge = 7
    MaxServiceAge = 600
    MaxClockSkew = 5
    TicketValidateClient = 1
    [Version]
    signature="$CHICAGO$"
    Revision=1 
  4. On the File menu, click Save, and then click Exit.

    Note The permissions settings that result from this procedure are the same as the permissions that are compatible with pre-Microsoft Windows 2000 users and permissions that are compatible only with Windows 2000 users.

Edit the Gpt.ini File

The Gpt.ini file controls the GPO template version numbers. You must edit the Gpt.ini file to increase the GPO template version number. To do so:
  1. Start Windows Explorer and open the following folder, where Sysvol_path is the path of the Sysvol folder:
    Sysvol_path \Sysvol\Domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
    Note The default path of the Sysvol folder is %SystemRoot%\Sysvol.
  2. Right-click Gpt.ini, and then click Open.
  3. Increase the version number to a number that is sufficient to guarantee that typical replication does not outdate the new version number before the policy is reset. Increment the number either by adding the number "0" to the end of the version number or the number "1" to the beginning of the version number.
  4. On the File menu, click Save, and then click Exit.

Use GPUpdate to Refresh the Group Policy

Apply the new GPO by using the GPUpdate tool to manually reapply all policy settings. To do so:
  1. Click Start, and then click Run.
  2. In the Open box, type cmd, and then click OK.
  3. At the command prompt, type the following line, and then press ENTER:
    GPUpdate /Force
  4. Type exit and then press ENTER to quit the command prompt.

    Note To look for errors in policy processing, review the event log.
Use Event Viewer to verify that the GPO was successfully applied. To do so:
  1. Click Start, point to Administrative Tools, and then click Event Viewer.
  2. Click Application.

    Look for Event ID 1704 to verify that the GPO was successfully applied.

REFERENCES

For additional information about refreshing policy settings, click the following article number to view the article in the Microsoft Knowledge Base:
298444 A Description of the Group Policy Update Utility

Properties

Article ID: 324800 - Last Review: December 3, 2007 - Revision: 8.4
APPLIES TO
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Small Business Server 2003 Standard Edition
  • Microsoft Windows Small Business Server 2003 Premium Edition
Keywords: 
kbmgmtservices kbhowto kbhowtomaster kbnetwork KB324800

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com