User rights assignment policy settings do not apply successfully to Windows Server 2003 computers


Symptoms


Consider the following scenario:

A Group Policy Object (GPO) has user rights assignments defined and is linked to an organizational unit (OU) in Active Directory. You notice that the user rights assignment policy settings are not being applied successfully. When you open the Resultant Set of Policy snap-in (RSOP.msc) on Windows Server 2003 member servers to which the policy should apply, you see a red X for the user rights assignments that are defined in the GPO. The user rights assignments are located in the following location:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Users Rights Assignment

Cause


Registry keys are missing under the following registry location, where <SID> represents a security identifier.

HKEY_LOCAL_MACHINE\Security\Policy\Accounts\<SID>

Resolution


Use the following steps to resolve the issue:

  1. Run the Psexec tool to launch the Registry Editor (Regedit.exe) under the system security context.

    psexec -s -i regedit.exe

    The Psexec tool is available from the following location on the Microsoft web site:

    http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

  2. Navigate to the registry location below and highlight the SID that is missing subkeys and delete it.

  3. Run the Gpupdate tool from a command prompt to refresh the policy. The user rights will apply successfully and will no longer show a red X in RSOP.msc.

    gpupdate /force