Group Policy disable the management tool


Guest

Hi, my friend's company has one domain controller, and he changed one of the domain controller policy settings. After that, he found no AD tool can be used (all of them with a red cross if you open). If you open the domain policy or domain controller policy, the error message is "The users has not been granted the requested logon type at this computer, failed to open the group policy object".

From the Local computer policy, I found there is one setting, "deny access to this computer from the network", that is applied to domain administrators. But it is impossible to change.

Anybody can help?

Thanks
 
You can fix this with the following steps:

1. Open the Gpttmpl.inf file in the following location:

\Winnt\Sysvol\Sysvol\<Domainname>\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\Secedit

2. Copy everything after SeInteractiveLogonRight=.

3. Paste the text you copied to SeNetworkLogonRight=.

4. Check the SeDenyNetworkLogonRight= and remove everything after =

5. Save the changes and close the file.

6. Refresh the security policy on the DC by opening a cmd prompt and
running the following command:

secedit /refreshpolicy machine_policy /enforce


--
Jimmy Harper [MSFT]
Directory Services
This posting is provided "AS IS" with no warranties, and confers no rights


 
Ju QI,

There are two ways to resolve this problem.

1. The easiest and quickest way to regain access to those group policies
will be to use ntrights from the Windows 2000 resource kit. The command
that you will use to remove the administrator from the "deny network logon
right" is
ntrights -u administrator -m \\computername -r SeDenyNetworkLogonRight.
This should temporarily allow you to log into the
server and manually edit its group policy.

2. You can directly edit the gpttmpl.inf file on the domain controller and
remove all SIDs associated with the SeDenyNetworkLogonRight. By default no
one is assigned the deny network logon right, so removing any SIDs that you
find in there will be fine. While you are in this gpttmpl.inf file, you may
also want to check the SeDenyInteractiveLogonRight and make sure that no
SIDs are listed there as well. After this you can reboot the domain
controller and you should be able to log on locally and over the network
again.

You can find the Default Domain Controller's gpttmpl.inf file in the
following location:

winnt\sysvol\sysvol\yourdomainname.com\policies\6AC1786C...\machine\Windows NT\secedit

Just for good measure, you might also want to check the default domain
policy to make sure that the deny network logon right is not set there as
well. Its gpttmpl.inf file can be found at this location:

winnt\sysvol\sysvol\yourdomainname.com\policies\31B2F340...\machine\Windows NT\secedit

I hope this helps.

Best Regards,


Ray Lava
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights
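
Both replies above come down to reading the logon-right entries in the [Privilege Rights] section of gpttmpl.inf. As an added example (not code from either poster or from Microsoft), the Python sketch below audits a copy of that file: it lists every principal in the two deny rights, marks well-known administrative SIDs, and reports accounts that hold interactive but not network logon. The function names, the sample file content and its domain SID are constructed for illustration, and the UTF-16 handling is an assumption about how the file was saved.

```python
# Added example: audit logon rights in a copy of gpttmpl.inf (all names are illustrative).
DENY_RIGHTS = ("SeDenyNetworkLogonRight", "SeDenyInteractiveLogonRight")
ADMIN_RIDS = ("-500", "-512", "-519")  # Administrator, Domain Admins, Enterprise Admins
BUILTIN_ADMINS = "S-1-5-32-544"        # BUILTIN\Administrators

# Constructed sample reproducing the lockout described in the thread.
SAMPLE_INF = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeNetworkLogonRight = *S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-512
SeDenyInteractiveLogonRight =
[Version]
Revision=1
"""

def decode_inf(data):
    """Decode raw file bytes; assumes UTF-16 when a BOM is present, UTF-8 otherwise."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8-sig", errors="replace")

def parse_privilege_rights(text):
    """Return {lowercased right name: [principals]} from [Privilege Rights] only."""
    rights, in_section = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            rights[name.strip().lower()] = [
                p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def is_admin(principal):
    # Only SIDs are classified; entries written as account names are reported unmarked.
    return principal == BUILTIN_ADMINS or (
        principal.startswith("S-1-5-21-") and principal.endswith(ADMIN_RIDS))

def audit(text):
    """Return (deny_findings, interactive_only) for the checks the replies describe."""
    rights = parse_privilege_rights(text)
    deny = [(r, p, is_admin(p)) for r in DENY_RIGHTS for p in rights.get(r.lower(), [])]
    network = rights.get("senetworklogonright", [])
    interactive_only = [p for p in rights.get("seinteractivelogonright", []) if p not in network]
    return deny, interactive_only

if __name__ == "__main__":
    print(audit(decode_inf(SAMPLE_INF.encode("utf-16"))))
```

Any entry in the first list means a deny right is populated, which the reply above says is not the default; an entry flagged `True` is the lockout condition from the original question.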


