Click here to get back home

Reset Group Policy back to out of the box default
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
Reset Group Policy back to out of the box default seh 08-28-2006
Posted by seh on August 28, 2006, 11:19 am
Please log in for more thread options
 Does anyone know how to reset the policy settings back to the default out of
the box settings? We had a "power user" decide he needed to update his stand
alone server with member server updates. Now everyone is locked out and
unable to log in. I can map a drive to the box and connect to the box w/
mmc. I've ran ntrights to add LogonRights, but it still fails. It cycles
between to errors, Policy doesn't allow you to log on locally and Not in the
Allow Remote Login.
Any suggestions?
Thanks,
seh

Posted by Ben Miller on August 28, 2006, 11:33 am
Please log in for more thread options
 Seh,

This link might be able to provide some insight:

http://support.microsoft.com/?id=226243

On a side note, I think that I would revoke this users "Power User"
privileges.

Hope this helps!

-Ben

"seh" wrote:

> Does anyone know how to reset the policy settings back to the default out of
> the box settings? We had a "power user" decide he needed to update his stand
> alone server with member server updates. Now everyone is locked out and
> unable to log in. I can map a drive to the box and connect to the box w/
> mmc. I've ran ntrights to add LogonRights, but it still fails. It cycles
> between to errors, Policy doesn't allow you to log on locally and Not in the
> Allow Remote Login.
> Any suggestions?
> Thanks,
> seh

Posted by Steven L Umbach on August 28, 2006, 1:11 pm
Please log in for more thread options
Good thought but he is talking about a non domain computer.

Steve


> Seh,
>
> This link might be able to provide some insight:
>
> http://support.microsoft.com/?id=226243
>
> On a side note, I think that I would revoke this users "Power User"
> privileges.
>
> Hope this helps!
>
> -Ben
>
> "seh" wrote:
>
>> Does anyone know how to reset the policy settings back to the default out
>> of
>> the box settings? We had a "power user" decide he needed to update his
>> stand
>> alone server with member server updates. Now everyone is locked out and
>> unable to log in. I can map a drive to the box and connect to the box w/
>> mmc. I've ran ntrights to add LogonRights, but it still fails. It
>> cycles
>> between to errors, Policy doesn't allow you to log on locally and Not in
>> the
>> Allow Remote Login.
>> Any suggestions?
>> Thanks,
>> seh



Posted by Steven L Umbach on August 28, 2006, 1:10 pm
Please log in for more thread options
Assuming you have access to the server over the network as an administrator
as evidenced by your ability to access and administrative share such as C$
then NTRights should work. Keep in mind that the privilege you specify with
NTRights is case sensitive which means that SeInteractiveLogonRight and
SeDenyInteractiveLogonRight need to be typed exactly as shown. Also the
server may need to be rebooted after changing user rights. I would try
giving everyone +r SeInteractiveLogonRight and then grant everyone, users,
authenticated users, and administrators -r SeInteractiveLogonRight as any
user that is included in deny logon user right will not be allowed to logon
even if they have allow user right. If none of that helps you could also try
using psexec from SysInternals/Microsoft to access the command prompt on the
locked out server and use secedit to reset user rights back to default
defined levels being sure to add areas / user_rights to the end of the
command as shown in the KB article below. If you don't specify /areas the
command will disable many critical services on Windows 2003.

Steve

http://www.sysinternals.com/Utilities/PsExec.html --- psexec
http://support.microsoft.com/default.aspx?scid=kb;EN-US;313222

> Does anyone know how to reset the policy settings back to the default out
> of
> the box settings? We had a "power user" decide he needed to update his
> stand
> alone server with member server updates. Now everyone is locked out and
> unable to log in. I can map a drive to the box and connect to the box w/
> mmc. I've ran ntrights to add LogonRights, but it still fails. It cycles
> between to errors, Policy doesn't allow you to log on locally and Not in
> the
> Allow Remote Login.
> Any suggestions?
> Thanks,
> seh



Posted by seh on August 28, 2006, 3:18 pm
Please log in for more thread options
Steve,
Thanks for the info. I've tried the +r SeInteractive and -r SeDeny for
admin. I'll try it for all other groups as well. I'm assuming in your
response, for the -r it would be SeDenyInteractive...?
Thanks,
seh

"Steven L Umbach" wrote:

> Assuming you have access to the server over the network as an administrator
> as evidenced by your ability to access and administrative share such as C$
> then NTRights should work. Keep in mind that the privilege you specify with
> NTRights is case sensitive which means that SeInteractiveLogonRight and
> SeDenyInteractiveLogonRight need to be typed exactly as shown. Also the
> server may need to be rebooted after changing user rights. I would try
> giving everyone +r SeInteractiveLogonRight and then grant everyone, users,
> authenticated users, and administrators -r SeInteractiveLogonRight as any
> user that is included in deny logon user right will not be allowed to logon
> even if they have allow user right. If none of that helps you could also try
> using psexec from SysInternals/Microsoft to access the command prompt on the
> locked out server and use secedit to reset user rights back to default
> defined levels being sure to add areas / user_rights to the end of the
> command as shown in the KB article below. If you don't specify /areas the
> command will disable many critical services on Windows 2003.
>
> Steve
>
> http://www.sysinternals.com/Utilities/PsExec.html --- psexec
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;313222
>
> > Does anyone know how to reset the policy settings back to the default out
> > of
> > the box settings? We had a "power user" decide he needed to update his
> > stand
> > alone server with member server updates. Now everyone is locked out and
> > unable to log in. I can map a drive to the box and connect to the box w/
> > mmc. I've ran ntrights to add LogonRights, but it still fails. It cycles
> > between to errors, Policy doesn't allow you to log on locally and Not in
> > the
> > Allow Remote Login.
> > Any suggestions?
> > Thanks,
> > seh
>
>
>

Similar ThreadsPosted
secpol on DC vs. Default Domain Policy? November 30, 2006, 6:12 pm
Default Domain Controllers Policy scope May 15, 2006, 11:26 am
Default Domain Users group March 24, 2008, 1:59 pm
Default domain controllers policy not applied to my server (2k3 sbs) January 3, 2006, 8:32 am
possible to change Default Share Permission for Group "Everyone"? June 6, 2005, 1:26 pm
XP 64 OS reset Administrator Password with reset CD? March 28, 2006, 1:10 pm
Group Policy???? June 26, 2005, 11:39 am
Group Policy April 25, 2006, 11:58 pm
Group Policy May 7, 2007, 3:57 pm
Set MaximumDynamicBacklog via Group Policy? October 26, 2005, 11:12 am

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap