Microsoft KB Archive/324800

= How To Reset User Rights in the Default Domain Group Policy in Windows Server 2003 =

Article ID: 324800

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Small Business Server 2003 Standard Edition
 * Microsoft Windows Small Business Server 2003 Premium Edition

-



This article was previously published under Q324800



For a Microsoft Windows 2000 version of this article, see 226243.

IN THIS TASK

 * SUMMARY
 * Reset User Rights for the Default Domain GPO
 * Edit the Gpttmpl.inf File
 * Edit the Gpt.ini File
 * Use GPUpdate to Refresh the Group Policy
 * REFERENCES



SUMMARY
This article describes how to reset user rights in the default domain Group Policy object (GPO) in Windows Server 2003. The default domain GPO contains many default user-rights settings. Sometimes, if you change the default settings, unexpected restrictions may be put on user rights. If the changes are unexpected or if the changes were not recorded so that you do not know which changes were made, you may have to reset the user-rights settings to their default values.

This situation may also occur if you manually rebuild the contents of the Sysvol folder, or if you restore it from a backup by using the steps that are included in the following Microsoft Knowledge Base article:

253268 Group Policy Error Message Without Appropriate Sysvol Contents

back to the top

Reset User Rights for the Default Domain GPO
To restore user rights to use the default settings for the default domain GPO, follow the procedures that are described in this section in the order that they are presented.

Warning Make sure that you use caution when you perform the following procedures. If you configure the GPO template incorrectly, you may cause your domain controllers to be inoperable.

back to the top

Edit the Gpttmpl.inf File
To edit the Gpttmpl.inf file, follow these steps.

Important Back up the Gpttmpl.inf file before you perform this procedure.  Start Windows Explorer and open the following folder, where  is the path of the Sysvol folder:

\Sysvol\ \Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit

Note The default path of the Sysvol folder is %SystemRoot%\Sysvol. Right-click Gpttmpl.inf, and then click Open.  To completely reset the user rights to the default settings, replace the existing information in the Gpttmpl.inf file with the following default user-rights information. To do so, paste the following text in the appropriate section of your current Gpttmpl.inf file: [Unicode] Unicode=yes [System Access] MinimumPasswordAge = 0 MaximumPasswordAge = 42 MinimumPasswordLength = 0 PasswordComplexity = 0 PasswordHistorySize = 1 LockoutBadCount = 0 RequireLogonToChangePassword = 0 ForceLogoffWhenHourExpire = 0 ClearTextPassword = 0 [Kerberos Policy] MaxTicketAge = 10 MaxRenewAge = 7 MaxServiceAge = 600 MaxClockSkew = 5 TicketValidateClient = 1 [Version] signature=&quot;$CHICAGO$&quot; Revision=1  On the File menu, click Save, and then click Exit.

Note The permissions settings that result from this procedure are the same as the permissions that are compatible with pre-Microsoft Windows 2000 users and permissions that are compatible only with Windows 2000 users.

back to the top

Edit the Gpt.ini File
The Gpt.ini file controls the GPO template version numbers. You must edit the Gpt.ini file to increase the GPO template version number. To do so:  Start Windows Explorer and open the following folder, where  is the path of the Sysvol folder:

\Sysvol\Domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}

Note The default path of the Sysvol folder is %SystemRoot%\Sysvol.</li> Right-click Gpt.ini, and then click Open.</li> Increase the version number to a number that is sufficient to guarantee that typical replication does not outdate the new version number before the policy is reset. Increment the number either by adding the number &quot;0&quot; to the end of the version number or the number &quot;1&quot; to the beginning of the version number.</li> On the File menu, click Save, and then click Exit.</li></ol>

back to the top

Use GPUpdate to Refresh the Group Policy
Apply the new GPO by using the GPUpdate tool to manually reapply all policy settings. To do so:  Click Start, and then click Run.</li> In the Open box, type cmd, and then click OK.</li> At the command prompt, type the following line, and then press ENTER:

GPUpdate /Force

</li> Type exit and then press ENTER to quit the command prompt.

Note To look for errors in policy processing, review the event log.</li></ol>

Use Event Viewer to verify that the GPO was successfully applied. To do so:
 * 1) Click Start, point to Administrative Tools, and then click Event Viewer.
 * 2) Click Application.

Look for Event ID 1704 to verify that the GPO was successfully applied.

back to the top

<div class="references_section">