JSI Tip 3329. How do I reset User Rights in the Default Domain Group Policy?

In tip 2949 ยป How do I reset User Rights in the Default Domain Controllers GPO?, we reset the user rights in the default domain controller GPO ( Group Policy Object).

If you have changed the default settings for user rights in the default domain GPO, you may experience unexpected or undesireable effects.

If you manually altered the Sysvol or restored it from a backup, you may experience the same symptoms.

To reset the user rights for the default Domain GPO:

1. Backup the GptTmpl.inf file in the Default Domain GPO folder of the Sysvol. Mine is located at:

%SystemRoot%\sysvol\sysvol\<Domain Name>\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9\}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
2. To reset the user rights to the default settings, replace the existing content of the \[Unicode\], \[System Access\], \[Kerberos Policy\], and \[Version\] sections of the Gpttmpl.inf file with the content listed below. You MUST remove the \[Privilege Rights\] section and entries. You may elect to retain the \[Event Audit\] and \[Registry Values\] sections, if they are present, and represent the desired settings.

Default Domain GPO Settings:

\[System Access\]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 1
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
ClearTextPassword = 0
\[Kerberos Policy\]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
3. After making the changes, you must increment the group policy version by opening the Gpt.ini file at
%SystemRoot%\sysvol\sysvol\<Domain Name>\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9\}. It is best to multiply the version by 10 to insure it does not become outdated before the policy can be applied.

4. Save and close the Gpt.ini file.

5. Apply the new group policy by running secedit /refreshpolicy machine_policy /enforce.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.