In "Don't Shoot Yourself in the Foot with Group Policy Security Settings, Part 1," http://www.winnetmag.com, InstantDoc ID 21656, you warned that within Group Policy Objects (GPOs) that are applied to domain controllers (DCs), removing all users and groups from the Access this computer from the network user right or assigning all users the Deny access to this computer from the network user right can cause severe problems. Can I manually grant the Access this computer from the network right to users without using a GPO?
The problems associated with removing all users and groups from the Access this computer from the network user right or assigning all users the Deny access to this computer from the network user right include preventing administrators—even those who are logged on locally—from running administrative tools, such as DNS Manager and the Microsoft Management Console (MMC) Active Directory Users and Computers, Active Directory Domains and Trusts, Active Directory Sites and Services, and Group Policy snap-ins. However, Microsoft has documented a way to manually edit gpttmpl.inf, the file that maintains rights assignments in a GPO, to grant the Access this computer from the network right to users on the DC.
At a DC console, log on as a member of Domain Admins, open Windows Explorer, navigate to %winroot%\Sysvol\Sysvol\Domainname\Policies, and examine the subfolders. Each subfolder in the Policies folder corresponds to a GPO in your domain. However, the subfolder names don't correspond to the GPO names. Rather, each subfolder derives its name from the corresponding GPO's globally unique identifier (GUID)—a complex string that looks something like \{31B2F340-016D-11D2-945F-00C04FB984F9\}. Without being able to open the Active Directory Users and Computers snap-in, you can't easily obtain a GPO's GUID, so you'll need to do some detective work to determine the GUID of the GPO you're interested in. Within each GPO subfolder, you'll find gpttmpl.inf in Machine\Microsoft\Windows NT\SecEdit, as Figure 1 shows. You need to determine which subfolder corresponds to the GPO that restricts the Access this computer from the network right and edit that folder's gpttmpl.inf file. If you can't figure out the correct subfolder to edit, you can simply edit temporarily every GPO's gpttmpl.inf file.
Use Notepad to open the file, then look for a line that starts with SeNetworkLogonRight=. In this line, the GPO stores assignments for the Access this computer from the network right. Replace everything after the equals sign (=) with the string *S-1-1-0, which corresponds to the SID of the Everyone group. Then, look for a line that starts with SeDenyNetworkLogonRight=. The GPO stores assignments for the Deny access to this computer from the network right in this line. Delete everything after the equals sign on that line. (Policies that don't contain either of these lines are configured as Not defined in the GPO.) Save and close gpttmpl.inf.
Next, open the gpt.ini subfolder in the GPO's folder. You'll find a line that starts with Version=. Increment the number that follows the equals sign, then save and close the file.
Finally, run the command
secedit /refreshpolicy machine_policy /enforce
from the command line to force the DC to reapply Group Policy and thus update the rights assignments. After you log off and log back on to the DC, you should be able to run the Active Directory Users and Computers snap-in and other tools that depend on the Access this computer from the network right. For more details, see the Microsoft articles "'Access This Computer from the Network' User Right Causes Tools Not to Work" (http://support.microsoft.com/?kbid=257346), "Using Secedit.exe to Force Group Policy to Be Applied Again" (http://support.microsoft.com/?kbid=227448), and "Replication Does Not Work After Upgrading to Windows 2000" (http://support.microsoft.com/?kbid=249261).
