JSI Tip 2949. How do I reset User Rights in the Default Domain Controllers GPO?


In tip 2714, I described how to reset the default NTFS permissions.

If you have mistakenly altered the default User Rights, you may experience strange results. Resetting the User Rights requires:

1. Backing up and then editing the GptTmpl.inf file in the Group Policy folder of the Sysvol. Mine is located at:

%SystemRoot%\sysvol\sysvol\<Domain Name>\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf

To reset the User Rights, replace the contents of GptTmpl.inf with one of the following, depending on your installation:

Permissions Compatible with Pre-Windows 2000 Users

   [Unicode]
   Unicode=yes
   [Event Audit]
   AuditSystemEvents = 0
   AuditLogonEvents = 0
   AuditObjectAccess = 0
   AuditPrivilegeUse = 0
   AuditPolicyChange = 0
   AuditAccountManage = 0
   AuditProcessTracking = 0
   AuditDSAccess = 0
   AuditAccountLogon = 0
   [Privilege Rights]
   SeAssignPrimaryTokenPrivilege =
   SeAuditPrivilege =
   SeBackupPrivilege = *S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
   SeBatchLogonRight = 
   SeChangeNotifyPrivilege = *S-1-5-11,*S-1-5-32-544,*S-1-1-0
   SeCreatePagefilePrivilege = *S-1-5-32-544
   SeCreatePermanentPrivilege =
   SeCreateTokenPrivilege =
   SeDebugPrivilege = *S-1-5-32-544
   SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
   SeIncreaseQuotaPrivilege = *S-1-5-32-544
   SeInteractiveLogonRight = *S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-544
   SeLoadDriverPrivilege = *S-1-5-32-544
   SeLockMemoryPrivilege =
   SeMachineAccountPrivilege = *S-1-5-11  
   SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544,*S-1-1-0
   SeProfileSingleProcessPrivilege = *S-1-5-32-544
   SeRemoteShutdownPrivilege = *S-1-5-32-549,*S-1-5-32-544
   SeRestorePrivilege = *S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
   SeSecurityPrivilege = *S-1-5-32-544
   SeServiceLogonRight =
   SeShutdownPrivilege = *S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-544
   SeSystemEnvironmentPrivilege = *S-1-5-32-544
   SeSystemProfilePrivilege = *S-1-5-32-544
   SeSystemTimePrivilege = *S-1-5-32-549,*S-1-5-32-544
   SeTakeOwnershipPrivilege = *S-1-5-32-544
   SeTcbPrivilege =
   SeDenyInteractiveLogonRight =
   SeDenyBatchLogonRight =
   SeDenyServiceLogonRight =
   SeDenyNetworkLogonRight =
   SeUndockPrivilege = *S-1-5-32-544
   SeSyncAgentPrivilege =
   SeEnableDelegationPrivilege = *S-1-5-32-544
   [Version]
   signature="$CHICAGO$"
   Revision=1
   [Registry Values]
   MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
NOTE: If IIS is installed, add:
   SeBatchLogonRight = IWAM_<servername>,IUSR_<servername>
   SeInteractiveLogonRight = IUSR_<servername>
   SeNetworkLogonRight = IWAM_<servername>,IUSR_<servername>
NOTE: If Terminal Services is installed, add:
   SeInteractiveLogonRight = TsInternetUser 

Permissions Compatible Only with Windows 2000 Users

   [Unicode]
   Unicode=yes 
   [Event Audit]
   AuditSystemEvents = 0
   AuditLogonEvents = 0
   AuditObjectAccess = 0
   AuditPrivilegeUse = 0
   AuditPolicyChange = 0
   AuditAccountManage = 0
   AuditProcessTracking = 0
   AuditDSAccess = 0  
   AuditAccountLogon = 0
   [Privilege Rights]
   SeAssignPrimaryTokenPrivilege =
   SeAuditPrivilege =
   SeBackupPrivilege = *S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
   SeBatchLogonRight = 
   SeChangeNotifyPrivilege = *S-1-5-11,*S-1-5-32-544,*S-1-1-0
   SeCreatePagefilePrivilege = *S-1-5-32-544
   SeCreatePermanentPrivilege =
   SeCreateTokenPrivilege =
   SeDebugPrivilege = *S-1-5-32-544
   SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
   SeIncreaseQuotaPrivilege = *S-1-5-32-544
   SeInteractiveLogonRight = *S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-544
   SeLoadDriverPrivilege = *S-1-5-32-544
   SeLockMemoryPrivilege =
   SeMachineAccountPrivilege = *S-1-5-11
   SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544,*S-1-1-0
   SeProfileSingleProcessPrivilege = *S-1-5-32-544
   SeRemoteShutdownPrivilege = *S-1-5-32-549,*S-1-5-32-544
   SeRestorePrivilege = *S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
   SeSecurityPrivilege = *S-1-5-32-544
   SeServiceLogonRight =
   SeShutdownPrivilege = *S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-544
   SeSystemEnvironmentPrivilege = *S-1-5-32-544
   SeSystemProfilePrivilege = *S-1-5-32-544
   SeSystemTimePrivilege = *S-1-5-32-549,*S-1-5-32-544
   SeTakeOwnershipPrivilege = *S-1-5-32-544
   SeTcbPrivilege =
   SeDenyInteractiveLogonRight =
   SeDenyBatchLogonRight =
   SeDenyServiceLogonRight =
   SeDenyNetworkLogonRight =
   SeUndockPrivilege = *S-1-5-32-544
   SeSyncAgentPrivilege =
   SeEnableDelegationPrivilege = *S-1-5-32-544
   [Version]
   signature="$CHICAGO$"
   Revision=1
   [Registry Values]
   MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
NOTE: If IIS is installed, add:
   SeBatchLogonRight = IWAM_<servername>,IUSR_<servername>
   SeInteractiveLogonRight = IUSR_<servername>
   SeNetworkLogonRight = IWAM_<servername>,IUSR_<servername>
NOTE: If Terminal Services is installed, add:
   SeInteractiveLogonRight = TsInternetUser

2. Save and close the GptTmpl.inf file.

3. Increment the group policy version by opening the Gpt.ini file at %SystemRoot%\sysvol\sysvol\<Domain Name>\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}. It is best to multiply the version by 10 to ensure it does not become outdated before the policy can be applied.

4. Save and close the Gpt.ini file.

5. Open a CMD prompt and type:

secedit /refreshpolicy machine_policy /enforce

6. Check the Application event log for Event ID 1704 to verify that the policy has been propagated.
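Before overwriting GptTmpl.inf in step 1 it is worth knowing exactly which rights drifted, and after step 2 it is worth confirming the file matches the template. The script below is an added example, not part of the original tip: it parses the [Privilege Rights] section of a GptTmpl.inf, reports every right whose grantees differ from the template above, and computes the bumped Gpt.ini version for step 3. All inputs (the drifted snapshot and the Gpt.ini text) are constructed. One refinement over the tip's wording: the Gpt.ini Version value packs the user-settings version in the high 16 bits and the computer-settings version in the low 16 bits, so the factor of 10 is applied to the computer half only and the user half is left unchanged.

```python
"""Added example (not from the tip): check a GptTmpl.inf [Privilege Rights]
section against the tip's reset template and bump the Gpt.ini version (step 3).
Assumes file text is already read in (real GptTmpl.inf files are UTF-16, so
open them with encoding="utf-16"); all sample inputs below are constructed."""
import configparser
import re

# [Privilege Rights] exactly as in the tip's template (identical in both variants).
BASELINE_INF = """
[Privilege Rights]
SeAssignPrimaryTokenPrivilege =
SeAuditPrivilege =
SeBackupPrivilege = *S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
SeBatchLogonRight =
SeChangeNotifyPrivilege = *S-1-5-11,*S-1-5-32-544,*S-1-1-0
SeCreatePagefilePrivilege = *S-1-5-32-544
SeCreatePermanentPrivilege =
SeCreateTokenPrivilege =
SeDebugPrivilege = *S-1-5-32-544
SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
SeIncreaseQuotaPrivilege = *S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-544
SeLoadDriverPrivilege = *S-1-5-32-544
SeLockMemoryPrivilege =
SeMachineAccountPrivilege = *S-1-5-11
SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544,*S-1-1-0
SeProfileSingleProcessPrivilege = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-549,*S-1-5-32-544
SeRestorePrivilege = *S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
SeSecurityPrivilege = *S-1-5-32-544
SeServiceLogonRight =
SeShutdownPrivilege = *S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-544
SeSystemEnvironmentPrivilege = *S-1-5-32-544
SeSystemProfilePrivilege = *S-1-5-32-544
SeSystemTimePrivilege = *S-1-5-32-549,*S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeTcbPrivilege =
SeDenyInteractiveLogonRight =
SeDenyBatchLogonRight =
SeDenyServiceLogonRight =
SeDenyNetworkLogonRight =
SeUndockPrivilege = *S-1-5-32-544
SeSyncAgentPrivilege =
SeEnableDelegationPrivilege = *S-1-5-32-544
"""

# Constructed drift: Everyone (S-1-1-0) added to SeDebugPrivilege, Backup Operators
# (S-1-5-32-551) dropped from SeBackupPrivilege, one right deleted, one unknown right added.
DRIFTED_INF = (
    BASELINE_INF.replace("SeDebugPrivilege = *S-1-5-32-544",
                         "SeDebugPrivilege = *S-1-5-32-544,*S-1-1-0")
    .replace("SeBackupPrivilege = *S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544",
             "SeBackupPrivilege = *S-1-5-32-549,*S-1-5-32-544")
    .replace("SeEnableDelegationPrivilege = *S-1-5-32-544\n", "")
    + "SeRemoteInteractiveLogonRight = *S-1-5-32-544\n"
)

# Constructed Gpt.ini: 65539 = user version 1 (high 16 bits), computer version 3 (low 16 bits).
GPT_INI = "[General]\nVersion=65539\ndisplayName=Default Domain Controllers Policy\n"

_VERSION_RE = re.compile(r"^(Version\s*=\s*)(\d+)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_privilege_rights(inf_text):
    """Map each right name to the frozenset of its grantees ('' means nobody)."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None, strict=False)
    cp.optionxform = str  # keep the Se* names case-sensitive
    cp.read_string(inf_text)
    return {name: frozenset(g.strip() for g in (value or "").split(",") if g.strip())
            for name, value in cp.items("Privilege Rights")}


def diff_privilege_rights(current, baseline):
    """Return (right, kind, grantees) findings; an empty list means the file matches."""
    findings = []
    for name in sorted(set(current) | set(baseline)):
        if name not in baseline:
            findings.append((name, "unexpected", sorted(current[name])))
        elif name not in current:
            findings.append((name, "missing", sorted(baseline[name])))
        else:
            if current[name] - baseline[name]:
                findings.append((name, "extra-grantees", sorted(current[name] - baseline[name])))
            if baseline[name] - current[name]:
                findings.append((name, "lost-grantees", sorted(baseline[name] - current[name])))
    return findings


def bump_gpt_version(gpt_ini_text, factor=10):
    """Multiply the computer-settings half of Version by `factor`; return (new_text, new_version)."""
    m = _VERSION_RE.search(gpt_ini_text)
    if m is None:
        raise ValueError("no Version= line found in Gpt.ini")
    old = int(m.group(2))
    user_half, machine_half = old >> 16, old & 0xFFFF
    new_machine = machine_half * factor
    if new_machine > 0xFFFF:  # a plain multiply would carry into the user half
        raise ValueError("computer version would overflow 16 bits; use a smaller factor")
    new = (user_half << 16) | new_machine
    return gpt_ini_text[:m.start(2)] + str(new) + gpt_ini_text[m.end(2):], new


if __name__ == "__main__":
    baseline = parse_privilege_rights(BASELINE_INF)
    for name, kind, grantees in diff_privilege_rights(parse_privilege_rights(DRIFTED_INF), baseline):
        print(f"{kind:15} {name}: {', '.join(grantees)}")
    print(bump_gpt_version(GPT_INI)[0])
```

Run it against the drifted snapshot and it lists the four deviations (extra grantee, lost grantee, a missing right, an unknown right); run it again after step 2 with the real file contents and an empty result confirms the template was written back intact before you move on to the Gpt.ini bump and `secedit`.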
