JSI Tip 3329. How do I reset User Rights in the Default Domain Group Policy?

Jerold Schulman

February 1, 2001



In tip 2949 How do I reset User Rights in the Default Domain Controllers GPO?, we reset the user rights in the default domain controller GPO (Group Policy Object).

If you have changed the default settings for user rights in the default domain GPO, you may experience unexpected or undesirable effects.

If you manually altered the Sysvol or restored it from a backup, you may experience the same symptoms.

To reset the user rights for the default Domain GPO:

1. Back up the GptTmpl.inf file in the Default Domain GPO folder of the Sysvol. Mine is located at:

%SystemRoot%\sysvol\sysvol\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf

2. To reset the user rights to the default settings, replace the existing content of the [Unicode], [System Access], [Kerberos Policy], and [Version] sections of the GptTmpl.inf file with the content listed below. You MUST remove the [Privilege Rights] section and its entries. You may elect to retain the [Event Audit] and [Registry Values] sections if they are present and represent the desired settings.

Default Domain GPO Settings:

[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 1
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
ClearTextPassword = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
Revision=1

3. After making the changes, you must increment the group policy version by opening the Gpt.ini file at
%SystemRoot%\sysvol\sysvol\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}. It is best to multiply the version by 10 to ensure it does not become outdated before the policy can be applied.

4. Save and close the Gpt.ini file.

5. Apply the new group policy by running secedit /refreshpolicy machine_policy /enforce.
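
The following check is an added example, not part of the original tip: run against copies of the edited files before step 5, it lists every setting that still differs from the listing in step 2, flags a leftover [Privilege Rights] section, and applies the step 3 multiplication to Gpt.ini. The function names and the sample text are constructed for illustration, and the Version= key name in Gpt.ini is an assumption, since the tip does not show that file.

```python
import re
# Defaults copied from the tip's "Default Domain GPO Settings" listing.
DEFAULTS = {
    "Unicode": {"Unicode": "yes"},
    "System Access": {
        "MinimumPasswordAge": "0", "MaximumPasswordAge": "42",
        "MinimumPasswordLength": "0", "PasswordComplexity": "0",
        "PasswordHistorySize": "1", "LockoutBadCount": "0", "ClearTextPassword": "0",
        "RequireLogonToChangePassword": "0", "ForceLogoffWhenHourExpire": "0"},
    "Kerberos Policy": {
        "MaxTicketAge": "10", "MaxRenewAge": "7", "MaxServiceAge": "600",
        "MaxClockSkew": "5", "TicketValidateClient": "1"},
    "Version": {"signature": '"$CHICAGO$"', "Revision": "1"},
}

def parse_inf(text):
    """Return {section: {key: value}}; names are lower-cased so lookups ignore case."""
    sections, current = {}, None
    for line in text.lstrip("\ufeff").splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def audit_gpttmpl(text):
    """List every way the file still differs from what step 2 asks for."""
    found, problems = parse_inf(text), []
    if "privilege rights" in found:
        problems.append("[Privilege Rights] is still present")
    for section, expected in DEFAULTS.items():
        actual = found.get(section.lower())
        if actual is None:
            problems.append(f"[{section}] is missing")
            continue
        for key, value in expected.items():
            if (got := actual.get(key.lower())) != value:
                problems.append(f"[{section}] {key} is {got!r}, expected {value!r}")
    return problems

def bump_gpt_ini(text):
    """Step 3: multiply the Version= value in Gpt.ini by 10 (key name assumed)."""
    return re.sub(r"(?im)^(\s*Version\s*=\s*)(\d+)",
                  lambda m: m.group(1) + str(int(m.group(2)) * 10), text)

# Constructed sample, not a real policy file: one changed value plus leftover rights.
SAMPLE = "[System Access]\nMinimumPasswordLength = 8\n[Privilege Rights]\nSeBackupPrivilege = *S-1-5-32-544\n"
```

An empty list from audit_gpttmpl means the four sections match the tip's defaults and no [Privilege Rights] section remains; the optional [Event Audit] and [Registry Values] sections are ignored.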

