Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Domain Controller's Log on Locally rights removed or set to "Not Configured".


Author: Nirmal Sharma MVP

View products that this article applies to.

Summary

In a situation where you have accidentally locked yourself. You have removed Domain Controller's policy: "Log On Locally" and no one is allowed to log on locally on the domain controller.

↑ Back to the top


Symptoms

In a situation where you have�accidentally locked yourself. You have removed Domain Controller's policy: "Log On Locally" and no one is allowed to log on locally on the domain controller. There are few methods that you can use to retrieve the logon rights back.

↑ Back to the top


Resolution

This is only possible if you are facing problems logging on locally. If you have accidentally removed the following rights or have denied yourself then there is no way to make DC operable in this case � but there is way!

Access This Computer From Network
Deny Access This Computer From Network

Okay, let�s talk about �Log on Locally� right and how to get it back.

You can use the following methods outlined below to get it back on track:

Users or Administrators should be able to access this computer remotely as long as the �Access This Computer From Network� logon right is enabled and configured properly.

Method 1

1. Go to a Workstation (XP) or Windows Server
2. Open Active Directory Users and Computers.
3. Right Click on Domain Controllers OU > Property > Group Policy Tab.
4. Change the setting in there for "Log on locally" right.
5. Run PSEXEC to enforce policies on DC.

���������� PSEXEC \\Dc_name secedit /refreshpolicy user_policy
�����������PSEXEC \\Dc_name secedit /refreshpolicy machine_policy

6. Wait for five minutes.
7. Now try to log on to DC locally.

Everything should work.

Method 2

If problem still persists you can follow the steps listed below to manually reset it.

1. Go to a Working DC.
2. Go to SYSVOL.
3. Look for two GPO in there:

Domain GPO GUID {31B2F340-016D-11D2-945F-00C04FB984F9}
DC GPO GUID {31B2F210-016D-11D2-945F-00C04FB981F1} � � � � switch to this one - This is the Default DC GPO.

4. Copy the contents.
5. Access remote computers C:\ drive.
6. Switch to SYSVOL share.
7. Look for two GPO in there:

Domain GPO GUID {31B2F340-016D-11D2-945F-00C04FB984F9}
DC GPO GUID {31B2F210-016D-11D2-945F-00C04FB981F1} � � � �Double click to open this folder.

6. Paste the contents here.
7. Now run PSEXEC command with Secedit to enforce policies.

Please note copying GPO from one DC to another will cause your all settings to be removed.

↑ Back to the top


More information

Please check Sysinternals at Microsoft site for PSEXEC:

http://www.microsoft.com/technet/sysinternals/default.mspx

↑ Back to the top


Community solutions content disclaimer

Microsoft corporation and/or its respective suppliers make no representations about the suitability, reliability, or accuracy of the information and related graphics contained herein. All such information and related graphics are provided "as is" without warranty of any kind. Microsoft and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information and related graphics, including all implied warranties and conditions of merchantability, fitness for a particular purpose, workmanlike effort, title and non-infringement. You specifically agree that in no event shall Microsoft and/or its suppliers be liable for any direct, indirect, punitive, incidental, special, consequential damages or any damages whatsoever including, without limitation, damages for loss of use, data or profits, arising out of or in any way connected with the use of or inability to use the information and related graphics contained herein, whether based on contract, tort, negligence, strict liability or otherwise, even if Microsoft or any of its suppliers has been advised of the possibility of damages.

↑ Back to the top


Keywords: kbpubmvp, kbpubtypecca, kbhowto, KB555845

↑ Back to the top

Article Info
Article ID : 555845
Revision : 1
Created on : 1/10/2007
Published on : 1/10/2007
Exists online : False
Views : 403