Q

Restoring the domain Group Policy

I recently changed the domain controller Group Policy setting on Windows 2003 Server. Then, I undid the changes that I had made. Now I keep getting the following error message every time I use remote desktop to connect: "The local policy of this system does not allow you to log on interactively." All security settings are back to default (non-configured state). I can connect locally, but even user administrator gets that error for remote desktop log on. I have checked and domainadministrator is included in the user list allowed to access this server through remote desktop. So, what is the problem? Is there a way to reset any corrupt, top level domain group policy setting in the Active Directory without losing all the user names, etc.?

You say you've returned settings to "not configured," but you don't elaborate. Many Group Policy settings affect remote assistance. They may or may not have been set specifically to affect remote assistance. Assuming you are the only one with rights to do so, is it possible that you have not "undone" something you set? Have you checked the settings under "security settings -- local policies -- user rights assignment -- log on locally?" This right is required for remote desktop access. This setting is also required, "security settings -- local policies -- user rights -- access this computer from the network."

Also check "security settings -- local policies -- user rights -- allow log on through terminal services" and the "deny" user rights for these rights. Are both administrative templates -- system -- remote assistance -- solicited remote assistance and administrative templates -- system -- remote assistance -- offer remote assistance settings properly configured?

Have you waited or used gpupdate to speed the processing of Group Policy application? Changes made in GPOs must replicate to domain controllers and then be downloaded to clients. The time that this will take depends on your network and on replication latency. It is also dependent on the client computer authenticating to the DC.

Use GPMC; first to evaluate your domain policy (only those policy settings set will be shown in the settings page ... perhaps you can more easily see a setting that may be interfering) and second to do a Group Policy results ... if the settings all look correct, is the client getting the policy downloaded? Is it being modified by a GPO set on an OU?

The dcgpofix.exe tool is a tool that may be used to restore the domain Group Policy. However, you should use caution using the tool, because it cannot restore your default settings exactly. See Microsoft Knowledge Base article 833783 for more information.

Also consider these best practices:

1. Use GPMC to back up all GPOs before making changes. This way you can easily restore them.
2. Never directly modify the domain default GPO or the domain controller default GPO. Instead, make changes to a new GPO (then it's easy to just delete the GPO).

This was first published in October 2004
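
The user rights named in the answer can be read back from the server's effective security policy rather than checked one by one in the editor. The following PowerShell script is an added example, not part of the original answer: it exports the rights with `secedit` and reports who holds each logon right and whether a broad group sits in a "deny" right. It assumes PowerShell 2.0 or later is installed on the server and that it runs in an elevated session; the scratch file path and the list of SIDs treated as "broad" are choices made for this example.

```powershell
# Added example, not from the original answer. Run elevated on the affected server.
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # assumed scratch path
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null

# Privilege constants for the three rights in the answer and their "deny" counterparts.
$allow = @{
    'SeInteractiveLogonRight'       = 'Log on locally'
    'SeNetworkLogonRight'           = 'Access this computer from the network'
    'SeRemoteInteractiveLogonRight' = 'Allow log on through Terminal Services'
}
$deny = @{
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeDenyNetworkLogonRight'           = 'Deny access to this computer from the network'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Terminal Services'
}
# Well-known SIDs flagged when found in a deny right (list chosen for this example):
# Everyone, Authenticated Users, BUILTIN\Administrators.
$broad = @('*S-1-1-0', '*S-1-5-11', '*S-1-5-32-544')

# secedit writes lines such as: SeNetworkLogonRight = *S-1-5-32-544,DOMAIN\user
$assigned = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
        $assigned[$matches[1]] = @($matches[2].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
}

foreach ($name in $allow.Keys) {
    if ($assigned.ContainsKey($name) -and $assigned[$name].Count -gt 0) {
        '{0,-34} {1}' -f $name, ($assigned[$name] -join ', ')
    } else {
        "WARNING: nobody holds $name ($($allow[$name]))"
    }
}
foreach ($name in $deny.Keys) {
    if (-not $assigned.ContainsKey($name)) { continue }   # right not assigned to anyone
    $hits = @($assigned[$name] | Where-Object { $broad -contains $_ })
    if ($hits.Count -gt 0) {
        "WARNING: $name ($($deny[$name])) includes $($hits -join ', ')"
    }
}
Remove-Item $cfg
```

After correcting a GPO, run `gpupdate /force` on the server and rerun the script to confirm the change has been applied.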
