Restoring the domain Group Policy

I recently changed the domain controller Group Policy setting on Windows 2003 Server. Then, I undid the changes that I had made. Now I keep getting the following error message every time I use remote desktop to connect: "The local policy of this system does not allow you to log on interactively." All security settings are back to default (non-configured state). I can connect locally, but even user administrator gets that error for remote desktop log on. I have checked and domainadministrator is included in the user list allowed to access this server through remote desktop. So, what is the problem? Is there a way to reset any corrupt, top level domain group policy setting in the Active Directory without losing all the user names, etc.?

You say you've returned settings to "not configured," but you don't elaborate. Many Group Policy settings affect remote assistance. They may or may not have been set specifically to affect remote assistance. Assuming you are the only one with rights to do so, is it possible that you have not "undone" something you set? Have you checked the settings under "security settings -- local policies -- user rights assignment -- log on locally?" This right is required for remote desktop access. This setting is also required, "security settings -- local policies -- user rights -- access this computer from the network."

Also check "security settings -- local policies -- user rights -- allow log on through terminal services" and the "deny" user rights for these rights. Are both administrative templates -- system -- remote assistance -- solicited remote assistance and administrative templates -- system -- remote assistance -- offer remote assistance settings properly configured?

Have you waited or used gpupdate to speed the processing of Group Policy application? Changes made in GPOs must replicate to domain controllers and then be downloaded to clients. The time that this will take depends on your network and on replication latency. It is also dependent on the client computer authenticating to the DC.

Use GPMC; first to evaluate your domain policy (only those policy settings set will be shown in the settings page ... perhaps you can more easily see a setting that may be interfering) and second to do a Group Policy results ... if the settings all look correct, is the client getting the policy downloaded? Is it being modified by a GPO set on an OU?

The dcgpofix.exe tool is a tool that may be used to restore the domain Group Policy. However, you should use caution using the tool, because it cannot restore your default settings exactly. See Microsoft Knowledge Base article 833783 for more information.

Also consider these best practices:


1. Use GPMC to back up all GPOs before making changes. This way you can easily restore them.
2. Never directly modify the domain default GPO or the domain controller default GPO. Instead, make changes to a new GPO (then it's easy to just delete the GPO).

This was last published in October 2004
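
The user-rights checks listed in the answer can be run in one pass. The script below is an added example, not part of the original article: it exports the user rights assignments from the server's security database with `secedit` and lists who holds each of the three logon rights and their "deny" counterparts. It assumes PowerShell is installed on the server and is run from an elevated prompt; the temporary file name and the helper `Resolve-Entry` are names chosen here.

```powershell
# Added example: list holders of the logon rights named in the answer above.
# Assumption: run elevated on the affected server; $cfg is a temp path chosen here.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$export = Get-Content $cfg

# Privilege constants as written in the secedit export, with their policy display names.
$rights = @(
    @('SeInteractiveLogonRight',           'Log on locally'),
    @('SeNetworkLogonRight',               'Access this computer from the network'),
    @('SeRemoteInteractiveLogonRight',     'Allow log on through Terminal Services'),
    @('SeDenyInteractiveLogonRight',       'Deny log on locally'),
    @('SeDenyNetworkLogonRight',           'Deny access to this computer from the network'),
    @('SeDenyRemoteInteractiveLogonRight', 'Deny log on through Terminal Services')
)

# Hypothetical helper: export entries are either account names or SIDs prefixed with '*'.
function Resolve-Entry([string]$entry) {
    $entry = $entry.Trim()
    if (-not $entry.StartsWith('*')) { return $entry }
    $sid = $entry.TrimStart('*')
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return "$sid (unresolved)"   # e.g. a deleted account or unreachable domain
    }
}

foreach ($r in $rights) {
    $name  = $r[0]
    $label = $r[1]
    $line  = $export | Where-Object { $_ -match "^$name\s*=" } | Select-Object -First 1
    if ($line) {
        $members = ($line -split '=', 2)[1] -split ',' | ForEach-Object { Resolve-Entry $_ }
    } else {
        $members = @('(no entry in the export)')
    }
    "{0} [{1}]" -f $label, $name
    $members | ForEach-Object { "    $_" }
}

Remove-Item $cfg
```

An account or group that appears under one of the "Deny" rights, or that is missing from all three "allow" rights, is the first thing to compare against the Group Policy results report from GPMC.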