Domain Controller’s Log on Locally rights removed or set to "Not Configured".

In a situation where you have accidentally locked yourself. You have removed Domain Controller’s policy: “Log On Locally” and no one is allowed to log on locally on the domain controller. There are few methods that you can use to retrieve the logon rights back.

This is only possible if you are facing problems logging on locally. If you have accidentally removed the following rights or have denied yourself then there is no way to make DC operable in this case – but there is way!

Access This Computer From Network

Deny Access This Computer From Network

Okay, let’s talk about “Log on Locally” right and how to get it back.

You can use the following methods outlined below to get it back on track:

Users or Administrators should be able to access this computer remotely as long as the “Access This Computer From Network” logon right is enabled and configured properly.

Method 1

1. Go to a Workstation (XP) or Windows Server
2. Open Active Directory Users and Computers.
3. Right Click on Domain Controllers OU > Property > Group Policy Tab.
4. Change the setting in there for “Log on locally” right.
5. Run PSEXEC to enforce policies on DC.

PSEXEC \\Dc_name secedit /refreshpolicy user_policy
PSEXEC \\Dc_name secedit /refreshpolicy machine_policy

6. Wait for five minutes.
7. Now try to log on to DC locally.

Everything should work.

Method 2

If problem still persists you can follow the steps listed below to manually reset it.

1. Go to a Working DC.
2. Go to SYSVOL.
3. Look for two GPO in there:

Domain GPO GUID {31B2F340-016D-11D2-945F-00C04FB984F9}
DC GPO GUID {31B2F210-016D-11D2-945F-00C04FB981F1}         switch to this one – This is the Default DC GPO.

4. Copy the contents.
5. Access remote computers C:\ drive.
6. Switch to SYSVOL share.
7. Look for two GPO in there:

Domain GPO GUID {31B2F340-016D-11D2-945F-00C04FB984F9}
DC GPO GUID {31B2F210-016D-11D2-945F-00C04FB981F1}        Double click to open this folder.

6. Paste the contents here.
7. Now run PSEXEC command with Secedit to enforce policies.

Please note copying GPO from one DC to another will cause your all settings to be removed.

Leave a Reply

Your email address will not be published. Required fields are marked *