A. Some tools might use network API calls even though you run the tools locally. As a result, if the user doesn't have the right to access the computer from the network, the tool will fail. This problem affects the following administrative tools:
- The Microsoft Management Console (MMC) Active Directory Sites and Services snap-in
- The Active Directory Users and Computers snap-in
- The Active Directory Domains and Trusts snap-in
- Dcdiag
- DNS Manager
- Dsacls
- Group Policy Editor (GPE)
- Ldp
- License Manager
- Netdiag
- Repadmin
- Replmon
To resolve the problem, perform the following steps:
- Navigate to the folder
\%systemroot%\Sysvol\Sysvol\Domainname\Policies\<Policy GUID>\Machine\Microsoft\Windows NT\Secedit
for the policy affecting the "Access this computer from the network" user right and locate and open the gpttmpl.inf file. To determine the correct policy, you'll need to identify the appropriate globally unique identifier (GUID) for the policy. You can determine a policy's GUID by opening the Active Directory Users and Computers snap-in, displaying the container's Properties dialog box, clicking the Group Policy tab, then viewing the policy's properties. Because the Active Directory Users and Computers snap-in might not be accessible, you'll probably have to manually view each policy's GUID to identify the correct Group Policy Object (GPO).
- From the gpttmpl.inf file, copy everything after "SeInteractiveLogonRight=". The string of values will look similar to
SeInteractiveLogonRight = *S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-544,*S-1-5-21-907700337-3330534744-2079332775-1003
- Paste the string of values you copied from the SeInteractiveLogonRight line after the equals sign in the "SeNetworkLogonRight=" line in the gpttmpl.inf file.
- Save the changes, then close the gpttmpl.inf file.
- Locate and open the gpt.ini file at the following folder:
\%systemroot%\Sysvol\Sysvol\Domainname\Policies\<Policy GUID>
- Increase the version number. For example, change
[General]
Version=1
to
[General]
Version=2
- Save and close the file.
- Force a replication of the GPO by opening a command session and typing
secedit /refreshpolicy machine_policy /enforce
You'll now be able to use GPE to reset access for the "Access this computer from the network" user right, which is located under Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment. The default access would typically include Administrators, Enterprise Domain Controllers, and Everyone.
Register
