In tip 2714, I described how to reset the default NTFS permissions.

If you have altered the default User Rights by mistake, you may experience strange results. To reset the User Rights:

1. Back up and then edit the GptTmpl.inf file in the Group Policy folder of the Sysvol. The GUID {6AC1786C-016F-11D2-945F-00C04fB984F9} is the Default Domain Controllers Policy. Mine is located at:

%SystemRoot%\sysvol\sysvol\<Domain Name>\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf

To reset the User Rights, replace the contents of GptTmpl.inf with one of the following, based upon your installation. Entries prefixed with * are SIDs; an entry without * (such as IUSR_<servername>) is an account name that is resolved when the template is applied. The well-known SIDs used below are:

   *S-1-1-0        Everyone
   *S-1-5-11       Authenticated Users
   *S-1-5-32-544   Administrators
   *S-1-5-32-548   Account Operators
   *S-1-5-32-549   Server Operators
   *S-1-5-32-550   Print Operators
   *S-1-5-32-551   Backup Operators

Note that the template replaces the whole file, not just the User Rights: it also sets every [Event Audit] category to 0 (no auditing) and sets the LanManServer EnableSecuritySignature value, so any audit policy you had configured in this GPO must be reapplied afterwards. This is why the backup in step 1 matters.

Permissions Compatible with Pre-Windows 2000 Users

[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
[Privilege Rights]
SeAssignPrimaryTokenPrivilege =
SeAuditPrivilege =
SeBackupPrivilege = *S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
SeBatchLogonRight =
SeChangeNotifyPrivilege = *S-1-5-11,*S-1-5-32-544,*S-1-1-0
SeCreatePagefilePrivilege = *S-1-5-32-544
SeCreatePermanentPrivilege =
SeCreateTokenPrivilege =
SeDebugPrivilege = *S-1-5-32-544
SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
SeIncreaseQuotaPrivilege = *S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-544
SeLoadDriverPrivilege = *S-1-5-32-544
SeLockMemoryPrivilege =
SeMachineAccountPrivilege = *S-1-5-11
SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544,*S-1-1-0
SeProfileSingleProcessPrivilege = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-549,*S-1-5-32-544
SeRestorePrivilege = *S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
SeSecurityPrivilege = *S-1-5-32-544
SeServiceLogonRight =
SeShutdownPrivilege = *S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-544
SeSystemEnvironmentPrivilege = *S-1-5-32-544
SeSystemProfilePrivilege = *S-1-5-32-544
SeSystemTimePrivilege = *S-1-5-32-549,*S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeTcbPrivilege =
SeDenyInteractiveLogonRight =
SeDenyBatchLogonRight =
SeDenyServiceLogonRight =
SeDenyNetworkLogonRight =
SeUndockPrivilege = *S-1-5-32-544
SeSyncAgentPrivilege =
SeEnableDelegationPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1

NOTE: If IIS is installed, add the following accounts to the corresponding SeXxx entries:

   SeBatchLogonRight = IWAM_<servername>,IUSR_<servername>
   SeInteractiveLogonRight = IUSR_<servername>
   SeNetworkLogonRight = IWAM_<servername>,IUSR_<servername>

NOTE: If Terminal Services is installed, add the following account to the corresponding entry:

   SeInteractiveLogonRight = TsInternetUser

Permissions Compatible Only with Windows 2000 Users

[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
[Privilege Rights]
SeAssignPrimaryTokenPrivilege =
SeAuditPrivilege =
SeBackupPrivilege = *S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
SeBatchLogonRight =
SeChangeNotifyPrivilege = *S-1-5-11,*S-1-5-32-544,*S-1-1-0
SeCreatePagefilePrivilege = *S-1-5-32-544
SeCreatePermanentPrivilege =
SeCreateTokenPrivilege =
SeDebugPrivilege = *S-1-5-32-544
SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
SeIncreaseQuotaPrivilege = *S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-544
SeLoadDriverPrivilege = *S-1-5-32-544
SeLockMemoryPrivilege =
SeMachineAccountPrivilege = *S-1-5-11
SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544,*S-1-1-0
SeProfileSingleProcessPrivilege = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-549,*S-1-5-32-544
SeRestorePrivilege = *S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
SeSecurityPrivilege = *S-1-5-32-544
SeServiceLogonRight =
SeShutdownPrivilege = *S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-544
SeSystemEnvironmentPrivilege = *S-1-5-32-544
SeSystemProfilePrivilege = *S-1-5-32-544
SeSystemTimePrivilege = *S-1-5-32-549,*S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeTcbPrivilege =
SeDenyInteractiveLogonRight =
SeDenyBatchLogonRight =
SeDenyServiceLogonRight =
SeDenyNetworkLogonRight =
SeUndockPrivilege = *S-1-5-32-544
SeSyncAgentPrivilege =
SeEnableDelegationPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1

NOTE: If IIS is installed, add the following accounts to the corresponding SeXxx entries:

   SeBatchLogonRight = IWAM_<servername>,IUSR_<servername>
   SeInteractiveLogonRight = IUSR_<servername>
   SeNetworkLogonRight = IWAM_<servername>,IUSR_<servername>

NOTE: If Terminal Services is installed, add the following account to the corresponding entry:

   SeInteractiveLogonRight = TsInternetUser

NOTE: As reproduced in this tip, the two templates contain identical entries. Either way, review what you are granting before you apply it: *S-1-1-0 (Everyone) on SeNetworkLogonRight and SeChangeNotifyPrivilege, and SeDebugPrivilege, SeTcbPrivilege and SeEnableDelegationPrivilege, are the entries that matter most on a domain controller.
2. Save and close the GptTmpl.inf file.

3. Increment the group policy version by opening the Gpt.ini file at %SystemRoot%\sysvol\sysvol\<Domain Name>\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9} and raising the number on the Version= line in its [General] section. Clients only reapply a GPO whose version has changed since they last applied it. It is best to multiply the version by 10 to ensure it does not become outdated before the policy can be applied.

4. Save and close the Gpt.ini file.

5. Open a CMD prompt and type:

secedit /refreshpolicy machine_policy /enforce

   (On Windows XP, Windows Server 2003 and later, secedit no longer has a /refreshpolicy switch; use gpupdate /target:computer /force instead.)

6. Check the Application event log for Event ID 1704 from source SceCli ("Security policy in the Group policy objects has been applied successfully") to verify that the policy has been propagated.
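The following PowerShell script is an added example and is not part of the original tip. It performs the six steps above on a current Windows domain controller (PowerShell 5.1 or later, where gpupdate replaces secedit /refreshpolicy) and, before writing anything, parses the [Privilege Rights] section of the template you prepared, resolves each *SID to an account name and warns about the grants worth a second look. The domain name and template path are parameters you supply; the GUID is the Default Domain Controllers Policy GUID from the tip. Without -Apply the script only reviews.

```powershell
<#
  Added example, not from the original tip. Reviews a prepared GptTmpl.inf, then (with
  -Apply) does the tip's steps: back up and replace GptTmpl.inf in the Default Domain
  Controllers Policy, raise Version= in Gpt.ini, refresh computer policy and look for
  SceCli event 1704. Assumes a current Windows DC and PowerShell 5.1+.
#>
param(
    [Parameter(Mandatory)][string]$Domain,        # assumption: your AD DNS name, e.g. corp.example.com
    [Parameter(Mandatory)][string]$TemplatePath,  # assumption: a GptTmpl.inf you built from the tip
    [switch]$Apply                                # omit to review only; nothing is written
)

$GpoDir  = Join-Path $env:SystemRoot "sysvol\sysvol\$Domain\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}"
$GptTmpl = Join-Path $GpoDir 'MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
$GptIni  = Join-Path $GpoDir 'Gpt.ini'

# Parse [Privilege Rights] and resolve each *SID to an account name so the grants can be read
# before anything is written. Bare names (IUSR_<server>) are left for secedit to resolve.
function Get-PrivilegeRights([string]$Path) {
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*\[(.+?)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $right  = $Matches[1]
            $grants = foreach ($entry in ($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
                if (-not $entry.StartsWith('*')) { $entry; continue }
                try   { ([System.Security.Principal.SecurityIdentifier]$entry.Substring(1)).Translate([System.Security.Principal.NTAccount]).Value }
                catch { "$entry (unresolved)" }
            }
            [pscustomobject]@{ Right = $right; Grants = (@($grants) -join ', ') }
        }
    }
}

$rights = @(Get-PrivilegeRights $TemplatePath)
$rights | Format-Table -AutoSize | Out-Host

# Flag the grants worth a second look before they reach every DC: anything handed to
# Everyone, and the rights that amount to full control of the machine.
$sensitive = 'SeDebugPrivilege', 'SeTcbPrivilege', 'SeEnableDelegationPrivilege',
             'SeTakeOwnershipPrivilege', 'SeRestorePrivilege', 'SeLoadDriverPrivilege'
foreach ($r in $rights) {
    if ($r.Grants -match '\bEveryone\b|S-1-1-0\b') { Write-Warning "$($r.Right) is granted to Everyone: $($r.Grants)" }
    elseif ($r.Right -in $sensitive -and $r.Grants)  { Write-Warning "$($r.Right) -> $($r.Grants)" }
}
if (-not $Apply) { return }

# Steps 1-2: back up, then replace. [Unicode] Unicode=yes means the file must be UTF-16.
Copy-Item -LiteralPath $GptTmpl -Destination ($GptTmpl + '.' + (Get-Date -Format 'yyyyMMddHHmmss') + '.bak')
Get-Content -LiteralPath $TemplatePath -Raw | Set-Content -LiteralPath $GptTmpl -Encoding Unicode

# Steps 3-4: raise Version= in Gpt.ini; clients only reapply a GPO whose version changed.
# The tip multiplies by 10. (The low 16 bits of Version are the computer-side counter.)
$ini = Get-Content -LiteralPath $GptIni | ForEach-Object {
    if ($_ -match '^Version=(\d+)\s*$') { 'Version=' + ([int]$Matches[1] * 10) } else { $_ }
}
Set-Content -LiteralPath $GptIni -Value $ini -Encoding Ascii

# Steps 5-6: refresh computer policy and look for SceCli 1704 (policy applied successfully).
gpupdate /target:computer /force | Out-Host
$ev = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SceCli'; Id = 1704; StartTime = (Get-Date).AddMinutes(-5) } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($ev) { "Applied: $($ev.TimeCreated) - $($ev.Message)" }
else     { Write-Warning 'No SceCli 1704 logged yet; check again shortly, or look for SceCli 1202 (propagated with warning).' }
```

Run it first without -Apply and read the warnings: the templates in this tip deliberately grant SeNetworkLogonRight and SeChangeNotifyPrivilege to Everyone, so those warnings are expected, but an unexpected name against SeDebugPrivilege or SeTcbPrivilege means the template you prepared is not the one you meant to apply. The backup written in step 1 is the file to restore if the refresh produces SceCli 1202 instead of 1704.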