User Right Assignment Policy Analyst

User Rights Assignments don't have a "default" configuration.

This is because these settings are modified when certain Windows roles and features are installed. Other applications can also modify these rights, creating a situation where a one-size-fits-all definition of default would leave many systems half functional.

Further, the User Right Assignments fall into a broader category of GP settings that cannot be conveniently reverted to a default state due to an effect known as Group Policy tattooing.

You must apply your own "default" settings

If you only have a few User Rights to modify, edit the settings through the Local Group Policy editor () and refer to another workstation that has the desired rights assignments for your configuration.

If you have many User Rights to modify, then consider using the Secedit command-line tool to export the settings from a computer with the desired configuration and then apply them to the target machine. Example commands:

Export the current machine's User Rights Assignments:

Apply the exported User Rights Assignments to the local machine:
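
The export and apply steps described above, as an added example that is not from the original page: it uses `secedit` with `/areas USER_RIGHTS` and, going one step further, compares the reference export with the local one before applying it. The file paths and the `Get-PrivilegeRights` helper are assumptions made for illustration.

```powershell
# Added example. Run from an elevated PowerShell prompt; both paths are assumed names.
$reference = 'C:\Temp\reference-rights.inf'  # exported earlier on the reference machine
$current   = 'C:\Temp\current-rights.inf'    # this machine's export, written below

# Export only the User Rights Assignment area of the local security policy.
secedit /export /cfg $current /areas USER_RIGHTS /quiet

# Hypothetical helper: read the [Privilege Rights] section of a secedit export
# into a hashtable of right name -> sorted list of accounts/SIDs.
function Get-PrivilegeRights {
    param([Parameter(Mandatory)][string]$Path)
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        }
        elseif ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            $rights[$name] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object)
        }
    }
    $rights
}

$ref = Get-PrivilegeRights -Path $reference
$cur = Get-PrivilegeRights -Path $current

# List every right whose assignees differ between the two exports.
$diff = foreach ($name in (@($ref.Keys) + @($cur.Keys) | Sort-Object -Unique)) {
    $want = $ref[$name] -join ','
    $have = $cur[$name] -join ','
    if ($want -ne $have) {
        [pscustomobject]@{ Right = $name; Reference = $want; Current = $have }
    }
}
$diff | Format-Table -AutoSize -Wrap

# Apply only after reviewing the table. /areas USER_RIGHTS keeps the change to
# user rights; a right not listed in the reference file is left as it is.
if ($diff -and (Read-Host 'Apply the reference rights to this machine? (y/N)') -eq 'y') {
    secedit /configure /db "$env:TEMP\user-rights.sdb" /cfg $reference /areas USER_RIGHTS
}
```

Rows with an empty Reference column are rights the target holds but the reference export does not list; review those by hand, since applying the reference file will not clear them.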

More Information

  • This Microsoft support article explains why it's not possible to restore Windows Security settings to a so-called default state and offers some possible workarounds.

  • This and this article discuss Group Policy tattooing and its implications for Windows Security Settings.

We have a process where I work, where any changes to Active Directory GPOs are performed on test servers, backed up and then the backups applied to the live AD.

I'm in the process of amending a GPO where I want to specifically add in a user rights assignment for a user account that'll exist locally on the member servers that the GPO will apply to.

I've tried adding the word BUILTIN to the front of that user, I've tried using migtables, I've tried creating the user on the domain (but that ends up as trying to apply the user rights to the domain user of that name if he exists...).

Not sure what to do, Googling comes up with a lot of results that don't tend to lead anywhere for this scenario (local, user, group, policy all very common terms together).

Any suggested way of doing this?

windows-server-2003 active-directory group-policy users

asked Nov 6 '12 at 15:10
