AD DS: This domain controller must have "Access this Computer from the Network" granted to the appropriate security principals

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Domain Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2008 R2

Windows Server 2012

Product/Feature

Active Directory Domain Services (AD DS)

Severity

Error

Category

Configuration

Issue

Domain Controller <DC-Name> does not have the user right “Access this computer from the network” granted to ‘Builtin Administrators,’ ‘Enterprise Domain Controllers,’ or ‘Authenticated Users,’ or has the user right “Deny access to this computer from the network” assigned to one of those groups or to ‘Everyone.’

Impact

Replication operations initiated by other domain controllers in the domain or by administrators may fail. Users and computers may also experience failure to apply Group Policy objects.

Two of the most common root causes of domain controller replication failure are (1) the “Access this computer from the network” user right not being granted to the ‘Builtin Administrators,’ ‘Enterprise Domain Controllers,’ and ‘Authenticated Users’ security groups, and (2) the ‘Enterprise Domain Controllers,’ ‘Everyone,’ ‘Builtin Administrators,’ or ‘Authenticated Users’ security groups being listed in the “Deny access to this computer from the network” user right. A deny user right overrides the corresponding allow, so a single deny entry for one of these groups blocks network logon even when the allow is configured correctly. Any domain controller trying to replicate from a domain controller with either misconfiguration may fail, and users and computers may also fail to apply Group Policy objects from it.

Resolution

Verify that the domain controllers in the domain <domainName> have this user right granted to the appropriate security principals. Using Group Policy Management and Group Policy Results, verify that the winning Group Policy for the “Access this computer from the network” user right grants that right to the ‘Builtin Administrators,’ ‘Enterprise Domain Controllers,’ and ‘Authenticated Users’ groups. Verify that the policy setting “Deny access to this computer from the network” does not have ‘Everyone,’ ‘Authenticated Users,’ ‘Builtin Administrators,’ or ‘Enterprise Domain Controllers’ groups defined in it.

Membership in Domain Admins, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To verify that the Builtin\Administrators, NT Authority\Enterprise Domain Controllers, and Authenticated Users groups are defined in the policy setting “Access this computer from the network” (using Group Policy Results)

  1. Log on to the domain controller as a member of the Domain Admins group.

  2. Click Start, click Administrative Tools, and then click Group Policy Management.

  3. Expand Forest: <forest name>, right-click Group Policy Results, and then click Group Policy Results Wizard.

  4. On the Welcome page, click Next.

  5. Click This computer, and then click Next.

  6. Click Do not display user policy settings in the results (display computer policy settings only), and then click Next.

  7. On the Summary page, click Next, and then click Finish.

  8. Click Settings, and then click show all.

  9. Verify that the groups BUILTIN\Administrators, NT Authority\Enterprise Domain Controllers, and Authenticated Users are defined in the Access this computer from the network policy setting under the following node:

    Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | User Rights Assignment

  10. Note the value of the winning GPO for this policy setting if it is defined.
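The same Group Policy Results check can be scripted from a gpresult RSoP export, which also records which GPO won for each user right. The following PowerShell is an added example and is not part of the original article or of the Best Practices Analyzer; it assumes the RSoP XML follows the gpresult /x schema (UserRightsAssignment entries with GPO/Name, Precedence, Name and Member children), and the sample document at the bottom is constructed for demonstration, including the GPO name “DC Hardening” and the orphaned SID.

```powershell
# Added example, not part of the original article: evaluate the conditions this
# BPA rule checks from a gpresult RSoP XML export instead of clicking through
# Group Policy Results. Assumptions: the XML follows the gpresult /x schema;
# the sample document at the bottom is constructed for demonstration.

# Well-known SIDs, so the check does not depend on localized display names.
$RequiredGrant = @{ 'S-1-5-32-544' = 'BUILTIN\Administrators'
                    'S-1-5-9'      = 'Enterprise Domain Controllers'
                    'S-1-5-11'     = 'Authenticated Users' }
$ForbiddenDeny = @{ 'S-1-5-32-544' = 'BUILTIN\Administrators'
                    'S-1-5-9'      = 'Enterprise Domain Controllers'
                    'S-1-5-11'     = 'Authenticated Users'
                    'S-1-1-0'      = 'Everyone' }

function Get-ChildText {
    # local-name() sidesteps the Rsop / Settings namespace prefixes gpresult emits.
    param([System.Xml.XmlNode]$Node, [string]$XPath)
    $n = $Node.SelectSingleNode($XPath)
    if ($n) { $n.InnerText.Trim() } else { $null }
}

function Get-UserRightRsop {
    # All RSoP entries for one privilege; Precedence 1 is the winning GPO.
    param([Parameter(Mandatory=$true)][xml]$Rsop,
          [Parameter(Mandatory=$true)][string]$Privilege)
    foreach ($e in $Rsop.SelectNodes("//*[local-name()='UserRightsAssignment']")) {
        if ((Get-ChildText $e "*[local-name()='Name']") -ne $Privilege) { continue }
        $members = foreach ($m in $e.SelectNodes("*[local-name()='Member']")) {
            New-Object PSObject -Property @{
                Name = Get-ChildText $m "*[local-name()='Name']"   # absent for an orphaned SID
                SID  = Get-ChildText $m "*[local-name()='SID']"
            }
        }
        $prec = Get-ChildText $e "*[local-name()='Precedence']"
        $precedence = if ($prec) { [int]$prec } else { 1 }
        New-Object PSObject -Property @{
            Privilege  = $Privilege
            GPO        = Get-ChildText $e "*[local-name()='GPO']/*[local-name()='Name']"
            Precedence = $precedence
            Members    = @($members)
        }
    }
}

function Test-NetworkLogonRights {
    # Returns one string per finding; no output means the RSoP is compliant.
    param([Parameter(Mandatory=$true)][xml]$Rsop)
    $findings = @()
    $grant = Get-UserRightRsop -Rsop $Rsop -Privilege 'SeNetworkLogonRight' |
             Sort-Object Precedence | Select-Object -First 1
    if (-not $grant) {
        $findings += 'No GPO defines SeNetworkLogonRight; the local security database decides.'
    } else {
        $granted = @($grant.Members | ForEach-Object { $_.SID })
        foreach ($sid in $RequiredGrant.Keys) {
            if ($granted -notcontains $sid) {
                $findings += "Winning GPO '$($grant.GPO)' does not grant SeNetworkLogonRight to $($RequiredGrant[$sid]) ($sid)."
            }
        }
    }
    $deny = Get-UserRightRsop -Rsop $Rsop -Privilege 'SeDenyNetworkLogonRight' |
            Sort-Object Precedence | Select-Object -First 1
    if ($deny) {
        foreach ($m in $deny.Members) {
            if ($m.SID -and $ForbiddenDeny.ContainsKey($m.SID)) {
                $findings += "Winning GPO '$($deny.GPO)' denies network logon to $($ForbiddenDeny[$m.SID]) ($($m.SID))."
            }
        }
    }
    return $findings
}

# Constructed sample in the gpresult /x shape (not real output): the winning
# grant omits Enterprise Domain Controllers, and a constructed GPO named
# "DC Hardening" denies Authenticated Users plus an orphaned (made-up) SID.
$SampleRsop = [xml]@'
<Rsop xmlns="http://www.microsoft.com/GroupPolicy/Rsop"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Security">
 <ComputerResults><ExtensionData><Extension xsi:type="q1:SecuritySettings">
  <q1:UserRightsAssignment>
   <q1:GPO><Name>Default Domain Controllers Policy</Name></q1:GPO>
   <q1:Precedence>1</q1:Precedence>
   <q1:Name>SeNetworkLogonRight</q1:Name>
   <q1:Member><Name>BUILTIN\Administrators</Name><SID>S-1-5-32-544</SID></q1:Member>
   <q1:Member><Name>NT AUTHORITY\Authenticated Users</Name><SID>S-1-5-11</SID></q1:Member>
  </q1:UserRightsAssignment>
  <q1:UserRightsAssignment>
   <q1:GPO><Name>DC Hardening</Name></q1:GPO>
   <q1:Precedence>1</q1:Precedence>
   <q1:Name>SeDenyNetworkLogonRight</q1:Name>
   <q1:Member><Name>NT AUTHORITY\Authenticated Users</Name><SID>S-1-5-11</SID></q1:Member>
   <q1:Member><SID>S-1-5-21-1111111111-2222222222-3333333333-1104</SID></q1:Member>
  </q1:UserRightsAssignment>
 </Extension></ExtensionData></ComputerResults>
</Rsop>
'@

Test-NetworkLogonRights -Rsop $SampleRsop

# Against a real domain controller (run elevated; the temp path is an assumption):
#   $tmp = Join-Path $env:TEMP 'rsop.xml'
#   gpresult /scope computer /x $tmp /f
#   $doc = New-Object System.Xml.XmlDocument; $doc.Load($tmp)
#   Test-NetworkLogonRights -Rsop $doc
```

The constructed sample produces two findings: the winning grant lacks Enterprise Domain Controllers (S-1-5-9), and the deny right contains Authenticated Users (S-1-5-11). Matching on SIDs rather than names matters on localized servers and when a member has no resolvable name; the GPO name in each finding is the one to open in step 4 of the next procedure.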

If necessary, use the following procedure to add the Builtin\Administrators, NT Authority\Enterprise Domain Controllers, and Authenticated Users groups to the policy setting Access this computer from the network.

To define the Builtin\Administrators, NT Authority\Enterprise Domain Controllers, and Authenticated Users groups in the policy setting “Access this computer from the network”

  1. Log on to the domain controller as a member of the Domain Admins group.

  2. Click Start, click Administrative Tools, and then click Group Policy Management.

  3. Expand Forest: <forest name>, expand Domains, <domain name>, and then expand the Group Policy Objects folder.

  4. If the Access this computer from the network policy setting was not defined for this domain controller, right-click the Default Domain Controllers Policy GPO; otherwise, right-click the winning GPO that you noted in step 10 of the previous procedure. Then click Edit.

  5. In the console tree, expand the following node:

    Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | User Rights Assignment

  6. In the details pane, double-click Access this computer from the network.

  7. Click Add User or Group, type Administrators;Enterprise Domain Controllers;Authenticated Users (or click Browse to select the groups), click OK, and then click OK to close the policy setting. Existing entries in the list are retained, so other principals that legitimately hold this right on the domain controllers are not removed. Run gpupdate /force on the domain controller, or wait for the next policy refresh, before rerunning the scan.

To verify that the Builtin\Administrators, NT Authority\Enterprise Domain Controllers, Everyone, or Authenticated Users groups are not in the policy setting “Deny access to this computer from the network”

  1. Log on to the domain controller as a member of the Domain Admins group.

  2. Click Start, click Administrative Tools, and then click Group Policy Management.

  3. Expand Forest: <forest name>, right-click Group Policy Results, and then click Group Policy Results Wizard.

  4. On the Welcome page, click Next.

  5. Click This computer, and then click Next.

  6. Click Do not display user policy settings in the results (display computer policy settings only), and then click Next.

  7. On the Summary page, click Next, and then click Finish.

  8. Click Settings, and then click show all.

  9. Verify that either the policy setting Deny access to this computer from the network is not listed in the Resultant Set of Policy, or the security groups Builtin\Administrators, NT Authority\Enterprise Domain Controllers, Everyone, and Authenticated Users are not defined in the Deny access to this computer from the network user right, located under the following node:

    Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | User Rights Assignment

  10. If any of these security groups is defined in the policy setting of the Deny access to this computer from the network user right, note the value for the winning GPO for this policy setting, then proceed to step 11. If none of those security groups is defined in the policy setting, then you should now be in a compliant state.

  11. In the group policy management console, expand Forest: <forest name>, expand Domains, <domain name>, and then expand the Group Policy Objects folder.

  12. Right-click the winning GPO that you noted in step 10, and then click Edit.

  13. In the console tree, expand the following node:

    Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | User Rights Assignment

  14. In the details pane, double-click Deny access to this computer from the network.

  15. Select Administrators, Enterprise Domain Controllers, Everyone, and Authenticated Users (whichever are present), click Remove, and then click OK. Leave any other entries in place; the deny right may legitimately contain other principals.

If domain controller replication issues persist, verify that the security groups Builtin\Administrators, NT Authority\Enterprise Domain Controllers, Everyone, and Authenticated Users are not defined in the Deny access to this computer from the network policy setting of the domain controller’s local GPO. The local GPO has the lowest precedence, so its entries take effect only when no domain GPO defines the same setting; that is exactly the case a check of the domain GPOs alone misses.

To verify that the Builtin\Administrators, NT Authority\Enterprise Domain Controllers, Everyone, or Authenticated Users groups are not defined in the local GPO policy setting “Deny access to this computer from the network”

  1. Click Start, click Run, type gpedit.msc, and then click OK.

  2. In the console tree, expand the following node:

    Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment

  3. In the details pane, double-click Deny access to this computer from the network.

  4. Verify that the security groups Builtin\Administrators, NT Authority\Enterprise Domain Controllers, Everyone, and Authenticated Users are not defined in this policy setting. If any of them is present, select it, click Remove, and then click OK.
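The local GPO stores its security settings in the same INI-style template format that domain GPOs keep under SYSVOL and that secedit /export writes for the effective policy, so one parser covers the local GPO check above and a final verification of what the domain controller actually enforces after the domain GPO changes. The following PowerShell is an added example and is not part of the original article or of the Best Practices Analyzer; the sample template at the bottom is constructed, and the file paths in the comments are the standard locations, stated here as assumptions.

```powershell
# Added example, not part of the original article: check the [Privilege Rights]
# section of a security template for the conditions this BPA rule reports. The
# same format is used by the local GPO's GptTmpl.inf, by each domain GPO's
# GptTmpl.inf under SYSVOL, and by a 'secedit /export' of the effective policy.
# Assumptions: the sample template at the bottom is constructed; the paths in
# the comments are the standard locations and are stated as assumptions.

function Read-PrivilegeRights {
    # Returns a hashtable: privilege name -> raw entries ('*SID' or a bare account name).
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $t -eq '' -or $t.StartsWith(';') -or $t -notmatch '=') { continue }
        $name, $value = $t -split '=', 2
        $rights[$name.Trim()] = @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    return $rights
}

function Resolve-PrivilegeEntry {
    # Templates write SIDs with a leading '*'; names appear bare. Well-known SIDs
    # resolve offline; a deleted principal leaves an orphaned SID that does not.
    param([Parameter(Mandatory=$true)][string]$Entry)
    if ($Entry.StartsWith('*')) {
        $sid = $Entry.Substring(1)
        try   { $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }
    } else {
        $name = $Entry
        try   { $sid = (New-Object System.Security.Principal.NTAccount($Entry)).Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $null }
    }
    New-Object PSObject -Property @{ SID = $sid; Name = $name }
}

function Test-PrivilegeRightsTemplate {
    # -EffectivePolicy: the template is a secedit export, so a missing grant is a
    # finding. Without it the template is a single GPO, where 'not defined' is fine.
    param([Parameter(Mandatory=$true)][string[]]$Lines, [switch]$EffectivePolicy)
    $required  = @{ 'S-1-5-32-544' = 'Administrators'; 'S-1-5-9' = 'Enterprise Domain Controllers'; 'S-1-5-11' = 'Authenticated Users' }
    $forbidden = $required.Clone(); $forbidden['S-1-1-0'] = 'Everyone'
    $rights = Read-PrivilegeRights -Lines $Lines
    $findings = @()
    if ($rights.ContainsKey('SeNetworkLogonRight')) {
        $granted = @($rights['SeNetworkLogonRight'] | ForEach-Object { (Resolve-PrivilegeEntry $_).SID })
        foreach ($sid in $required.Keys) {
            if ($granted -notcontains $sid) { $findings += "SeNetworkLogonRight is not granted to $($required[$sid]) ($sid)." }
        }
    } elseif ($EffectivePolicy) {
        $findings += 'SeNetworkLogonRight is empty in the effective policy: nothing can log on over the network.'
    }
    if ($rights.ContainsKey('SeDenyNetworkLogonRight')) {
        foreach ($p in ($rights['SeDenyNetworkLogonRight'] | ForEach-Object { Resolve-PrivilegeEntry $_ })) {
            if ($p.SID -and $forbidden.ContainsKey($p.SID)) { $findings += "SeDenyNetworkLogonRight contains $($forbidden[$p.SID]) ($($p.SID))." }
        }
    }
    return $findings
}

# Constructed sample template (not real output): Enterprise Domain Controllers
# is missing from the grant, and Authenticated Users sits in the deny right
# next to Guests (S-1-5-32-546), which is left alone.
$SampleTemplate = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-11
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

Test-PrivilegeRightsTemplate -Lines $SampleTemplate -EffectivePolicy

# Real inputs (standard locations, assumed; secedit writes these files as Unicode):
#   Local GPO:  Test-PrivilegeRightsTemplate -Lines (Get-Content -Encoding Unicode "$env:SystemRoot\System32\GroupPolicy\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf")
#   Effective:  secedit /export /cfg "$env:TEMP\ura.inf" /areas USER_RIGHTS
#               Test-PrivilegeRightsTemplate -Lines (Get-Content -Encoding Unicode "$env:TEMP\ura.inf") -EffectivePolicy
#   Domain GPO: \\<domain>\SYSVOL\<domain>\Policies\<GPO GUID>\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
```

Run without -EffectivePolicy against the local GPO template (which exists only if local security settings have ever been defined) and against any domain GPO template under SYSVOL; run with -EffectivePolicy against a secedit export after the GPO edits and a policy refresh, since that export reflects what the local security database enforces rather than what any one GPO says. The constructed sample yields two findings: Enterprise Domain Controllers (S-1-5-9) absent from the grant and Authenticated Users (S-1-5-11) present in the deny.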