User Rights Assignment GPO has no effect after promoting Server 2022 to a domain controller

Anonymous
2024-10-10T17:07:56+00:00

I recently promoted a 2022 Windows server as a domain controller. After promotion, I cannot log in over RDP or console as a domain admin. This is the 4th DC in our domain. Single forest, single domain, functional level 2016.

The other three 2019 domain controllers are fine with logging in. repadmin shows no errors and is replicating with all partners successfully.

The new DC has the same default domain controllers policy applied. I am able to enter a PSSession with the new DC and check settings. I can also connect over MMC consoles without issue.

It is in a different site, but it is well connected, and the site links are set up with a quick sync time of 15 minutes.

Here is the RSOP:

As you can see, there is no definition for Allow Logon Locally or Remote Desktop Services defined. So it is using the defaults, in which Administrators is an allowed group. I also enabled diagnostic logging in the registry to make sure settings were being applied.

I have spent hours on troubleshooting, and I cannot figure out what is wrong. We have other 2022 servers that have no issue with the User Rights Assignments, so I know it is not a policy version issue (old ADMX).

I don't have any errors to go off of other than services that cannot start because the policy is not working.

Tags: Windows Server, Identity and access, Active Directory

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.

Accepted answer
  1. Anonymous
    2024-10-10T20:39:37+00:00

    I was finally able to solve this problem. I did a secedit dump on my "broken" domain controller and noticed these entries:

    These entries come from a user rights policy that is applied to all servers (non-DC) in our domain. It seems these policies are sticky, though: once the policy is no longer applied, they are not reverted. To fix this, I created a new policy that does define one of the groups I still want in the policy, "DenyLogonLocally". Once this policy was applied it overwrote the other settings, and I am now able to log in. I imagine I could have updated the secedit policy manually, but I wanted something in place for future server promotions, so I don't have this headache again.

    I hope this helps someone. Denies are the worst!

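The secedit check the accepted answer describes, written out as an added example (this is not the poster's script and was not part of the thread). It exports the effective local security policy of the server it runs on, parses the `[Privilege Rights]` section, and lists who holds the four logon and deny-logon rights, so a deny entry that survived from a policy no longer applied to the machine shows up even when RSOP reports the setting as "Not Defined". It assumes an elevated PowerShell session on the domain controller being examined; the file path and the helper function name are this example's own choices.

```powershell
# Added example, not from the original thread: export the effective local security
# policy with secedit and show who holds the logon / deny-logon user rights.
# Assumes it runs in an elevated PowerShell session on the server being checked.

$exportPath = Join-Path $env:TEMP 'secpol-export.inf'   # assumed scratch location

# secedit writes an INI-style file; the USER_RIGHTS area becomes the [Privilege Rights] section.
& secedit.exe /export /cfg $exportPath /areas USER_RIGHTS /quiet | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

# The user rights that decide whether an account may sign in at the console or over RDP.
$rightsOfInterest = @(
    'SeInteractiveLogonRight',          # Allow log on locally
    'SeDenyInteractiveLogonRight',      # Deny log on locally
    'SeRemoteInteractiveLogonRight',    # Allow log on through Remote Desktop Services
    'SeDenyRemoteInteractiveLogonRight' # Deny log on through Remote Desktop Services
)

# Helper (name chosen for this example): turn a secedit token into a readable account name.
function Resolve-PrincipalName {
    param([string]$Token)
    # secedit writes SIDs prefixed with '*'; plain account names are written as-is.
    $value = $Token.Trim()
    if ($value.StartsWith('*')) {
        $sid = [System.Security.Principal.SecurityIdentifier]::new($value.Substring(1))
        try   { return $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { return $value }   # unresolvable SID (e.g. a deleted group): keep the raw SID
    }
    return $value
}

# Parse the [Privilege Rights] section. Lines look like:
#   SeDenyInteractiveLogonRight = *S-1-5-32-546,*S-1-5-21-...
# The export carries a byte-order mark, which Get-Content uses to pick the right encoding.
$inSection   = $false
$assignments = @{}
foreach ($line in Get-Content -Path $exportPath) {
    if ($line -match '^\[(.+)\]\s*$') {
        $inSection = ($Matches[1] -eq 'Privilege Rights')
        continue
    }
    if (-not $inSection -or $line -notmatch '^\s*(Se\w+)\s*=\s*(.*)$') { continue }
    $name   = $Matches[1]
    $tokens = ($Matches[2] -split ',') | Where-Object { $_.Trim() -ne '' }
    $assignments[$name] = @($tokens | ForEach-Object { Resolve-PrincipalName $_ })
}

# Report each right of interest, whether the local policy defines it, and its holders.
foreach ($right in $rightsOfInterest) {
    $holders = if ($assignments.ContainsKey($right)) { $assignments[$right] } else { @() }
    [pscustomobject]@{
        Right      = $right
        Defined    = $assignments.ContainsKey($right)
        Principals = ($holders -join '; ')
    }
}

# A Deny* right here that names a group your admin account belongs to, while RSOP shows
# the same setting as "Not Defined", is the left-over entry the answer above describes.
# Defining that right explicitly in a GPO linked to the Domain Controllers OU overwrites it.

Remove-Item -Path $exportPath -ErrorAction SilentlyContinue
```

Compare the `Defined` column against the RSOP output: RSOP shows what Group Policy currently delivers, while the secedit export shows what the machine is actually enforcing, and a right that is enforced but not delivered is the one to define explicitly rather than leave to the defaults.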

2 additional answers

  1. Anonymous
    2024-10-10T18:29:31+00:00

    I have a bit more information to share. I noticed that on my working domain controller, in the security event log there is an entry for Remote Interactive Logon and Interactive Logon that is not present on my non-working DC.

    Working:

    Image

    Broken:

    Image

    Now trying to see if I can get any information about this discrepancy.

  2. Anonymous
    2024-10-10T18:40:12+00:00

    Same story with privileges. Same login user.

    Working:

    Broken:
