DC must have "Access this computer from network" granted. I need help fixing this

I need help on exactly how to fix this error. See attached. I read the "Resolution" at the bottom, but it's not clear on exactly how to do it.

I would appreciate exact steps, please.



Do you get this error on member computer of the domain? If yes, is the computer added to the domain?



Do you get this error on member computer of the domain? If yes, is the computer added to the domain?



It is a DC 2008 R2



Follow the below steps one by one:-

To verify that the BuiltinAdministrators, NT AuthorityEnterprise Domain Controllers, and Authenticated Users groups are defined in the policy setting “Access this computer from the network” (using Group Policy Results)

Log on to the domain controller as a member of the Domain Admins group.
Click Start, click Administrative Tools, and then click Group Policy Management.
Expand Forest: , right-click Group Policy Results, and then click Group Policy Results Wizard.
On the Welcome page, click Next.
Click This computer, and then click Next.
Click Do not display user policy settings in the results (display computer policy settings only), and then click Next.
On the Summary page, click Next, and then click Finish.
Click Settings, and then click show all.
Verify that the groups BUILTINAdministrators, NT AuthorityEnterprise Domain Controllers, and Authenticated Users are defined in the Access this computer from the network policy setting under the following node:Computer Configuration | Policies | Windows Settings | Security Settings | Local PoliciesUser Rights Assignment
Note the value of the winning GPO for this policy setting if it is defined.
If necessary, use the following procedure to define the BuiltinAdministrators, NT AuthorityEnterprise Domain Controllers, and Authenticated Users groups to the policy setting Access this computer from the network.

To define the BuiltinAdministrators, NT AuthorityEnterprise Domain Controllers, and Authenticated User groups in the policy setting “Access this computer from the network”

Log on to the domain controller as a member of the Domain Admins group.
Click Start, click Administrative Tools, and then click Group Policy Management.
Expand Forest: , expand Domains, , and then expand the Group Policy Objects folder.
If the Access this computer from the network policy setting was not defined for this domain controller, right click the Default Domain Controllers GPO, otherwise, right-click the winning GPO that you noted in step 10 of the procedure immediately above this one, and then click Edit.
In the console tree, expand the following node:Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | User Rights Assignment
In the details pane, double-click Access this computer from the network.
Click Add User or Group, click Browse, type Administrators;Enterprise Domain Controllers;Authenticated Users and then click OK.

To verify that the BuiltinAdministrators, NT AuthorityEnterprise Domain Controllers, Everyone, or Authenticated Users groups are not in the policy setting “Deny access to this computer from the network”

Log on to the domain controller as a member of the Domain Admins group.
Click Start, click Administrative Tools, and then click Group Policy Management.
Expand Forest: , right-click Group Policy Results, and then click Group Policy Results Wizard.
On the Welcome page, click Next.
Click This computer, and then click Next.
Click Do not display user policy settings in the results (display computer policy settings only), and then click Next.
On the Summary page, click Next, and then click Finish.
Click Settings, and then click show all.
Verify that either the policy setting Deny access to this computer from the network is not listed in the Resultant Set of Policies, or the security groups BuiltinAdministrators, NT AuthorityEnterprise Domain Controllers, Everyone, or Authenticated Users are not defined in the policy settings of the, Deny access to this computer from the network user right, located under the following node:Computer Configuration | Policies | Windows Settings | Security Settings | Local PoliciesUser Rights Assignment
If any of these security groups is defined in the policy setting of the Deny access to this computer from the network user right, note the value for the winning GPO for this policy setting, then proceed to step 11. If none of those security groups is defined in the policy setting, then you should now be in a compliant state.
In the group policy management console, expand Forest: , expand Domains, , and then expand the Group Policy Objects folder.
Right-click the winning GPO that you noted in step 10, and then click Edit.
In the console tree, expand the following node:Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | User Rights Assignment
In the details pane, double-click Deny access to this computer from the network.
Select Administrators, Domain Controllers, Everyone and Authenticated Users as appropriate, click Remove, and then click OK.
If issues pertaining to domain controller replication are still occurring, verify that the security groups, BuiltinAdministrators, NT AuthorityEnterprise Domain Controllers, Everyone, and Authenticated Users, are not defined in the domain controller’s local GPO policy setting, Deny access to this computer from the network.
To verify that the BuiltinAdministrators, NT AuthorityEnterprise Domain Controllers, Everyone, or Authenticated Users groups are not defined in the local GPO policy setting “Deny access to this computer from the network”

Click Start, click Run, type gpedit.msc, and then click OK.
In the console tree, expand the following node:Computer Configuration | Policies | Windows Settings | Security Settings | LocalPolicies | User Rights Assignment
In the details pane, double-click Deny access to this computer from the network.
Verify that the security groups BuiltinAdministrators, NT AuthorityEnterprise Domain Controllers, Everyone, or Authenticated Users are not defined in this policy setting.



I added Enterprise Domain Controllers. See attached. Please verify this is now correct.



Yes it looks ok, I assume you added the "Enterprise Domain Controllers" from add users or group tab.

Share this

Related Posts

There was an error in this gadget