User Rights Assignment Back To Not Defined

1

Is it possible to put a Local Policy User Rights Assignment back to Not Defined? There is not a checkbox to mark it as Not Defined. Is it possible to set any of the User Rights Assignments back to Not Defined?

I am trying to find an area of a Group Policy that is causing an issue with the installation of a Windows Feature. I have removed the computer from the domain and many parts of the GPO remains on the computer including User Rights Assignment. I am suspicious that this is causing the error I am getting. I would like to go through the User Rights Assignment to see what is causing the issue. If I can se it back to Not Defined per item them I can see what is causing the issue. But I do not see a way to check a box to put it back. I can remove everyone from the list of users/groups but that just makes the list blank and doesn't set it to Not Configured.

JukEboX

Posted 2017-09-08T20:06:53.903

Reputation: 371

If a local policy is configured as "Not Defined", it means the current value is the default value, which is either the value for enabled or the value for disabled. There a reason you cannot simply just set the value of the policy back to "not defined' using the group policy editor? Encourage you to provide more information, perhaps even explain what problem you are trying to solve, so we can answer your question. – Ramhound – 2017-09-08T20:10:22.953

@Ramhound I added some information. I am trying to find a piece of URS causing errors on the installation of a windows server feature. – JukEboX – 2017-09-08T20:28:41.920

Tell us the exact policy. What it modified in the registry should be easy to determine removing the keys will be how this is done – Ramhound – 2017-09-08T21:32:51.713

Answers

0

User Right Assignment don't have a "default" configuration.

This is due to the fact that these settings are modified by when certain Windows roles and features are installed. Other applications can also modify these rights, creating a situation where a one-size-fits-all definition of default would leave many systems half functional.

Further, the User Right Assignments fall into a broader category of GP settings that cannot be conveniently reverted to a default state due to an effect known as Group Policy tattooing.

You must apply your own "default" settings

If you only have a few User Rights to modify, edit the settings through the Local Group Policy editor (gpedit.msc) and refer to another workstation that has the desired rights assignments for your configuration.

If you have many User Rights to modify, then consider using the Secedit command-line tool to export the settings from a computer with the desired configuration and then apply them into the target machine. Example commands:

Export the current machine's User Rights Assignments:

Secedit /export /db SecDbContoso.sdb /mergedpolicy /cfg SecContoso.inf /areas User_Rights

Apply the exported User Rights Assignments to the local machine:

secedit /configure /db SecDbContoso.sdb /cfg SecContoso.inf /areas User_Rights /overwrite

More Information

  • This Microsoft support article explains why it's not possible to restore Windows Security settings to a so-called default state and offers some possible workarounds.

  • This and this article discuss Group Policy tattooing and its implications for Windows Security Settings.

I say Reinstate Monica

Posted 2017-09-08T20:06:53.903

Reputation: 21 477

Asked: 2017-09-08T20:06:53.903

Viewed: 1 001 times

Active: 2017-09-09T02:07:28.593