Search
  • Chris Keim

Domain Controller must have "Access This Computer from the Network"

Updated: Feb 24



Spinning up a shiny new 2019 server, you add the AD DS roles and promote to a domain controller. Next, you run the Best Practices Analyzer because, well you are smart. You are then presented with the following error:


Domain controller [host name] must have "Access this Computer from the Network" granted to the appropriate security principals.


In the times that I have encountered this, there are two areas to check and/or modify.


Applicable Products

  • Windows Server 2012

  • Windows Server 2016

  • Windows Server 2019


Solution #1

Verify the correct objects are included in the "Access this computer from the network" group policy setting in the Default Domain Controllers Policy.

  1. Click on the error in BPA and notice the names "Builtin Adminstrators, Enterprise Domain Controllers, Authenticated Users", etc..

  2. Open the group policy management console and find the default domain controllers policy. Right-click this policy and choose edit

  3. Within the Group Policy Management Editor, navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment

  4. In the right-pane find "Access this computer from the network" and double-click to open the policy setting

  5. Click add, then browse and enter the names found in step 1. If the names don't resolve, do not add them. For me, I never added "Builtin Administrators" even though the error listed this object

  6. OK your way out when you are done

  7. Open a command prompt as an administrator and run gpupdate /force

  8. Run the Best Practices Analyzer again. If the error persists, move on to solution #2

Solution #2

There may be an account that cannot resolve to a SID. This account needs to be removed from the group policy setting "Access this computer from the network" in the Default Domain Controllers Policy.

  1. Open PowerShell as an administrator.

  2. Enter the following command (for server 2019) $doc = C:\Windows\System32\BestPractices\v1.0\Models\Microsoft\Windows\DirectoryServices\DirectoryServices.ps1

  3. Review the output, it will list the account that cannot resolve to a SID

  4. Edit the setting "Access this computer from the network" and remove the account mentioned in step 2

  5. Run the Best Practices Analyzer again. If the error persists, you have gremlins

0 views

©2018 by ChristopherKeim. Proudly created with Wix.com