Domain Controller must have "Access This Computer from the Network"
Updated: Nov 2, 2020
Spinning up a shiny new 2019 server, you add the AD DS roles and promote to a domain controller. Next, you run the Best Practices Analyzer because, well you are smart. You are then presented with the following error:
Domain controller [host name] must have "Access this Computer from the Network" granted to the appropriate security principals.
In the times that I have encountered this, there are two areas to check and/or modify.
Windows Server 2012
Windows Server 2016
Windows Server 2019
Verify the correct objects are included in the "Access this computer from the network" group policy setting in the Default Domain Controllers Policy.
Click on the error in BPA and notice the names "Builtin Adminstrators, Enterprise Domain Controllers, Authenticated Users", etc..
Open the group policy management console and find the default domain controllers policy. Right-click this policy and choose edit
Within the Group Policy Management Editor, navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
In the right-pane find "Access this computer from the network" and double-click to open the policy setting
Click add, then browse and enter the names found in step 1. If the names don't resolve, do not add them. For me, I never added "Builtin Administrators" even though the error listed this object
OK your way out when you are done
Open a command prompt as an administrator and run gpupdate /force
Run the Best Practices Analyzer again. If the error persists, move on to solution #2
There may be an account that cannot resolve to a SID. This account needs to be removed from the group policy setting "Access this computer from the network" in the Default Domain Controllers Policy.
Open PowerShell as an administrator.
Enter the following command (for server 2019) $doc = C:\Windows\System32\BestPractices\v1.0\Models\Microsoft\Windows\DirectoryServices\DirectoryServices.ps1
Review the output, it will list the account that cannot resolve to a SID
Edit the setting "Access this computer from the network" and remove the account mentioned in step 2
Run the Best Practices Analyzer again. If the error persists, you have gremlins