This is the third of my posts about group policy for web developers [part 1] [part 2], and today's post is a from-the-trenches tail about how you can get 401.1 Access Denied as a result of applying group policy.
Mad props to Jimmie Russ and his post Access Denied 401.1 goes away temporarily after IISRESET, as it was his post that sorted my problem today.
As you will see in his post, it is possible to push out User Rights Assignment policies via a GPO that can define the following rights:
- Log on as a service
- Log on as a batch job
- Allow log on locally
- Access this computer from the network
The above list may not be complete, but it was these four that caused a problem in my IIS environment.
Two tell-tail signs that this is your problem:
- If you run the always awesome AuthDiag utility and it reports that certain local accounts (like IUSR_*) have rights missing, specifically the ones listed above.
- When you view the User Rights Assignment in Local Security Settings
- The above four rights are locked (have a little lock icon instead of the "blue 1s and 0s icon") and are not able to be edited.
- The above four rights are not granted to our local accounts (again IUSR_* et al)
Again, it may not always be exactly those four - what you are looking for are policies that will not allow your IIS accounts (as listed in the AuthDiag results) to log on.
If I had my time again, I would have cranked up the failed security events and listed them here, but my servers are working again and I like it that way so this can be left as an exercise to the reader 
As Jimmie said, the solution is to have these rights not pushed down to your web servers. This can be by not applying them in your Default Domain Policy, or by putting your web servers in a seperate OU blocking policy inheritance. If you're not sure, consult an expert.