Why some secpol.exe buttons on 2003 server are grayed out.

I was trying to change a policy using secpol.exe in 2003 server (to "allow log on through terminal server") but the add button is grayed out.  What is the reason for this?
There are two standard GPOs created when you set up a new domain:
* the default domain policy, linked to the domain root
* the default domain controller policy, linked to the domain controllers OU
The default domain policy contains domain-wide settings; the domain controller policy contains settings that should only be applied to your DCs. You normally shouldn't edit either of these unless you really know what you're doing. It's better to create additional GPOs and add policies there.
secpol.msc and gpedit.msc only influence the local policies, which, as you've experienced, will be overridden by a group policy defined at a higher level. The security settings you can define in gpedit.msc are exactly the same you can set using secpol.msc; the gpedit console just has the security policy integrated as well. These are just two different MMCs, one of them (gpedit.msc) doing the same and a bit more than the other.
That means that there is a group policy active in your domain that defines this policy. As domain policies override local policies, you can't use the local policy to add users here. You can use gpresult.exe to find out which policy this setting is coming from, and add the necessary group there.
r_yague (Author) commented:
You're right, oBdA.  It's the Domain Controller Security Policy that was set.  Can you clarify the difference between the Domain Controller Security Policy and the Domain Security Policy?  Do they have the same effect? If not, what takes precedence?  Another separate question: are these 2 policies associated with secpol.msc and/or gpedit.msc?  And if they are, which is for secpol.msc and which is for gpedit.msc?

gpresult.exe is new to me...Thanks for the info.  
gpedit.msc is for the local security policy of the machine. A Group Policy Object (GPO) is applied to Local Computer (via Local Policy), Site, Domain and OU, in that order.

Like r_yague mentioned, gpresult.exe is a good tool to evaluate effective permission, but since you are using Windows 2003 you might as well try using the Group Policy Management Console. It lays out the order in which policies are being applied in GUI format. http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en
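
The precedence described in this thread (Local, Site, Domain, OU, with the last policy that defines a setting winning) can be checked offline; the following is an added example, not part of the original thread. It assumes the security templates have been saved as text (a `secedit /export` of the local policy and each GPO's `GptTmpl.inf`); the template contents and the function names below are constructed for illustration.

```python
import configparser

RIGHT = "SeRemoteInteractiveLogonRight"  # "Allow log on through Terminal Services"

# Constructed sample templates (not from the thread), one per policy layer.
LOCAL = """[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
"""
DOMAIN = """[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0
"""
DC_POLICY = """[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544
"""
# Application order: local policy first, then GPOs by Site, Domain, OU.
LAYERS = [("Local Policy", LOCAL),
          ("Default Domain Policy", DOMAIN),
          ("Default Domain Controller Policy", DC_POLICY)]

def privilege_rights(inf_text):
    """Return {right: [members]} from a template's [Privilege Rights] section."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    cp.optionxform = str  # keep the case of the right names
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {name: [m.strip().lstrip("*") for m in (value or "").split(",") if m.strip()]
            for name, value in cp.items("Privilege Rights")}

def effective(right, layers):
    """Walk layers in application order; the last one defining the right wins.

    Returns (source, members, locked). locked is True when a GPO rather than
    the local policy supplies the value, which is when the local editor
    grays out its Add button for that right.
    """
    source, members = None, None
    for name, text in layers:
        rights = privilege_rights(text)
        if right in rights:
            # User rights are replaced wholesale, not merged with earlier layers.
            source, members = name, rights[right]
    locked = source is not None and source != layers[0][0]
    return source, members, locked

if __name__ == "__main__":
    print(effective(RIGHT, LAYERS))
```

With the sample layers, the Remote Desktop Users SID granted locally (S-1-5-32-555) drops out of the effective list, because the domain controller policy defines the right with Administrators only.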
Question has a verified solution.
