Solved

Windows 2008 Server - "Log on as batch job", cant add user.

Posted on 2008-10-18
5
17,093 Views
Last Modified: 2013-04-19
Hi guys. I have just changed the default identity for my Website's application pool. The reason ive done this is to run the site's scripts as a specific user so it has specific access to files.

Once change the Application Pool identity from NetworkService to my user, I have to give it the "Log on as batch job" right using the local security policy editor. I get to the screen, and the button to add a user is greyed out!

However, in the list already are 3 groups..Administrators, Backup Operators and Performance Log Users. So, for a quick bit of debugging, i added my user to the 'Performance Log Users'  group using Active Directory and it works perfectly. However, this is not ideal as the 'Performance Log Users', has nothing to do with running a web apps!

So in breif, how can I add the user to the "log on as batch job" user rights list when it is greyed out?
I have attached a screenshot.
runasbatch.jpg
0
Comment
Question by:firefoxchris
  • 2
5 Comments
 
LVL 31

Assisted Solution

by:Henrik Johansson
Henrik Johansson earned 450 total points
Comment Utility
The user right is configured by a GPO. Run RSOP.msc to verify what GPO is configuring the setting.
Edit the GPO by using GPMC.msc to add the users.
If the affecting GPO is linked to a higher OU-level, it would be better to create a new GPO and link it to the OU with the IIS to not lowering security on other servers that shall not be affected. Keep in mind that the new GPO will override the previous GPO and you nead to add all authorized users in the new GPO if you don't want to remove the user right from the other users.
0
 
LVL 18

Assisted Solution

by:sk_raja_raja
sk_raja_raja earned 50 total points
Comment Utility
Yeah henjoh09 is correct....you can move this machine to a different OU and create a new GPO and define this settings
0
 

Author Comment

by:firefoxchris
Comment Utility
Thanks for the info guys. However, some of that explanation is a bit over my head. Could you explain it possibly in kre simple terms? Im not a massive user of group policy editor and dont fully understand how it is structured.
0
 
LVL 31

Accepted Solution

by:
Henrik Johansson earned 450 total points
Comment Utility
You use RSOP.msc (Resultant Set Of Policies) in logging mode to validate what GPO is affecting the policy setting.
\Computer Configuration\Windows Settings\Security Settings\Local Settings\User Rights Assignment\Log on as batch job

In ADUC (Active Directory Users and Computers, create if necessary a new OU and place the server in that OU.

Start GPMC (Group Policy Management Console)
Expand forest\domains\domainname to see all top-level OUs, any GPOs linked to domain level and a section named "Group Policy Objects".
Expand "Group Policy Objects" to see all existing GPOs in the current domain.
Right-click on "Group Policy Objects" and choose New to create a new GPO or right-click on the one you want to modify and choose Edit.
In the Group Policy editor, browse down to the policy and add the users you want to have the right to log on as batch job. If creating a new GPO, keep in mind that it will override the old one and not append the setting.
\Computer Configuration\Windows Settings\Security Settings\Local Settings\User Rights Assignment\Log on as batch job
If created a new GPO, navigate in GPMC through the OU-structure and link the GPO to the OU by right-clicking the OU and choose "Link an existing GPO"

Log on to the server and run gpupdate to apply the policy.
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

When it comes to showing a 404 error page to your visitors, you do not want that generic page to show, and you especially do not want your hosting provider’s ad error page to show either. In this article, I will show you how to enable the custom 40…
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now