Solved

Adding a computer's LOCAL user to a domain based group policy

Posted on 2011-02-10
Last Modified: 2012-06-21
There are two local user accounts on an end user's computer which must be used to start a couple of services on the user's machine.

I can't add them to the local security policy to allow them to "log in as a service" because the option is greyed out due to a domain based policy.

Is there a way to create a domain based policy, and add the LOCAL USER accounts to this policy so that the domain pushes out these settings?

The services will not start without these users having the log in as a service right.

I was able to work around this and found a way to add them locally but they get wiped out each time the domain policy gets applied.
Question by:PilotGavin
 
LVL 19

Accepted Solution

by:
PeteJThomas earned 2000 total points
ID: 34864929
Are the local user accounts members of one of the builtin groups on the local machine? (Administrators, Users etc).

I've tried this with some success in the past with the local administrators group, so I *guess* it would work with any of those built-in groups.

Edit the policy that is configuring the 'Log On as a Service' user right - Add an entry in the list (you can't browse for it, you just need to type it) that says something like BUILTIN\Administrators or BUILTIN\Users. Hopefully that will grant that group (and therefore the local accounts that are members of it) the right to log on as a service...

The pitfall is that it would be the same for ALL machines affected by this policy, which may not be ideal. If that's the case, you may need to forcibly stop the 2 PCs from being able to apply this policy, and create a secondary GPO just for them, that does the above.

I'm trying to think out of the box here, I've done *similar* before but never this exact thing. But maybe I've given you enough to play around and see what you can figure out?

I'd always test something like this in a separate GPO to begin with anyway, one that potentially only applies to a single test machine, as opposed to making changes to a GPO that could apply to ALL your computers without having tested the changes first!

Anyways, HTH, please post back any questions you may have...

Pete
 

Author Comment

by:PilotGavin
ID: 34864967
What I'll do is create an OU for JUST that machine, under its root OU, and then apply the second policy there. Let ya know in a few minutes!
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 34865702
Cool, I'll be interested to see what happens!

The point being you can't specify those local accounts in a Domain GPO, but you *should* be able to specify one of the builtin local groups (such as Administrators), and if the local accounts are members of that group, then they should be granted the same rights as are afforded the group itself.

Anyways, I'm off to bed shortly, so you may not hear from me again until tomorrow, but good luck and I'll check back in as soon as I can to see what you found and whether you have any further questions.

Pete
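
A check for the test machine once the separate GPO has applied, added here as an example and not part of the original thread: it reads the effective 'Log on as a service' assignment and reports whether each local account holds it directly or through a local group. The account names are placeholders; it assumes PowerShell 5.1 or later in an elevated session.

```powershell
# Added example, run elevated on the test PC after gpupdate. Account names are placeholders.
$ServiceAccounts = @('svc_local1', 'svc_local2')

# Export the user-rights assignments with domain and local policy merged.
$inf = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /mergedpolicy /cfg $inf /areas USER_RIGHTS | Out-Null

# Expected line shape: SeServiceLogonRight = *S-1-5-32-544,*S-1-5-20,SomeName
$hit = Select-String -Path $inf -Pattern '^SeServiceLogonRight\s*=' | Select-Object -First 1
Remove-Item $inf -ErrorAction SilentlyContinue
if (-not $hit) { Write-Warning 'SeServiceLogonRight is assigned to nobody.'; return }

# Entries are SIDs prefixed with '*' or plain account names; normalise all to SID strings.
function Resolve-Sid([string]$Entry) {
    if ($Entry -match '^S-1-') { return $Entry }
    try {
        $acct = [System.Security.Principal.NTAccount]$Entry
        return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $null }   # unresolvable name: ignore
}
$holderSids = @(($hit.Line -split '=', 2)[1].Split(',') |
    ForEach-Object { Resolve-Sid $_.Trim().TrimStart('*') } | Where-Object { $_ })

# BUILTIN\Users (S-1-5-32-545) in the list means every member of Users gets the right.
if ($holderSids -contains 'S-1-5-32-545') {
    Write-Warning 'BUILTIN\Users holds the right: all its members can log on as a service.'
}

foreach ($name in $ServiceAccounts) {
    $user = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
    if (-not $user) { Write-Warning "${name}: no such local account"; continue }
    # Direct membership only; nested or implicit membership is not expanded.
    $via = Get-LocalGroup | Where-Object {
        $holderSids -contains $_.SID.Value -and
        @((Get-LocalGroupMember -Group $_ -ErrorAction SilentlyContinue).SID.Value) -contains $user.SID.Value
    }
    if ($holderSids -contains $user.SID.Value) { "${name}: granted directly" }
    elseif ($via) { "${name}: granted via $($via.Name -join ', ')" }
    else { Write-Warning "${name}: does not hold the right" }
}
```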