How to allow setting Local Security Policies on local server that is joined to domain

I have a server joined to a domain.  I need to change settings under Local Security Policy>User Rights Assignment>Log on as a service.
When I drill down and open the Log on as a service the Add User or Group button is inactive.  I can get around this by creating a OU, blocking inheritance and adding this server to the OU.  My question, Is there a better way to do this?
brismaAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Toni UranjekConsultant/TrainerCommented:
Leave the server in current OU.
Create new GPO.
In GPMC Remove Authenticated Users group from Security filtering section of new GPO.
Add either computer account to Security filtering or (IMHO better), create new group, add server to group and add group to Security filtering section.

If you need detailed instructions, let me know.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
JeremyricciCommented:
I think this will also have to a lot to do with what the domain functional level is.  If it's 2k3, if I recall correctly, the local security policy of member servers would be determined by the default domain policy.  I am pretty sure more granular control of these policies was not allowed until server 2008 functional level so the domain would need to be at least server 2008 functional level.  Having said that, if the domain functional level is 2k8 or greater, then a granular policy/GPO like explained by the above comment is probably your best bet.  If you need help figuring out what the domain functional level is, please let me know
Toni UranjekConsultant/TrainerCommented:
@Jeremyricci

Policies are processed in this order L-S-D-OU, since 2000. Functional levels do not change processing of GPO.
L - local, S - site, D - domain, OU - organizational unit.
JeremyricciCommented:
@Toni Uranjek

Maybe I wasn't clear, my apologies.  Here's a practical example:

I have one client with domain functional level 2k3, their member servers, by default, cannot change their local security policy.  If the default domain policy is changed and gpupdate run on member server, those changes populate, but are still grayed out (even if member server is 2k8/2k8R2).

Another client with functional level of 2008, member servers can manipulate their local security policy settings.
Toni UranjekConsultant/TrainerCommented:
You can only edit local security settings, which are not overwritten.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.