How to allow setting Local Security Policies on local server that is joined to domain

brisma used Ask the Experts™
I have a server joined to a domain.  I need to change settings under Local Security Policy > User Rights Assignment > Log on as a service.
When I drill down and open Log on as a service, the Add User or Group button is inactive.  I can get around this by creating an OU, blocking inheritance and adding this server to the OU.  My question: is there a better way to do this?

Leave the server in its current OU.
Create a new GPO.
In GPMC, remove the Authenticated Users group from the Security filtering section of the new GPO.
Either add the computer account to Security filtering or (IMHO better) create a new group, add the server to the group and add the group to the Security filtering section.

If you need detailed instructions, let me know.
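
The steps above, scripted with the ActiveDirectory and GroupPolicy PowerShell modules as an added example that is not part of the original answer. The GPO, group, server and OU names are placeholders, and reducing Authenticated Users to Read (rather than removing it outright) is a choice made here so the GPO stays readable while no longer applying to everyone.

```powershell
# Added example. All names below are placeholders; adjust to your environment.
Import-Module ActiveDirectory, GroupPolicy

$GpoName   = 'Member Server - Log on as a service'   # hypothetical GPO name
$GroupName = 'GPO-Filter-LogonAsService'             # hypothetical filter group
$Server    = 'SERVER01'                              # placeholder computer name
$ServerOU  = 'OU=Servers,DC=example,DC=com'          # placeholder: OU the server already sits in

# 1. Security group used for filtering, with the server's computer account as a member.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer -Identity $Server)

# 2. New, empty GPO. The "Log on as a service" entries themselves are then set in the
#    GPMC editor under Computer Configuration > Policies > Windows Settings >
#    Security Settings > Local Policies > User Rights Assignment.
#    A user-rights setting in a GPO replaces the list, it does not merge, so include
#    every account that must keep the right on this server.
New-GPO -Name $GpoName -Comment 'Scoped to one server via security filtering'

# 3. Take Authenticated Users out of Security filtering by reducing it from
#    Read + Apply to Read only.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# 4. Give the filter group Read + Apply so only its members process the GPO.
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply

# 5. Link the GPO to the OU the server is already in (no move, no blocked inheritance).
New-GPLink -Name $GpoName -Target $ServerOU -LinkEnabled Yes

# 6. Review the resulting delegation before relying on it.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission

# On the server: restart so the computer account picks up the new group membership,
# then confirm which GPO supplies the setting:
#   gpupdate /force
#   gpresult /r /scope computer
```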
I think this will also have a lot to do with what the domain functional level is.  If it's 2k3, if I recall correctly, the local security policy of member servers would be determined by the default domain policy.  I am pretty sure more granular control of these policies was not allowed until Server 2008 functional level, so the domain would need to be at least Server 2008 functional level.  Having said that, if the domain functional level is 2k8 or greater, then a granular policy/GPO like the one explained in the above comment is probably your best bet.  If you need help figuring out what the domain functional level is, please let me know.
Toni Uranjek, Consultant/Trainer


Policies are processed in this order L-S-D-OU, since 2000. Functional levels do not change processing of GPO.
L - local, S - site, D - domain, OU - organizational unit.
@Toni Uranjek

Maybe I wasn't clear, my apologies.  Here's a practical example:

I have one client with domain functional level 2k3; their member servers, by default, cannot change their local security policy.  If the default domain policy is changed and gpupdate is run on a member server, those changes populate, but are still grayed out (even if the member server is 2k8/2k8R2).

At another client with a functional level of 2008, member servers can manipulate their local security policy settings.
Toni Uranjek, Consultant/Trainer

You can only edit local security settings, which are not overwritten.
