brisma
 asked on

How to allow setting Local Security Policies on local server that is joined to domain

I have a server joined to a domain. I need to change settings under Local Security Policy > User Rights Assignment > Log on as a service.
When I drill down and open Log on as a service, the Add User or Group button is inactive. I can get around this by creating an OU, blocking inheritance and adding this server to the OU. My question: is there a better way to do this?
Windows Server 2012, Active Directory

Last Comment
Toni Uranjek

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Toni Uranjek

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
Jeremyricci

I think this will also have a lot to do with what the domain functional level is. If it's 2k3, if I recall correctly, the local security policy of member servers would be determined by the default domain policy. I am pretty sure more granular control of these policies was not allowed until Server 2008 functional level, so the domain would need to be at least Server 2008 functional level. Having said that, if the domain functional level is 2k8 or greater, then a granular policy/GPO like the one explained in the above comment is probably your best bet. If you need help figuring out what the domain functional level is, please let me know.
Toni Uranjek

@Jeremyricci

Policies are processed in this order L-S-D-OU, since 2000. Functional levels do not change processing of GPO.
L - local, S - site, D - domain, OU - organizational unit.
Jeremyricci

@Toni Uranjek

Maybe I wasn't clear, my apologies.  Here's a practical example:

I have one client with domain functional level 2k3; their member servers, by default, cannot change their local security policy. If the default domain policy is changed and gpupdate is run on a member server, those changes populate, but are still grayed out (even if the member server is 2k8/2k8R2).

For another client, with a functional level of 2008, member servers can manipulate their local security policy settings.
Toni Uranjek

You can only edit local security settings, which are not overwritten.
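
The L-S-D-OU processing order and the "only editable where not overwritten" point from the thread, worked through for `SeServiceLogonRight` (Log on as a service). This is an added example, not code from any poster. The function names, layer names and sample templates are hypothetical, and it assumes no enforced GPO links or blocked inheritance.

```python
import configparser

# Constructed samples in security-template INF format, one per policy layer.
# The account names svc_local and CORP\svc_backup are made up.
LOCAL = """[Privilege Rights]
SeServiceLogonRight = *S-1-5-80-0,svc_local
SeBatchLogonRight = *S-1-5-32-544
"""
DOMAIN_GPO = """[Privilege Rights]
SeServiceLogonRight = *S-1-5-80-0
"""
OU_GPO = """[Privilege Rights]
SeServiceLogonRight = *S-1-5-80-0,CORP\\svc_backup
"""

def privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep the case of right names
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {right: [p.strip() for p in value.split(",") if p.strip()]
            for right, value in cp.items("Privilege Rights")}

def resolve(layers):
    """layers: (name, inf_text) pairs in processing order L, S, D, OU.

    A later layer that defines a right replaces the whole list (no merging).
    A right whose winning layer is not "Local" is the one the local editor
    shows greyed out.
    """
    effective = {}
    for name, inf_text in layers:
        for right, principals in privilege_rights(inf_text).items():
            effective[right] = {"source": name, "principals": principals}
    for entry in effective.values():
        entry["locally_editable"] = entry["source"] == "Local"
    return effective

if __name__ == "__main__":
    order = [("Local", LOCAL), ("Domain GPO", DOMAIN_GPO), ("OU GPO", OU_GPO)]
    for right, entry in resolve(order).items():
        print(right, entry)
```

In the sample, the OU-linked GPO wins for `SeServiceLogonRight` and the locally added `svc_local` is dropped, while `SeBatchLogonRight`, which no GPO defines, stays editable on the server.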