brisma

How to allow setting Local Security Policies on local server that is joined to domain

I have a server joined to a domain. I need to change settings under Local Security Policy > User Rights Assignment > Log on as a service.
When I drill down and open the Log on as a service, the Add User or Group button is inactive. I can get around this by creating an OU, blocking inheritance and adding this server to the OU. My question: is there a better way to do this?
ASKER CERTIFIED SOLUTION
Toni Uranjek
This solution is only available to members.
Jeremyricci

I think this will also have a lot to do with what the domain functional level is. If it's 2k3, if I recall correctly, the local security policy of member servers would be determined by the default domain policy. I am pretty sure more granular control of these policies was not allowed until server 2008 functional level so the domain would need to be at least server 2008 functional level. Having said that, if the domain functional level is 2k8 or greater, then a granular policy/GPO like explained by the above comment is probably your best bet. If you need help figuring out what the domain functional level is, please let me know.
@Jeremyricci

Policies are processed in this order L-S-D-OU, since 2000. Functional levels do not change processing of GPO.
L - local, S - site, D - domain, OU - organizational unit.
@Toni Uranjek

Maybe I wasn't clear, my apologies.  Here's a practical example:

I have one client with domain functional level 2k3; their member servers, by default, cannot change their local security policy. If the default domain policy is changed and gpupdate is run on a member server, those changes populate, but are still grayed out (even if the member server is 2k8/2k8R2).

For another client with a functional level of 2008, member servers can manipulate their local security policy settings.
You can only edit local security settings, which are not overwritten.
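
The L-S-D-OU order and the "not overwritten" rule discussed in this thread can be modelled in a few lines. This is an added example, not code from any participant: the policy names, accounts and the `CONTOSO` domain are constructed, and the model assumes one GPO per level, no enforced links, and that the winning policy's user-rights list replaces earlier ones rather than merging with them.

```python
from dataclasses import dataclass, field

ORDER = ("local", "site", "domain", "ou")  # L-S-D-OU: later levels overwrite earlier ones

@dataclass
class Gpo:
    name: str
    level: str                                    # one of ORDER
    settings: dict = field(default_factory=dict)  # holds only settings that are defined

def resolve(setting, gpos, block_inheritance=False):
    """Return (winning policy name, value, editable_locally) for one setting."""
    winner = None
    for level in ORDER:
        # Block inheritance on the server's OU drops site- and domain-linked GPOs.
        if block_inheritance and level in ("site", "domain"):
            continue
        for gpo in gpos:
            if gpo.level == level and setting in gpo.settings:
                winner = gpo  # a "Not defined" setting never reaches this line
    if winner is None:
        return (None, None, True)
    # The local editor is only usable when nothing above Local overwrote the value.
    return (winner.name, winner.settings[setting], winner.level == "local")

# Constructed sample policies (hypothetical names and accounts).
RIGHT = "SeServiceLogonRight"  # privilege constant behind "Log on as a service"
LOCAL = Gpo("Local Security Policy", "local", {RIGHT: ["svc_app"]})
DOMAIN = Gpo("Default Domain Policy", "domain", {RIGHT: ["CONTOSO\\svc_backup"]})
DOMAIN_UNDEFINED = Gpo("Default Domain Policy", "domain", {"MinimumPasswordLength": 12})
OU_GPO = Gpo("App Servers - Service Accounts", "ou",
             {RIGHT: ["CONTOSO\\svc_backup", "CONTOSO\\svc_app"]})

def demo():
    return {
        "domain_defines": resolve(RIGHT, [LOCAL, DOMAIN]),
        "domain_not_defined": resolve(RIGHT, [LOCAL, DOMAIN_UNDEFINED]),
        "blocked_ou": resolve(RIGHT, [LOCAL, DOMAIN], block_inheritance=True),
        "ou_gpo": resolve(RIGHT, [LOCAL, DOMAIN, OU_GPO]),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

In the `domain_defines` and `ou_gpo` cases the model reports the setting as not locally editable, which corresponds to the inactive Add User or Group button; in the other two cases the local value stands.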