How to allow setting Local Security Policies on local server that is joined to domain
I have a server joined to a domain. I need to change settings under Local Security Policy>User Rights Assignment>Log on as a service.
When I drill down and open the Log on as a service the Add User or Group button is inactive. I can get around this by creating a OU, blocking inheritance and adding this server to the OU. My question, Is there a better way to do this?
When I drill down and open the Log on as a service the Add User or Group button is inactive. I can get around this by creating a OU, blocking inheritance and adding this server to the OU. My question, Is there a better way to do this?
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Leave the server in current OU.
Create new GPO.
In GPMC Remove Authenticated Users group from Security filtering section of new GPO.
Add either computer account to Security filtering or (IMHO better), create new group, add server to group and add group to Security filtering section.
If you need detailed instructions, let me know.
Create new GPO.
In GPMC Remove Authenticated Users group from Security filtering section of new GPO.
Add either computer account to Security filtering or (IMHO better), create new group, add server to group and add group to Security filtering section.
If you need detailed instructions, let me know.
I think this will also have to a lot to do with what the domain functional level is. If it's 2k3, if I recall correctly, the local security policy of member servers would be determined by the default domain policy. I am pretty sure more granular control of these policies was not allowed until server 2008 functional level so the domain would need to be at least server 2008 functional level. Having said that, if the domain functional level is 2k8 or greater, then a granular policy/GPO like explained by the above comment is probably your best bet. If you need help figuring out what the domain functional level is, please let me know
@Jeremyricci
Policies are processed in this order L-S-D-OU, since 2000. Functional levels do not change processing of GPO.
L - local, S - site, D - domain, OU - organizational unit.
Policies are processed in this order L-S-D-OU, since 2000. Functional levels do not change processing of GPO.
L - local, S - site, D - domain, OU - organizational unit.
@Toni Uranjek
Maybe I wasn't clear, my apologies. Here's a practical example:
I have one client with domain functional level 2k3, their member servers, by default, cannot change their local security policy. If the default domain policy is changed and gpupdate run on member server, those changes populate, but are still grayed out (even if member server is 2k8/2k8R2).
Another client with functional level of 2008, member servers can manipulate their local security policy settings.
Maybe I wasn't clear, my apologies. Here's a practical example:
I have one client with domain functional level 2k3, their member servers, by default, cannot change their local security policy. If the default domain policy is changed and gpupdate run on member server, those changes populate, but are still grayed out (even if member server is 2k8/2k8R2).
Another client with functional level of 2008, member servers can manipulate their local security policy settings.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial