If you deny someone a certain right and later on you grant him this right (i.e. via a group membership), then the denial always has precedence over the granted rights.
In your case I can't really tell what is going on (or wrong). I heard of some Microsoft tools from the resource kit or the server CD that can help you with the effective group policy. But I can't tell you more about those tools.
I just had a look at my domain policy:
Open the MMC with your Active Directory User- and Computers-Settings.
Open the Group Policy for your domain.
Go to Computer Settings\Windows Settings\Security\Local Policy\User Rights.
(These are not the real names because I had to translate them from a German Windows.)
There should be the right "Logon as a service" listed.
Try to change something here if you haven't done this yet.
This is all I can tell you about it.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Balderman, Avishay
Sent: Tuesday, July 31, 2001 12:43
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] How do I grant user with rights to "logon as a service" on local machine.
Tom-The-Bomb, thank you,
I checked your suggestion, but it is still not clear.
For every account, the first time we add it as the logon account of a service, we get the message that it was granted the right to "login as a service".
So does it mean that all users are denied this right by default?
I also tested all the places I know where this right is being handled, and could not see any "deny".
Avishay
-----Original Message-----
From: Tom-The-Bomb [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 31, 2001 2:32 PM
To: [EMAIL PROTECTED]
Subject: AW: [ActiveDir] How do I grant user with rights to "logon as a
service" on local machine.
In Windows you can grant and deny rights. If you deny someone the right to logon as a service and later on you grant him this right, then he still won't have the right to logon as a service. This is what the "Effective column" says. Your "Local Policy column" probably says "grant this right to the specified user", but your "Effective column" doesn't, because you denied him this right somewhere else.
Because there are local and global security policies, it is very difficult to say what policy setting is actually going to be applied to a user. So there is the "Effective column" that tells you what the final setting will be.
You'll have to check all your policies to find out why the right is denied.
I guess your user is a member of a group to which this right is denied.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Balderman, Avishay
Sent: Tuesday, July 31, 2001 07:52
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] How do I grant user with rights to "logon as a service" on local machine.
When I change the "logon account" for a service on an Active Directory DC machine to a specific user, I get a message saying that the user was granted the right to logon as a service.
I want to grant this right manually without setting the user as a logon account to a service.
If I go to the Local Computer Policy and look for the "Logon as a service" right, there are two columns:
1. Local Policy Setting
2. Effective Policy Setting
The effective setting is read only and cannot be changed, but this is the right that needs to be updated.
Can anybody tell me how to turn on the "Effective" right?
Thank you,
Avishay Balderman
List info: http://www.activedir.org/mail_list.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
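The deny-over-grant rule discussed in this thread, as an added example that is not part of any message above: a short Python check that reads a user-rights export in the `[Privilege Rights]` format written by `secedit /export` and reports which accounts granted "Log on as a service" (`SeServiceLogonRight`) are still blocked by "Deny log on as a service" (`SeDenyServiceLogonRight`) through a group. The sample export, the account names and the `NoServiceLogon` group are constructed for illustration.

```python
# Constructed sample in the "[Privilege Rights]" format of a secedit export.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = svc_backup,svc_web,*S-1-5-20
SeDenyServiceLogonRight = NoServiceLogon
SeInteractiveLogonRight = Administrators
[Version]
signature="$CHICAGO$"
"""

# Hypothetical group membership (group -> members); in practice this comes from AD.
GROUPS = {"NoServiceLogon": {"svc_web", "tempuser"}}


def parse_privilege_rights(text):
    """Return {right_name: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {p.strip() for p in value.split(",") if p.strip()}
    return rights


def expand(principals, groups):
    """Add the members of any listed group (one level, enough for the sample)."""
    out = set(principals)
    for p in principals:
        out |= groups.get(p, set())
    return out


def service_logon_report(text, groups):
    """Map each granted account to 'effective' or 'denied'; a deny always wins."""
    rights = parse_privilege_rights(text)
    granted = expand(rights.get("SeServiceLogonRight", set()), groups)
    denied = expand(rights.get("SeDenyServiceLogonRight", set()), groups)
    return {a: ("denied" if a in denied else "effective") for a in sorted(granted)}


if __name__ == "__main__":
    for account, state in service_logon_report(SAMPLE_INF, GROUPS).items():
        print(f"{account:12} {state}")
```
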