Avishay,
First question, in the "Effective Rights" column, is 'Deny' explicitly
checked (even though it is grayed out)?
You'll have to trace up the OU tree to find where the right is Denied (in a
GPO) or use a tool such as Fazam 2000.
If it is, this is being inherited either from a policy set at the DC
container or from a policy set at a higher container such as the Domain
container. As someone else mentioned, if Deny is set at one of these levels
you will not be able to grant the right to any users. You may want to
create a group and apply a GPO that explicitly Denies members of a group
such as 'All Users' that permission then Allow 'Apply Group Policy'. Then
Deny the 'Apply Group Policy' to Domain Admins.
Mindy Tabin
-----Original Message-----
From: Balderman, Avishay [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 31, 2001 12:52 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] How do I grant user with rights to "logon as a service"
on local machine.
When I change the "logon account" for a service on an Active Directory DC
machine to a specific user,
I get a message saying that the user was granted with rights to logon as a
service.
I want to grant this right manually without setting the user as a logon
account to a service.
If I go to the Local Computer Policy, and look for the "Logon as a service"
right, there are two columns:
1. Local Policy Setting
2. Effective Policy Setting
The effective setting is read only and cannot be changed, but this is the
right that is needed to be updated.
Can anybody tell me how to turn on the "Effective" right?
Thank you,
Avishay Balderman
List info: http://www.activedir.org/mail_list.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info: http://www.activedir.org/mail_list.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
