Hi Mark
The default domain controller policy also sets the rights to log on
locally. We were attempting to deny logon local rights to our Service
accounts, and found that this GPO overrides the one we put in to deny the
service account group to log on locally (apparently GPO does not let the
same setting in two different GPOs to merge - either one wins for that
specific setting or the other wins for that setting). We ended up making
the changes to the default domain controller GPO and it then allowed us to
deny our service accounts terminal and local logon rights. It seems to
work now.
Regards;
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]
Al Lilianstrom
<[EMAIL PROTECTED] To: [EMAIL PROTECTED]
v> cc: (bcc: James
Day/Contractor/NPS)
Sent by: Subject: Re: [ActiveDir] Logging
on to a Domain Controller
[EMAIL PROTECTED]
tivedir.org
09/13/2004 07:54 AM EST
Please respond to
ActiveDir
Are they attempting to log on via the console or by Terminal Services?
If the later did you grant them access in the Terminal Server configuraton?
al
Abbiss, Mark wrote:
> I am going round in circles and am now completely confused !
>
> I would like to give a group of our 2nd level administrators the ability
> to log on to all Domain Controllers. I have applied a group policy to
> the "Domain Controllers " OU which sets the "Computer configuration ->
> windows settings -> security settings -> local policies -> user rights
> assignment " to give this group "Log on locally" rights. I have also
> ensured that the group policy is applied to all authorised users. I have
> no problem logging on as I am an Enterprise Admin, however, the other
> admins are denied the ability to log on.
>
> Therefore, I modified the local DC security settings to give the
> same group the "Log on locally" right. Still they cannot log on.
>
> Please, what could I be missing ? Do I need to set access rights
> anywhere else ? Can I do anything to troubleshoot what rights this group
> is getting ?
>
> Many thanks for any help.
--
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
