The problem with this method is if I define what accounts/groups can
have the access right thru a GPO attached to an OU then it could cause
applications that need certain user rights to not function.  For
instance, SMS needs several user rights to function properly, but since
the SMS client is not installed on the baseline until joining the domain,
I cannot set this on the baseline.  There are other service
accounts depending on specialized applications that may need rights that
a GPO could pull away.  

I used the ntrights that Bob suggested in a batch file and it did the
trick of pulling the access rights for ASPNET.  
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, August 04, 2005 5:10 PM
To: [email protected]
Subject: RE: [ActiveDir] Remove user rights

You could build a security configuration template using the Security
templates snap in, then either apply it to your standard image or import
it in to a GPO, on the OU where the computers reside.

Mark

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: 04 August 2005 22:02
To: [email protected]
Subject: [ActiveDir] Remove user rights

 
Is there a way thru script to remove an account's user rights from a
local policy on a machine without affecting other accounts or groups that
have that same right?

For instance.

Ensure that ASPNET account does not have login as a service, login as
batch job user rights.

But I don't want to affect any other accounts that may have that right.

I know I could go in and manually edit the local policy but looking to
do this in a batch file or something so I can ensure that all drives are
built the same.

Jeff

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
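
The approach reported at the top of this thread (ntrights in a batch file), shown as an added example that is not the poster's actual script. It assumes ntrights.exe is on the PATH and that the secedit export lists the local account by name; the temp file name is illustrative.

```batch
@echo off
setlocal
rem Added example: revoke two logon rights from one account only.
rem ACCOUNT and the rights come from the thread; CFG is an illustrative path.
set ACCOUNT=ASPNET
set CFG=%TEMP%\user_rights.inf
set FAILED=0

for %%R in (SeServiceLogonRight SeBatchLogonRight) do (
    rem -r revokes the right from the -u account; other holders are untouched.
    ntrights -u %ACCOUNT% -r %%R
)

rem Export the local user rights assignments and confirm the account is gone.
secedit /export /cfg "%CFG%" /areas USER_RIGHTS >nul
if errorlevel 1 (
    echo secedit export failed
    exit /b 2
)

for %%R in (SeServiceLogonRight SeBatchLogonRight) do (
    rem type converts the Unicode export so findstr can read it.
    rem /b anchors at line start, so SeDeny* entries are not matched.
    rem Assumption: the account appears by name, not by SID, in the export.
    type "%CFG%" | findstr /i /b "%%R" | findstr /i "%ACCOUNT%" >nul
    if not errorlevel 1 (
        echo %ACCOUNT% still holds %%R
        set FAILED=1
    )
)

del "%CFG%"
exit /b %FAILED%
```

A domain GPO that defines the same rights will overwrite the local assignment at the next policy refresh, so this check reflects the machine's state only at the time it runs.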



