Basic rule[1] from W2K hasn’t changed AFAICT.

[1] Security Options settings are destructive.

From: [email protected] [mailto:[email protected]] On 
Behalf Of Dave Lum
Sent: Thursday, July 30, 2015 1:53 PM
To: [email protected]
Subject: RE: [NTSysADM] GPO Brain cramp - log on as a service, append perms

Sorry for not being clear, but yes Bonnie and Aakash are correct, I was using 
domain-level GPO and it flattens the local policy settings for the same Log on 
as Service settings.

Dave

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Aakash Shah
Sent: Thursday, July 30, 2015 1:42 PM
To: [email protected]<mailto:[email protected]>
Subject: RE: [NTSysADM] GPO Brain cramp - log on as a service, append perms

Apologies if I misunderstood, but it sounds like Dave is attempting to apply 
this change using a domain Group Policy (not using the local Group Policy 
editor) and it is being overwritten/replaced and not appended. And it sounds 
like Charles is attempting to do this via the local GP editor (vs a domain GP).

I have always noticed the same behavior, i.e. domain GP will overwrite/replace 
settings applied in the User Rights Assignment, but when making those changes 
in the Local GP editor, you can append/remove as needed.

This can probably be scripted, but I’ve not found a way to append users/groups 
to User Rights Assignment via domain GP.  If someone is aware of how to do 
this, I’d love to hear about it too since I’ve run across the same issue in the 
past.

-Aakash Shah

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Charles F Sullivan
Sent: Thursday, July 30, 2015 1:03 PM
To: [email protected]<mailto:[email protected]>
Subject: RE: [NTSysADM] GPO Brain cramp - log on as a service, append perms

I’m not on a domain member machine right now, but I open the setting, add 
Groups to the object types that I need to choose from, add the local 
Administrators group and it holds. (The only existing principal was NT 
SERVICE\ALL SERVICES, but that remains along with Administrators.)

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]<mailto:[email protected]>] 
On Behalf Of Dave Lum
Sent: Thursday, July 30, 2015 3:48 PM
To: [email protected]<mailto:[email protected]>
Subject: RE: [NTSysADM] GPO Brain cramp - log on as a service, append perms

Affirmative

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Charles F Sullivan
Sent: Thursday, July 30, 2015 12:16 PM
To: [email protected]<mailto:[email protected]>
Subject: RE: [NTSysADM] GPO Brain cramp - log on as a service, append perms

When you add the group to “Local Policies\User Rights Assignment\Log on as a 
service” it removes all other entries?

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]<mailto:[email protected]>] 
On Behalf Of Dave Lum
Sent: Wednesday, July 29, 2015 10:56 AM
To: [email protected]<mailto:[email protected]>
Subject: [NTSysADM] GPO Brain cramp - log on as a service, append perms

I swear I’ve done this before but seem to be remembering it wrong. I want to 
give an Active Directory group permissions to log on as a service, but the GPO 
I create to do this flattens the existing settings on the machine itself (in my 
case it’s NT SERVICE\<windows internal databasename> and some others depending 
on the machine).

What n0b step am I overlooking? Google-Fu also fails me…

Dave
Attention: Information contained in this message and or attachments is intended 
only for the recipient(s) named above and may contain confidential and or 
privileged material that is protected under State or Federal law. If you are 
not the intended recipient, any disclosure, copying, distribution or action 
taken on it is prohibited. If you believe you have received this email in 
error, please contact the sender, delete this email and destroy all copies.
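
The replace-not-append behaviour discussed in this thread can be checked before a GPO is linked. The following PowerShell is an added example, not code from any poster in the thread: a read-only comparison of a machine's current "Log on as a service" list against the list in a GPO's security template. It assumes an elevated prompt (needed for `secedit /export`) and a local copy of the GPO's `GptTmpl.inf`; the `.\GptTmpl.inf` default path and the `EXAMPLE\SvcGroup` name in the comment are placeholders.

```powershell
# Added example: read-only check, nothing here changes policy.
# Run it before the GPO is linked; once the GPO has applied, the local
# export already reflects the replaced list.
param(
    # Hypothetical path: point this at a copy of the GPO's GptTmpl.inf.
    [string]$GpoTemplate = '.\GptTmpl.inf',
    [string]$Right = 'SeServiceLogonRight'
)

function ConvertTo-Sid([string]$Entry) {
    # Template entries are either *S-1-... SIDs or plain account names.
    if ($Entry.StartsWith('*')) { return $Entry.Substring(1) }
    try {
        $acct = New-Object System.Security.Principal.NTAccount($Entry)
        return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $Entry }   # unresolvable name: compare as text
}

function Get-RightSids([string]$Path, [string]$Right) {
    # Line format: SeServiceLogonRight = *S-1-5-80-0,EXAMPLE\SvcGroup
    $line = Get-Content -Path $Path |
        Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    @(($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ } |
        ForEach-Object { ConvertTo-Sid $_ })
}

$export = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null

$local = @(Get-RightSids $export $Right)
$gpo   = @(Get-RightSids $GpoTemplate $Right)

if ($gpo.Count -eq 0) {
    Write-Output "No entries for $Right found in the template; nothing to compare."
} else {
    # The GPO's list replaces the local one, so anything local-only is lost.
    $dropped = @($local | Where-Object { $gpo -notcontains $_ })
    foreach ($sid in $dropped) { Write-Output "Dropped when the GPO applies: $sid" }
    # Line the GPO would need in order to keep the existing entries as well.
    $merged = @($gpo + $dropped | Select-Object -Unique |
        ForEach-Object { if ($_ -like 'S-1-*') { "*$_" } else { $_ } })
    Write-Output ("$Right = " + ($merged -join ','))
}
Remove-Item $export -ErrorAction SilentlyContinue
```

Per-service SIDs such as the `NT SERVICE\...` entries mentioned above differ between machines, so the merged line is only valid for the machine it was generated on.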