
"Log on as a Batch Job" Locked Out in Local Group Policies


Michael E. McAteer

Mar 3, 2008, 6:52:00 PM
Our Default Domain Policy has "Log on as a batch job" defined and set to
allow 2 accounts this privilege. We have the need to enable a local user
account the same privilege on one server for an application. I cannot edit
that line of Local Group Policies on any machine. Every line in "User Rights
Assignment" has a typical icon that looks like a page with binary on it,
except "Log on as a batch job", it has an icon that looks like 2 computers.
If I open it to edit it all fields are greyed out. Normally I would use a
domain policy to do this, however this is for an application that is only
installed on that computer and the account for that application is a local
computer account. This is a member server, not a domain controller. I have
looked at this local group policy setting on multiple machines and it is the
same, all options are greyed out on all computers I've looked at for that
particular setting, "Log on as a batch job". None of our domain policies are
set to "Enforce". Any ideas? Is this locked for a reason? Can I unlock it on
this server?

Thanks in advance for any help or advice,
--
Michael E. McAteer
Network Engineer
MCSA, MCSE, CNA, A+

Florian Frommherz [MVP]

Mar 4, 2008, 2:00:12 AM
Howdie!

Michael E. McAteer wrote:

Even if you looked at the domain policies, my guess is that there's some
policy that configures the "Log on as a batch job" policy so that it is
disabled on the clients.

Run rsop.msc and gpresult.exe on the client to see if there is an active
policy that dictates that setting.

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Use a newsreader! http://www.frickelsoft.net/news.html
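
The check suggested in the reply above, sketched in PowerShell as an added example (not part of the original thread or any poster's own code): it lists the accounts that actually hold SeBatchLogonRight on the server and saves the verbose gpresult output for review. The two temp-file names are assumptions.

```powershell
# Added example, not from the thread. Run from an elevated prompt on the member server.
$cfg    = Join-Path $env:TEMP 'user_rights.inf'     # placeholder path (assumption)
$report = Join-Path $env:TEMP 'rsop_computer.txt'   # placeholder path (assumption)

# Export the user rights currently stored on this machine to an INF file.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# In the export the right appears on one line, for example:
#   SeBatchLogonRight = *S-1-5-...,SomeName
$match = Select-String -Path $cfg -Pattern '^SeBatchLogonRight\s*=' |
         Select-Object -First 1

if (-not $match) {
    Write-Output 'No account holds "Log on as a batch job" on this machine.'
} else {
    $value = ($match.Line -split '=', 2)[1]
    foreach ($entry in $value.Split(',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        if ($entry.StartsWith('*')) {
            # Entries prefixed with * are SIDs; translate them to account names.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '(unresolved)' }
            Write-Output ("{0}  ->  {1}" -f $sid.Value, $name)
        } else {
            # Entries without * were exported by name rather than by SID.
            Write-Output $entry
        }
    }
}

# Verbose resultant set of policy for the computer. Search the saved report
# for the user right to see which GPO supplied the winning value.
gpresult /scope computer /v | Out-File -FilePath $report
Write-Output "RSoP report written to $report"
```

Running it again after a policy change and `gpupdate /force` shows whether the local application account now appears in the list.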

Henrik Johansson

Mar 4, 2008, 10:22:12 AM
"Michael E. McAteer" <Michael...@discussions.microsoft.com> wrote in
message news:4B2197DE-29A2-47D6...@microsoft.com...

Normal behaviour when defining settings through GPO.
You stated that you've defined the setting in the 'default domain policy'.
Local policy has lowest priority and settings will be overwritten if they're
defined in a GPO linked to site, domain or OU.

Create a new GPO and define the modified setting in it.
Place the server in a new sub-OU and link the GPO to it, or link the GPO to
a higher level and modify the ACL for the GPO to only allow apply for the
single server.

/Henrik


Michael E. McAteer

Mar 5, 2008, 4:33:01 PM
So is this a Policy that cannot be merged? Yes I have it defined in our
default domain GPO but this particular account is a local account placed by a
software install. I can't give a local account rights in a domain policy. I
thought if I could configure it in a local policy it would simply merge with
the users in the domain policy? However since I do have it defined in the
default domain policy I can't edit that setting in the local policy. Is this
correct or is something else preventing me from adding a local account in the
local GP? I can't seem to find anything except the default domain policy that
has anything defined for that setting.

Thanks again,


--
Michael E. McAteer
Network Engineer
MCSA, MCSE, CNA, A+

Henrik Johansson

Mar 7, 2008, 8:51:59 PM
"Michael E. McAteer" <Michael...@discussions.microsoft.com> wrote in
message news:CDABE561-C344-477C...@microsoft.com...

> So is this a Policy that cannot be merged? Yes I have it defined in our
> default domain GPO but this particular account is a local account placed
> by a software install. I can't give a local account rights in a domain
> policy. I thought if I could configure it in a local policy it would
> simply merge with the users in the domain policy? However since I do have
> it defined in the default domain policy I can't edit that setting in the
> local policy. Is this correct or is something else preventing me from
> adding a local account in the local GP? I can't seem to find anything
> except the default domain policy that has anything defined for that
> setting.

As you've defined the setting in the domain policy, you need to configure
the setting in a GPO linked to the OU-level to *override* the setting
defined in the domain policy.

Enter the username (or groupname) without domain-reference in the policy to
refer to a local account.

/Henrik

> Thanks again,
> --
> Michael E. McAteer
> Network Engineer
> MCSA, MCSE, CNA, A+