Archived from groups: microsoft.public.win2000.security
Create an Organizational Unit for that computer. Then create a new GPO for that OU
and configure the logon locally user right to be what you want for computers in that
OU. All other Group/security policy will be inherited for computer configuration,
just that one defined user right will override both local and domain policy. Move the
computer into that OU and run secedit /refreshpolicy machine_policy /enforce on the
domain controller and then reboot your computer in the new OU and you should be in
business. You can create a new OU by selecting the domain in AD Users and computers,
right click and select new/OU. Then for the OU select properties/Group Policy - new
to create a new GPO linked to that OU. Name it appropriately and select edit to modify
it. You then need to go to computer configuration/Windows settings/security
settings/local policies/user rights. --- Steve
"Zack Schneeberger" <schneebie1@hotmail.com> wrote in message
news:a2aa04c0.0409200812.5bc78836@posting.google.com...
> When I run gpresult /C I get this (along with other info, but this is the
> important stuff):
>
> ===============================================================
> The computer received "Security" settings from these GPOs:
>
> Local Group Policy
> Default Domain Policy
>
> So I see I can add 'Log On Locally' rights at the Default Domain
> Policy but I don't want to do that because it will allow those users
> to log into every computer in the domain. BAD. I just want one set of
> users to log in locally into this one computer so I should be able to
> go into 'Local Group Policy' and add the group right? But I cannot.
> And nothing is denying anyone rights.
>
> I want just one set of users to be able to log into this one box.
>
> Zack
>
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:<EQ_2d.64338$MQ5.7534@attbi_s52>...
>> If it is not a domain controller and you can not modify Local Security Policy for
>> that user right then there is a higher GPO applying the policy. If you run gpresult
>> /c on that computer it will show you what GPO's are applying computer configuration
>> and those would be the ones to check. From what you describe it may be the Domain
>> Security Policy. If you open Domain Security Policy you should be able to add
>> users/groups you want to have logon locally access. Then run secedit /refreshpolicy
>> machine_policy /enforce first on the domain controller and then on your server to see
>> if that helps. Note that user rights can be defined without any entries which means
>> the policy is enabled and no one has that user right. Group/security policy is
>> applied in this order local>site>domain>OU>child OU. If policy is applied via a
>> defined setting in multiple GPO's the last policy applied is the effective policy
>> unless GPO filtering/no override/block inheritance is used. If there are multiple
>> GPO's in a container, the GPO at the top of the list has highest priority. The domain
>> controller container should be considered an OU for policy application. --- Steve
>>
>>
>> "Zack Schneeberger" <schneebie1@hotmail.com> wrote in message
>> news:a2aa04c0.0409180456.421b5096@posting.google.com...
>> > Thanks for the fast reply Steve. It is not a DC so I am guessing that
>> > it would not be configured in the Domain Controller Security Policy
>> > but rather the 'Default Domain Policy.' I checked there; here is what
>> > I found:
>> > - 'Administrator' is the only group given permission in Allow Local
>> > Logon
>> > - There is nothing in the 'Deny Local Logon' attribute
>> >
>> > So since nothing is being denied I should still be able to add users
>> > in my 'Local Security Policy' right? But I am not able to. I have no
>> > idea why.
>> >
>> > Zack
>> >
>> > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
>> > news:<uKK2d.209792$Fg5.22953@attbi_s53>...
>> >> If this is a domain controller it has to be configured in Domain Controller Security
>> >> Policy. You can also use the gpresult support tool on a domain computer to see what
>> >> "computer" configuration GPO's are applied to that computer [not user]. A GPO from
>> >> anywhere other than local could have that policy enabled for computer
>> >> configuration. --- Steve
>> >>
>> >>
>> >> "Zack Schneeberger" <schneebie1@hotmail.com> wrote in message
>> >> news:a2aa04c0.0409171054.33b7b5f2@posting.google.com...
>> >> > I have spent 5 hours trying to figure out this problem. We have a
>> >> > server that is part of the Domain and is running Windows 2000 Server.
>> >> > I am trying to modify the 'Log on locally' policy setting.
>> >> >
>> >> > After I click on 'Log on locally', the 'Effective Policy Setting' for
>> >> > the groups that I want to log on locally is greyed out and unchecked.
>> >> > So that leads me to the conclusion that a Domain Level Policy is being
>> >> > pushed down right?! Well wrong! I have scanned 'Domain Security
>> >> > Policy' and the 'Default Domain Policy' and there is no reference to
>> >> > 'Deny Local Logon' to any group which is maybe why the 'Effective
>> >> > Policy Setting' is greyed out and unchecked for certain groups in the
>> >> > 'Log on locally' policy setting.
>> >> >
>> >> > Why is the 'Effective Policy Setting' greyed out and unchecked for
>> >> > groups in my 'Log on locally' policy setting? It appears that there is
>> >> > nothing denying their existence locally.
>> >> >
>> >> > Thanks in Advance,
>> >> > Zack
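
The precedence rules described in this thread (local > site > domain > OU > child OU, last defined setting wins, a right defined with no entries grants it to no one, with No Override and Block Inheritance as exceptions), modelled in Python as an added example that is not part of the original posts. It is a simplified model rather than a Windows API; the group "AppUsers" and the OU and GPO names other than "Local Group Policy" and "Default Domain Policy" are hypothetical.

```python
from dataclasses import dataclass, field

RIGHT = "Log on locally"

@dataclass
class GPO:
    name: str
    rights: dict = field(default_factory=dict)  # missing key = "Not defined"
    no_override: bool = False

@dataclass
class Container:
    name: str
    gpos: list                     # top of the list = highest priority
    block_inheritance: bool = False

def effective_right(chain, right=RIGHT):
    """chain is in application order: local, site, domain, OU, child OU.
    Returns (winning GPO name, principals), or (None, None) if undefined."""
    # A No Override link in the highest container beats everything below it.
    for c in chain:
        forced = [g for g in c.gpos if g.no_override and right in g.rights]
        if forced:
            return forced[0].name, forced[0].rights[right]
    # Block Inheritance hides links above the blocking container (not local).
    start = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    winner = None
    for i, c in enumerate(chain):
        if 0 < i < start:
            continue
        for gpo in reversed(c.gpos):   # bottom of the list applies first
            if right in gpo.rights:
                winner = gpo           # last defined setting wins
    return (winner.name, winner.rights[right]) if winner else (None, None)

# Constructed scenario modelled on the thread; "AppUsers" and the OU/GPO
# names below are hypothetical.
local = Container("local", [GPO("Local Group Policy", {RIGHT: ["Administrators", "AppUsers"]})])
domain = Container("domain", [GPO("Default Domain Policy", {RIGHT: ["Administrators"]})])
ou = Container("OU=OneServer", [GPO("OneServer Logon", {RIGHT: ["Administrators", "AppUsers"]})])
locked = Container("OU=Locked", [GPO("Empty Right", {RIGHT: []})])

def demo():
    return {
        "before": effective_right([local, domain]),      # domain GPO overrides local
        "after": effective_right([local, domain, ou]),   # OU GPO overrides domain
        "empty": effective_right([local, domain, locked]),  # defined, no entries
    }

if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The "before" case reproduces the greyed-out local setting from the original question: the local entry exists but the domain-level definition is applied after it and replaces it.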