RE: Local security getting overwritten

---

• From: Scott S. <ScottS@xxxxxxxxxxxxxxxx>
• Date: Wed, 24 May 2006 05:04:02 -0700

---

Jeffrey,

When someone is asking for help, I've never quite understood why many people
refuse to answer the questions asked, but instead try to tell them they don't
need to do that, or ask detailed reasons for their need before giving them
help ... I can tell from reading these forums for years that it can be quite
frustrating to them ... and now for me too. Here are the answers your
questions so hopefully you or someone else might actually try to answer my
questions:

I am the Domain Admin on our production and test networks. If I had known
about calls like these years ago, I would have tried adding them to scripts
to speed up many of the tedious and involved tasks that come up over and over
.... but that isn't the point. The real need is for use in a configuration
tool that is used during and after installation of a product we developed and
sell. We hope to sell many many copies and many of our target niches are
small businesses where they are unlikely to have full time IS personnel.

Our experience has been that many of them hired a company to come in and get
them setup and then they take care of their own systems after that, except
when things they can't handle come up. They know their Domain Admin
passwords to do simplae things like adding users, installings applications,
backing up, etc., but they don't know how to do the thousands of more unusual
things.

I don't want the installation of our application to be a trial for our
customers requiring them to bring in outside assistance at an extra cost, and
we are also a small company and can afford to send someone onsite for
installation. I have added extensively to the configuration tool so that is
creates domain user accounts and groups, creates file shares, sets up COM+
applications and does all the DCOM security configuration. All done in a
nice it little program that explains what is going on in terms of our
application and lets the customer make their choices in termiology they
understand. It is a very involved bit of automation. The only remaining
piece it setting the domain level policy ...

Anyone care to offer help?

Scott

""Jeffrey Tan[MSFT]"" wrote:

Hi Scott,

Thanks for your feedback!

In this scenario, the Domain Policy conflicts with your server application
account requirement. So I think the suitable solution is notifying your
domain admin to change the domain policy, which allows your server
application running account to have 'Log on as batch job' right.

Writing a configuration tool to change the domain policy is not the best
solution in current situation. This is because changing the Domain Policy
requires Domain Admin right. If you have Domain Admin right, it is simpler
to use your domain admin right to run Group Policy Object Editor tool to
change that domain policy than writing another tool.

So, I think you'd better contact the domain admin (or you can do it
yourself, if you have domain admin right) to change the domain policy, this
is the simplest solution.

If I misunderstand your concern, please feel free to tell me, thanks!

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

.

---

• Follow-Ups:
  • Re: Local security getting overwritten
    • From: Alun Jones
  • RE: Local security getting overwritten
    • From: "Jeffrey Tan[MSFT]"

• References:
  • RE: Local security getting overwritten
    • From: "Jeffrey Tan[MSFT]"
  • RE: Local security getting overwritten
    • From: "Jeffrey Tan[MSFT]"

• Prev by Date: Re: AzMan Access Check
• Next by Date: Re: smart card and signing email => pin dialog => csp??
• Previous by thread: RE: Local security getting overwritten
• Next by thread: RE: Local security getting overwritten
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Group Policy not applying over Network to XP users ... >> I've modified the screen saver policies in the Default Domain Policy. ... >> these Domain admin accounts. ... I tried the second domain admin account but the policy had not ... >> roaming profile configured. ... (microsoft.public.win2000.active_directory) Re: I implimented a group policy and it priventing me from getting to the MMC ... If you configured this on the "Default Domain Policy" you could rename the ... the next time the users log on. ... the Adminpak and right-click AD Users and Computers and specify domain Admin ... > remove the GPO from the domain controler so that I can fix ... (microsoft.public.windows.group_policy) Re: Restricted Groups in OU ... The Default Domain Policy was "enforced". ... set it to not "enforce", then the OU policy did take effect. ... > The OU policies do supersede the domain policies. ... >> group as well as the Domain Admin. ... (microsoft.public.windows.group_policy) RE: Local security getting overwritten ... the Domain Policy conflicts with your server application ... account requirement. ... domain admin to change the domain policy, ... (microsoft.public.platformsdk.security) Urgent: permissions/policy restrictions ... Logged into the machine as domain admin and installed ... Novell eDir 8.7 (NDS) on a win2k. ... After installation, in the services panel, I find the ... any network operations stating that "access denied". ... (microsoft.public.win2000.security)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(14)