RE: Local security getting overwritten

Hi Scott,

Thanks for your defailed feedback!

Yes, I understand your concern. The reason I asked you for more information
is that knowing more background information I can understand your real need
better and may provide a better solution in the scenario. Thanks for your
understanding.

Based on my understanding, you will sale your application to other company,
whose domain policy may overwrite the right you needed. So your
configuration tool wanted to take charge of the automation actions and
change the customer's domain policy automatically without their domain
admins' work. If I have misunderstood you, please feel free to tell me.

To automate the domain policy programmatically, you may programmatically
change the LSA setting on the DC. The first reply I provided to you
contains the articles shows how to add the account right programmatically
with LSA APIs. More specificly, you should use LsaAddAccountRights to add
SE_BATCH_LOGON_NAME to the account your application wanted to run.

There are several issues you should take care of:
1. The first parameter of LsaOpenPolicy "SystemName" should point to the DC
machine's name.
2. The configuration tool requires Domain Admin to run it, so that the code
has the enough right to operate the DC LSA.

If you have anything unclear, please feel free to tell me, thanks!

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

.