Re: Effective Policy Setting for IWAM_Machinename account

From: Steven L Umbach (n9rou_at_comcast.net)
Date: 07/29/03


Date: Tue, 29 Jul 2003 02:34:51 GMT


OK. An OU or Organizational Unit is an Active Directory container for the purpose of
logically segmenting a domain for the purpose of divisions/geography [East/West,
Sales/Marketing, etc], delegating authority, or applying unique Group Policy. Anyhow
you could create one for your server, move the server into it, create and configure a
Group Policy for it that would accomplish your need. First go to Active Directory
Users and Computers management console and expand the domain. Right click the domain
and select new/Organizational Unit. Name it something appropriate. Then right click
your new OU and select properties/Group Policy/new. You will see "new Group Policy
Object" appear. Name it something appropriate and then select the new Group
Policy/edit. Then go to computer configuration/Windows settings/security
settings/local policies/user rights assignments. Find the setting you are looking for
"log on as batch job" and add the account that you want to have that right - do not
browse for it, just type it in and hit OK for both boxes and the account should then
appear. Now move your server into that OU. Right click the server and select move [I
am assuming this is not a domain controller]. Then on the domain controller run
secedit /refreshpolicy machine_policy /enforce. If a reboot of it is not too
difficult for the domain controller do that also. After that do the same on your IIS
server - secedit /refreshpolicy machine_policy /enforce and reboot if possible. Then
check your Local Security Policy settings again and the "log on as batch job" for
that account should show as effective setting. --- Steve

"Chris" <NoSpam@Spamless.net> wrote in message
news:OPXkweUVDHA.2236@TK2MSFTNGP10.phx.gbl...
> Steve,
>
> Yep, the web server is in a domain and I've got domain administrative
> rights.
>
> Christopher.
>
> "Steven L Umbach" <n9rou@comcast.net> wrote in message
> news:6lbVa.165666$N7.22577@sccrnsc03...
> > Just to verify for me. That computer is in a domain and you have domain
> > administrative rights? --- Steve
> >
> >
> > "Chris" <NoSpam@Spamless.net> wrote in message
> > news:#XPzCCQVDHA.624@TK2MSFTNGP10.phx.gbl...
> > > Thanks for your reply Steve,
> > >
> > > Sorry, I'm a bit new to this stuff. Can you tell me what an OU and a GPO is
> > > so that I can find out how to create them.
> > >
> > > Thanks,
> > > Christopher.
> > >
> > > "Steven L Umbach" <n9rou@comcast.net> wrote in message
> > > news:DI1Ua.123326$OZ2.24890@rwcrnsc54...
> > > > You could create an OU for that computer and move it into it. Then create a
> > > > new GPO for the OU. Then add the accounts you need to that user right. Everything
> > > > else in the GPO will be undefined, but that particular user right you configure will
> > > > override the domain policy and show up as your "effective" setting. Do not "browse"
> > > > for those account names, just type/copy them into the add box. --- Steve
> > > >
> > > >
> > > > "Chris" <NoSpam@Spamless.net> wrote in message
> > > > news:OYM1pLiUDHA.1744@TK2MSFTNGP12.phx.gbl...
> > > > > I receive this error message every so often when trying to run an ISAPI
> > > > > application in HIGH mode on IIS5 (win 2000 server)...
> > > > >
> > > > > DCOM got error "Logon failure: the user has not been granted the requested
> > > > > logon type at this computer. " and was unable to logon .\IWAM_NT_ISA01 in
> > > > > order to run the server:
> > > > >
> > > > > {167A80F6-04DB-4883-9958-C04FD265AA28}
> > > > >
> > > > >
> > > > > I have found a knowledge base article that tells me that I need to give
> > > > > IWAM_MachineName account "Logon as a batch job" rights...
> > > > >
> > > > > http://support.microsoft.com/default.aspx?scid=kb;EN-US;297519
> > > > >
> > > > > But at the end it says...
> > > > >
> > > > > 1. On the Administrative Tools menu, expand Local Security Policies.
> > > > > 2. Select User Rights Assignment.
> > > > > 3. Select the IWAM_MACHINENAME and IUSR_MACHINENAME accounts.
> > > > > NOTE: If domain level policy settings are defined, they override local policy
> > > > > settings. Make sure that the Effective Policy Setting is also selected (this
> > > > > setting is dimmed). Contact your domain administrator if this setting is not
> > > > > selected.
> > > > >
> > > > > How do I make the Effective Policy Setting selected? On the Domain
> > > > > Controller machine (a different win 2000 server) there is no way to select
> > > > > the user IWAM_MachineName because it is a user local to the web server
> > > > > machine.
> > > > >
> > > > > Can anyone tell me how to get this "Logon as batch job" in the Effective
> > > > > Policy Setting.
> > > > >
> > > > > Thanks,
> > > > > Christopher.
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
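
A way to confirm the result of the steps in this thread without opening the Local Security Policy console, as an added example that is not part of the original posts: parse a `secedit /export` of the user rights and report whether an account holds "log on as batch job" (`SeBatchLogonRight`) or is blocked by the matching deny right. The sample export is constructed; `IUSR_NT_ISA01` and the SIDs are illustrative, and the function names are this example's own.

```python
import configparser

# Constructed sample of the file written by
#   secedit /export /mergedpolicy /areas USER_RIGHTS /cfg rights.inf
# Real exports are usually UTF-16: open(path, encoding="utf-16").read()
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-1-0
SeBatchLogonRight = IWAM_NT_ISA01,IUSR_NT_ISA01
SeDenyBatchLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_rights(inf_text):
    """Return {right name: [principals]} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep the case of the right names
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    # Entries are account names or SIDs written as *S-1-...; drop the marker.
    return {
        right: [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
        for right, value in cp.items("Privilege Rights")
    }


def batch_logon_status(inf_text, account):
    """Return 'granted', 'denied' or 'missing' for a name or SID string.

    Assumption: the caller passes the account in the form the export uses
    (name or SID); no name-to-SID resolution is attempted here.
    """
    rights = parse_rights(inf_text)
    wanted = account.lstrip("*").lower()
    held = {p.lower() for p in rights.get("SeBatchLogonRight", [])}
    blocked = {p.lower() for p in rights.get("SeDenyBatchLogonRight", [])}
    if wanted in blocked:
        return "denied"  # a deny right wins over the matching allow right
    return "granted" if wanted in held else "missing"


if __name__ == "__main__":
    for who in ("IWAM_NT_ISA01", "S-1-5-32-546", "IWAM_OTHER"):
        print(who, batch_logon_status(SAMPLE_INF, who))
```

A "missing" result after the policy refresh means the OU's GPO has not reached the server or another policy is overriding the setting.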


