Re: Effective Setting Greyed Out and Cannot Invoke Settings in 'Log on locally'

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 09/18/04


Date: Sat, 18 Sep 2004 18:08:36 GMT

If it is not a domain controller and you cannot modify Local Security Policy for
that user right, then there is a higher GPO applying the policy. If you run gpresult
/c on that computer, it will show you what GPOs are applying computer configuration,
and those would be the ones to check. From what you describe it may be the Domain
Security Policy. If you open Domain Security Policy you should be able to add
users/groups you want to have logon locally access. Then run secedit /refreshpolicy
machine_policy enforce first on the domain controller and then on your server to see
if that helps. Note that user rights can be defined without any entries, which means
the policy is enabled and no one has that user right. Group/security policy is
applied in this order: local>site>domain>OU>child OU. If policy is applied via a
defined setting in multiple GPOs, the last policy applied is the effective policy
unless GPO filtering/no override/block inheritance is used. If there are multiple
GPOs in a container, the GPO at the top of the list has highest priority. The domain
controller container should be considered an OU for policy application. --- Steve

"Zack Schneeberger" <schneebie1@hotmail.com> wrote in message
news:a2aa04c0.0409180456.421b5096@posting.google.com...
> Thanks for the fast reply, Steve. It is not a DC so I am guessing that
> it would not be configured in the Domain Controller Security Policy
> but rather the 'Default Domain Policy.' I checked there; here is what
> I found:
> - 'Administrator' is the only group given permission in Allow Local
> Logon
> - There is nothing in the 'Deny Local Logon' attribute
>
> So since nothing is being denied I should still be able to add users
> in my 'Local Security Policy', right? But I am not able to. I have no
> idea why.
>
> Zack
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:<uKK2d.209792$Fg5.22953@attbi_s53>...
>> If this is a domain controller it has to be configured in Domain Controller
>> Security Policy. You can also use the gpresult support tool on a domain
>> computer to see what "computer" configuration GPOs are applied to that
>> computer [not user]. A GPO from anywhere other than local could have that
>> policy enabled for computer configuration. --- Steve
>>
>>
>> "Zack Schneeberger" <schneebie1@hotmail.com> wrote in message
>> news:a2aa04c0.0409171054.33b7b5f2@posting.google.com...
>> > I have spent 5 hours trying to figure out this problem. We have a
>> > server that is part of the Domain and is running Windows 2000 Server.
>> > I am trying to modify the 'Log on locally' policy setting.
>> >
>> > After I click on 'Log on locally', the 'Effective Policy Setting' for
>> > the groups that I want to log on locally is greyed out and unchecked.
>> > So that leads me to the conclusion that a Domain Level Policy is being
>> > pushed down right?! Well wrong! I have scanned 'Domain Security
>> > Policy' and the 'Default Domain Policy' and there is no reference to
>> > 'Deny Local Logon' to any group which is maybe why the 'Effective
>> > Policy Setting' is greyed out and unchecked for certain groups in the
>> > 'Log on locally' policy setting.
>> >
>> > Why is the 'Effective Policy Setting' greyed out and unchecked for
>> > groups in my 'Log on locally' policy setting? It appears that there is
>> > nothing denying their existence locally.
>> >
>> > Thanks in Advance,
>> > Zack
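
Added example, not part of the original thread: a small Python model of the precedence rules described in the reply above (local>site>domain>OU>child OU, last defined setting wins, top-of-list GPO in a container has highest priority, No Override and Block Inheritance), applied to the 'Log on locally' user right. The group AppOperators and the GPO name Server Lockdown are hypothetical, all data is constructed, and treating local policy as unaffected by Block Inheritance is a modelling assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Application order from the thread: local > site > domain > OU > child OU.
LEVELS = ["local", "site", "domain", "ou", "child_ou"]

@dataclass
class Gpo:
    name: str
    level: str
    logon_locally: Optional[frozenset] = None  # None = not defined in this GPO
    link_order: int = 1                        # 1 = top of the container's list
    no_override: bool = False

def effective_logon_locally(gpos, block_inheritance_at=None):
    """Return (winning GPO name, accounts holding the right) or (None, None)."""
    rank = LEVELS.index
    defined = [g for g in gpos if g.logon_locally is not None]
    if block_inheritance_at:
        # Block Inheritance drops GPOs linked above that container, except
        # No Override links. Assumption: local policy is never blocked.
        cut = rank(block_inheritance_at)
        defined = [g for g in defined
                   if g.level == "local" or rank(g.level) >= cut or g.no_override]
    if not defined:
        return None, None
    enforced = [g for g in defined if g.no_override]
    if enforced:
        # Among No Override links the highest container wins, then top of list.
        winner = min(enforced, key=lambda g: (rank(g.level), g.link_order))
    else:
        # Otherwise the last GPO applied wins: deepest container, and within
        # one container the GPO at the top of the list (link_order 1).
        winner = max(defined, key=lambda g: (rank(g.level), -g.link_order))
    return winner.name, set(winner.logon_locally)

# Constructed data mirroring the thread: a member server whose local policy
# lists an extra group, under a domain GPO that defines the same user right.
LOCAL = Gpo("Local Security Policy", "local",
            frozenset({"Administrators", "AppOperators"}))
DOMAIN = Gpo("Default Domain Policy", "domain", frozenset({"Administrators"}))
# Hypothetical OU GPO that defines the right with no entries at all.
LOCKDOWN = Gpo("Server Lockdown", "ou", frozenset())

if __name__ == "__main__":
    print(effective_logon_locally([LOCAL, DOMAIN]))
    print(effective_logon_locally([LOCAL, DOMAIN, LOCKDOWN]))
```

In the first case the domain GPO's defined list replaces the local one rather than merging with it, so the extra local group does not appear in the effective setting even though no deny right is set anywhere.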


