Re: GPO delivered User rights for unique local account.



You do not need to install adminpak to alter GPO settings, and you only
need the tools on the machines from which you will be managing the GPO
settings (not all machines impacted by the GPOs).
If you were to use gpedit (as from an adminpak install) on an XP Pro at SP2
you would not need to apply the patch for string lengths as with W2k.

By the way, you are starting down a slippery road.
For server A you now need LocalAccountA1 in a certain user right.
Next for server B you need LocalAccountB1 in some user right.
etc.

Eventually you end up with a GPO for each server just to deliver these.
Some people opt for not setting those policies (as some user rights) that
are per-machine unique (or close to per-machine) by means of GPOs
but instead use only Local Policy for them.

One way of doing this that I have found is to define local groups on
each machine, like LocalLogin, NetLogin, etc. where the point is that
the group exists with the same name on each machine. Then one GPO
can be used to define these user rights using these machine local group
names, and as far as GPO is concerned it does not matter that the
local groups have different memberships per machine.

Now, if you look back, both of those alternatives are no different.
Whether one gives up on the per-machine unique and handles it in
local group policy or if one used uniformly named machine local
groups, what one has done is relinquish central guaranteed control.

The only good alternative to central management of per-machine
unique policy settings is purchase of third-party extensions of the
group policy system.


"AndyT" <AndyT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F47E8783-7410-4C5E-8AB9-1C99B50B58EE@xxxxxxxxxxxxxxxx
> Thank you Steve.
>
> Your comment about Windows 2000 AD Users and Computers put me on the right
> track. I can now add server specific local accounts to GPs, but to do so I
> have to install Adminpak and patch it to fix a "truncation" error
> (842933).
> Is there an easier way to load AD Users and Computers than installing the
> entire adminpak on every server that needs unique GPs?
>
> BTW Local policy is overridden by Site, the Domain etc, so that option
> wouldn't work... but thanks anyway.
>
> Also my Logon Message /caption on 2000 boxes gets truncated.... any ideas?
>
>
>
> "Steven L Umbach" wrote:
>
>> You could simply edit Local Group Policy/local policies/user rights on the
>> server or edit the Group Policy that enforces user rights for that server.
>> In Windows 2000 you can use Active Directory Users and Computers to access
>> Group Policy. Right click the container such as the domain/OU, select
>> properties, and then Group Policy. If you have an XP Pro computer in the
>> domain you can install GPMC on it to manage Group Policy in the Windows 2000
>> domain. You will need to logon as a domain administrator however so make
>> sure it is a secure admin workstation. You can use the support tool
>> gpresult to see what Group Policies are being applied to a computer. ---
>> Steve
>>
>>
>> "AndyT" <AndyT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:447FDABB-DFBF-4734-9107-98820CE63B51@xxxxxxxxxxxxxxxx
>> > How do I create a GP for a Windows 2000 server that enables a local user on
>> > that server to gain certain User rights eg Log on locally? Our MS standard
>> > server baseline policy removes any installed User rights and we need to
>> > reinstate them for certain servers.
>> > I understand that with 2003 server one can install the GPMC and create/edit
>> > a GPO and add local accounts to that GPO, but GPMC is not compatible with
>> > W2K....
>> >
>> > Any help would be gratefully received.
>>
>>
>>
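
The reply above notes that uniformly named local groups (LocalLogin, NetLogin) let one GPO assign the user rights, but leave each machine's group membership outside central control. The following is an added example, not code from the thread: it audits collected `net localgroup` output against an approved per-server membership list. The captures, the `EXAMPLE` domain name and the approved list are constructed, and English-language command output is assumed.

```python
# Constructed `net localgroup LocalLogin` output per server (not from the thread).
CAPTURES = {
    ("ServerA", "LocalLogin"): """\
Alias name     LocalLogin
Comment

Members

-------------------------------------------------------------------------------
LocalAccountA1
The command completed successfully.
""",
    ("ServerB", "LocalLogin"): """\
Alias name     LocalLogin
Comment

Members

-------------------------------------------------------------------------------
LocalAccountB1
EXAMPLE\\Domain Users
The command completed successfully.
""",
}

# Hypothetical approved membership, kept centrally and reviewed like the GPO.
APPROVED = {
    ("ServerA", "LocalLogin"): {"LocalAccountA1"},
    ("ServerB", "LocalLogin"): {"LocalAccountB1"},
}

def parse_members(output):
    """Return the member names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in output.splitlines():
        text = line.strip()
        if not in_list:
            in_list = text.startswith("-----")
        elif text.startswith("The command completed"):
            break
        elif text:
            members.append(text)
    return members

def drift(captures=CAPTURES, approved=APPROVED):
    """Map (server, group) to members that are not on the approved list."""
    report = {}
    for key, output in captures.items():
        want = {m.casefold() for m in approved.get(key, set())}  # names are case-insensitive
        extra = [m for m in parse_members(output) if m.casefold() not in want]
        if extra:
            report[key] = extra
    return report
```

Here ServerB is reported because a broad domain group was added to LocalLogin, which the single GPO then silently grants the logon right.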

