Re: Prevent Users interactive login, but allow them to run batch j



"Avil" <Avil@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DE6B214C-B0A9-471A-9201-626AFFD72000@xxxxxxxxxxxxxxxx

"Avil" wrote:

That user is a member of "Domain Users" group. I also made that user a
member of local "Users" group at the client machine. Still no luck.
I made this user a member of the local "admin" group at the client machine.
It works fine.

Well, I am obviously in the dark Avil as to the specifics of the
job it is supposed to execute, but at least now you know you only
need to discover what Administrators has granted to it that is
needed for this account to run the job without being an admin.
What sort of auditing do you have enabled that might help?


"Roger Abell [MVP]" wrote:

"Avil" <Avil@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9E2CFE7E-9116-4974-8E48-373EB543B2ED@xxxxxxxxxxxxxxxx
I have set these settings on a test OU. The first setting works fine
(Deny log on Locally). But the second setting "Log on as batch job" has no
effect. The scheduled batch job ends with the error code 0*1

The batch job runs fine with other users.


That makes it sound like those user rights adjustments are
effective, but that the account needs something else. Is it
a member of the machine's Users group by some means?



"Roger Abell [MVP]" wrote:

"Avil" <Avil@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1E25EF8C-193F-495D-B0F9-CF7DEB82A2C7@xxxxxxxxxxxxxxxx
Thank You,
I tried the following step which did not work.
Under Domain Group Policy,
I added the user to "Deny Login Locally"
and to "Login as Batch Job"
But this does not work.


If those are not set elsewhere in GPOs applied after the
GPO in which you set these, and if there was time for the
new values to replicate and get applied at the test machine,
then they should have had your desired effect.

That said, I will add that doing as you did is potentially
dangerous as those settings will wipe out what may have
been set for those at the local machine level, replacing with
what you set in the GPO. Hopefully you did that in a GPO
that only impacts the test machines.

Roger

"Roger Abell [MVP]" wrote:

"Avil" <Avil@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:28206A25-9B62-4AC7-BD1B-29873E82B760@xxxxxxxxxxxxxxxx
I have a Windows 2000 ADS domain. I need some domain user accounts who
can run batch jobs but they should not be able to login to domain by
pressing alt-ctl-delete. Is it possible to implement?


Is it possible? Yes.
Is it simple to implement? That depends on how your Windows
deployment is currently configured.

In the default, user accounts are members of Domain Users, and
Domain Users as well as Authenticated Users are made members
of the Users group of all domain joined machines.

You want an account that
a) does not have a grant of Log on locally, or if it does then is
also listed in the Deny log on locally (these are in User Rights)
b) does have user right grant of batch logon

Just how you effect it so that the account meets those depends on
how you have or have not taken control over user rights on members.

One possible approach is to make the accounts not be members of
Domain Users. However, that does not fully address the issue as
Authenticated Users would still allow local login to the account.
Another possible approach is to use the Deny local login setting
but that gets very messy in an infrastructure as the only way to set
that centrally (without coding that connects to each machine and
sets it) is via GPO and that will wipe out anything already listed
in that setting.

Roger
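
Added example, not part of the original thread: a Python check of conditions a) and b) against the `[Privilege Rights]` section that `secedit /export /areas USER_RIGHTS /cfg <file>` writes, plus the replace-not-merge effect of setting a user right in a GPO. The account SID, its group SIDs and the INF text are constructed sample data, and the function names are hypothetical.

```python
# Added example. All SIDs and INF text below are constructed sample data.
ACCOUNT = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # hypothetical batch account
TOKEN_SIDS = {ACCOUNT,
              "S-1-5-21-1111111111-2222222222-3333333333-513",  # Domain Users
              "S-1-5-11",       # Authenticated Users
              "S-1-5-32-545"}   # local Users (the default membership described above)

LOCAL_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {right name: set of SIDs} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {v.strip().lstrip("*")
                                    for v in value.split(",") if v.strip()}
    return rights

def apply_gpo(local_rights, gpo_rights):
    """A right defined in the GPO replaces the machine's whole list for it."""
    effective = dict(local_rights)
    effective.update(gpo_rights)
    return effective

def logon_verdict(rights, token_sids):
    """Conditions a) and b): granted to some SID held and denied to none."""
    def held(right):
        return bool(rights.get(right, set()) & token_sids)
    return {"interactive": held("SeInteractiveLogonRight")
                           and not held("SeDenyInteractiveLogonRight"),
            "batch": held("SeBatchLogonRight")
                     and not held("SeDenyBatchLogonRight")}

if __name__ == "__main__":
    local = parse_privilege_rights(LOCAL_INF)
    gpo = {"SeDenyInteractiveLogonRight": {ACCOUNT}, "SeBatchLogonRight": {ACCOUNT}}
    print("before:", logon_verdict(local, TOKEN_SIDS))
    print("after: ", logon_verdict(apply_gpo(local, gpo), TOKEN_SIDS))
    print("batch right lost by:", local["SeBatchLogonRight"] - gpo["SeBatchLogonRight"])
```

This models user rights only; a job that still fails once the verdict is correct is being blocked by something else, such as permissions on what the job touches.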










