GPO- Local DC logon

  • Thread starter Thread starter bpereira
  • Start date Start date
B

bpereira

Hi guys!

Why can’t I change the allow log on locally on my dc?

Running win 2k3 st. ed. I’m domain admin.

Thx
 
Are you making the change in the Default Domain Controller Policy? If you
make it in any other policy at a higher level, the DDCP will apply last and
potentially overwrite the permissions previously laid down.
 
I'm assuming that you've read the KB article listed in the dialog box
(823659) which describes why it's not a good idea to allow "Log on Locally"
for Authenticated Users on your DC. If you still want to make the change,
I'm not sure why it's not allowing it through the dialog, but you should be
able to manually edit the gpttmpl.ini file in the Default Domain Controller
Policy folder tree.

I don't have access to one of my DC's right now, but you'll find it if you
look under the policy folder with the GUID that starts with "{6AC..." You
basically add the SID for the Authenticated Users group (below) to the
SeInteractiveLogonRight Right listed in the file.

SID: S-1-5-11
Name: Authenticated Users
Description: A group that includes all users whose identities were
authenticated when they logged on. Membership is controlled by the operating
system.
 
I'm assuming that you've read the KB article listed in the
dialog box
(823659) which describes why it's not a good idea to allow
"Log on Locally"
for Authenticated Users on your DC. If you still want to make
the change,
I'm not sure why it's not allowing it through the dialog, but
you should be
able to manually edit the gpttmpl.ini file in the Default
Domain Controller
Policy folder tree.

I don't have access to one of my DC's right now, but you'll
find it if you
look under the policy folder with the GUID that starts with
"{6AC..." You
basically add the SID for the Authenticated Users group
(below) to the
SeInteractiveLogonRight Right listed in the file.

SID: S-1-5-11
Name: Authenticated Users
Description: A group that includes all users whose identities
were
authenticated when they logged on. Membership is controlled by
the operating
system.

--
Mike Shepperd
MCSE NT4, 2000, 2003
NewFuture Consulting
Seattle, Washington
Click to expand...

Thanks for your help, but I can’t find this file: gpttmpl.ini.
 
Back
Top