Group permissions

[Guest]

I have created a local admin group(testgroup) and assigned a particular user
(testuser)to that group and then assigned that group(testgroup) to the
following local policies:

act as part of the operating system
log on as a service
log on locally

I am not able to perform a particular function. If I assign the testuser
explicitly to those same local policies I can. The customer has a GPO that
does not allow individual users the ability to be assigned local policies.
Is there anyway around this?

 

[Joe Richards [MVP]]

Is the group a local group or a domain local group?

When you look at the security token do you see the group listed in the
token when you log into the machine?

This should work fine, I have done this thousands of times through the
years.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

 

[Guest]

It is a local group, but for some reason group privileges do not work.

 

[Roger Abell [MVP]]

I have created a local admin group(testgroup) and assigned a particular
user
(testuser)to that group and then assigned that group(testgroup) to the
following local policies:

act as part of the operating system
log on as a service
log on locally

I am not able to perform a particular function. If I assign the testuser
explicitly to those same local policies I can. The customer has a GPO
that
does not allow individual users the ability to be assigned local policies.

I am aware of no way to do this in a GPO except one that will control
both groups and accounts added via local policy, not just groups or
user accounts.

Is there anyway around this?

Please verify and explain what this limitation is ? since it seems to
be this that is getting in your way, but it cannot be a restriction of the
form you have stated.

Roger

 

[Roger Abell [MVP]]

It is a local group, but for some reason group privileges do not work.

Can we please verify what AD based GPOs are applied to the
test system, and what settings they carry for these user rights, if
they carry any. Usually, if one can set these in Local Security
Policy admin tool, then they are not under control by AD GPO.

Is it possible that in your tests you were seeing results had variance
due to whether the changed local policy had or had not yet been
applied? Did you use gpupdate (or secedit if W2k) to force the
changed local policy to be applied after you added the group?

As Joe stated, I will echo - this does work, I use it all the time.

Roger