Local account settings on a domain member server


Craig Matchan

Hi,

We have a server that is a member server of our AD. We are trying to get part
of Oracle Grid server going on this server. The component of Oracle Grid
server requires the following specific account rights:

- Act as part of operating system
- Log on as batch job
- Log on as service
- Replace a process level token

We have granted these rights to the domain account being used but the Oracle
application fails. Oracle have advised us now not to use a domain account
(even though their doco tells us to) and to create a local (non domain)
account instead. So I created a local account on the server via the Computer
Management utility called oracleagent. The problem I have is that when I try
and grant the above rights to this account via the local policy utility the
required rights are ghosted out. I presume this is because they are either
domain specific or the domain policy is taking precedence.

I tried editing the domain security policy user rights however it will not
allow me to reference users not part of the domain. So I'm sort of stuck at
the moment. Is my only option to remove the server from the domain?

Any help/suggestions welcome,

regards

Craig
 
Hi

I tried to edit on a member server in a domain with these rights and it worked
fine.
- Check permissions.
- Make sure that you don't have any GPO in the domain that are overwriting
these ones.


--
I hope that helps

Best Regards
Systems Administrator
MCSA + Exchange
 
Download NTRIGHTS.EXE from tip 6705 » What are the free Windows Server 2003 Resource Kit tools?
in the 'Tips & Tricks' at http://www.jsifaq.com

The following is case sensitive:

SeAssignPrimaryTokenPrivilege Replace a process level token.
SeBatchLogonRight Logon as a batch job.
SeTcbPrivilege Act as part of the operating system.
SeServiceLogonRight Log on as a service.

ntrights +r SeAssignPrimaryTokenPrivilege -u LocalOracleUser
ntrights +r SeBatchLogonRight -u LocalOracleUser
ntrights +r SeTcbPrivilege -u LocalOracleUser
ntrights +r SeServiceLogonRight -u LocalOracleUser

Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
http://www.jsifaq.com
 
Hi all,

OK, the ntrights utility worked and I was able to set the rights required,
however, by the next morning the rights were gone. I suppose this points to
a group policy resetting these rights. I just need to find out which policy
now, assuming it is in fact a policy clobbering the rights.

Craig
 
Run RSoP.msc in logging mode

--
I hope that helps

Best Regards
Systems Administrator
MCSA + Exchange
 
Ta.. yep someone has set some rights on one of the DCs via the local
security policy tool. Just trying to ascertain who and why as they were not
documented changes.

thanks to everyone for their assistance.

Craig
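
An added example, not part of the original thread: a PowerShell check that reports whether the local account still holds the four rights listed above, so it can be run after granting them and again after a Group Policy refresh to confirm whether a policy is removing them. It assumes the account name oracleagent from the first post, an elevated prompt on the member server, and the built-in secedit tool.

```powershell
# Added example: report which of the four rights from this thread the account
# currently holds, based on a secedit export of the user rights assignment.
# Run from an elevated prompt on the member server.
param(
    [string]$Account = 'oracleagent'   # assumed: local account name from the first post
)

$rights = 'SeAssignPrimaryTokenPrivilege', 'SeBatchLogonRight',
          'SeTcbPrivilege', 'SeServiceLogonRight'

# Export only the user-rights area to a temporary INF file.
$inf = Join-Path $env:TEMP ("user-rights-{0}.inf" -f $PID)
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

# secedit writes most holders as *S-1-...; resolve the local account to its SID
# so that both the SID form and the plain-name form are matched.
$nt  = [System.Security.Principal.NTAccount]"$env:COMPUTERNAME\$Account"
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Build a lookup of right -> holders from the "SeXxx = a,b,c" lines.
$assigned = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
        $assigned[$Matches[1]] = $Matches[2].Split(',') | ForEach-Object { $_.Trim() }
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# A right that has no holders at all does not appear in the export.
$report = foreach ($right in $rights) {
    $holders = @($assigned[$right])
    [pscustomobject]@{
        Right   = $right
        Granted = ($holders -contains "*$sid") -or ($holders -contains $Account)
        Holders = $holders -join ', '
    }
}
$report | Format-Table -AutoSize
```

If Granted flips from True to False after a policy refresh, the Holders column shows what the winning policy set instead, which can be compared with the RSoP.msc output.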
 