unknown source of Effective Rights (User Rights Assignment)

  • Thread starter Thread starter Valery M.
  • Start date Start date
V

Valery M.

Hi All,

I got stuck with the following situation. Haven't been
able to find a solution for several days already, though I
need it urgently. If anybody has any ideas, please help!

Here is the situation:
1) "Default Domain Policy" -> "Log on as a batch job"
= "domainX\userA"

2) "Default Domain Controller Policy" -> "Log on as a
batch job"
= "domainX\administrator,domainX\UserB,domainX\userC"

3) Local Security Settings (on a Member Server, not a
DC): "Local Security Settings" -> "Log on as a batch job"
= domainX\administrator,domainX\UserD,domainX\userE"
All have "LocalPolicySetting" and "EffectivePolicySetting"
(dimmed) checkboxes checked.

4) Even when I uncheck "LocalPolicySetting" for userD and
userE they still have "EffectivePolicySetting" set!


Questions.
1) How do I find out where userD and userE came from?? I
mean from which level of Group Policy did they
receive "Log on as a batch job" right??
2)Why doesn't userA appear under member
server's "LocalPolicySetting" (It should come from Default
Domain Policy, shouldn't it)??

Any ideas are greatly appreciated!
Thank you.

Valery.
 
Do you have a copy of the Group Policy Management Console installed? This is
ideal for troubleshooting problems such as this.
http://search.microsoft.com/search/results.aspx?st=b&qu=gpmc&view=en-us

Removing UserD and UserE from the local policy setting will have no effect
if they are defined in a GPO. The GPO will override the local setting. Do
you have any policies set at the site level? GPMC will allow you to quickly
determine exactly what GPO's are being applied to a server.
You can also run gpresult to give you an idea what is being applied.
 
Thanks for the advise Simon,

Following the topic:
1) No policies at site level.
2) I had already tried gpresult, but it gave me exactly
what I expected: "The computer received settings from
these GPOs: "Local Group Policy", "Default Domain Policy".
3) I haven't tried GPMC yet.
4) I suspect there could be an issue related to the fact
that this member server (and the whole domain) have been
upgraded from WinNT to Win2000 (I haven't been here that
time). Is it possible that there are some User Rights from
WinNT left in the system (registry?) after upgrading??

Thank you for your time.
Valery.
 
Any leftovers from NT should be irrelevant as Group Policy should enforce
the new user rights. You should definitely install the GPMC and check what
settings are being applied from what policy

Are there any services running on the member servers that run under the
UserD or UserE accounts? When services run under an account they get granted
the 'log on as a batch job' right by default.

You may find this resource kit tool useful.
http://support.microsoft.com/?id=279664
 
I have installed GPMC on a separate WinXP PC, but
unfortunately our Member server is Win2000 server and GPMC
tells me that "The selected computer doesn't support RSoP
logging, Rsop logging support is available in operating
system release after Windows 2000".

Best Regards,
Valery.
 
Back
Top