Channel: Directory Services forum

GPO Issues with User Rights Assignment "Log on as Service"


Please feel free to move this into a more appropriate category as I feel the Forum selection area is too limited to make much sense out of.

The issue that I am experiencing at this time is that I have a few software packages that require administrative rights to PCs and also require the "Log on as Service" right.  This software package is from GFI and is to help manage our use of external media devices and help maintain updates to Windows and other software.

I have tried using a GPO to send out the required changes to add Service Users, users we create per service which requires administrative rights, to both the Local Security "Log on as Service" right and the Local Administrators group.

There is a conflict that occurs that I am having trouble with finding a workaround other than using BAT/PS1 scripting with a 2003 Server Resource Kit file, NTRIGHTS.zip.  The conflict that happens is the following...

I have three servers, 1-DC 2-SQL 3-HyperV.  Each server with their own default assignments in the Local Security Policy user rights "Log on as Service".  If I have the DC push this created GPO out to the SQL and HyperV servers, they lose their defaults and only use the users stated in the GPO.

This issue became known when I tried to manage a VM within Hyper-V Manager on the server and kept getting a 'User does not have sufficient rights' error.  This also occurred while using full administrative credentials even with elevated Hyper-V Manager.  I looked on the SQL server and found the same had taken place with the GPO dropping the default and overwriting the rights area with just those users, dropping all SQL\* Users from the list.

I retracted this policy and all went back to normal after a restart of the test servers and have been looking for a workaround ever since.  I would like to know of a better way to do this other than using startup scripts to add the necessary users to the rights item.  I don't like the idea of using CarbonDLL or having to put a utility such as NTRIGHTS.exe on a network share for machines to access on boot and have it fail due to no network connection at the time the script would run.

Also, these are not the only software packages that have this as a requirement that we use around the company.  If I were to push this GPO to production, it would kill various other packages for reporting services and data collection services we have on our production floor.

Any ideas would be helpful.

Thanks in advance.
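
Added example, not part of the original post: a pre-deployment check for the overwrite behaviour described above. It compares the "Log on as a service" line (`SeServiceLogonRight`) in a server's `secedit /export /cfg` output with the line the GPO would apply, lists the entries that would be dropped, and goes one step further by building the merged value that keeps them. The INF snippets, the `EXAMPLE\svc-gfi` account and the function names are constructed for illustration.

```python
RIGHT = "SeServiceLogonRight"  # constant name of "Log on as a service"

# Constructed samples in secedit INF format ("*" marks a SID).
# S-1-5-80-0 = NT SERVICE\ALL SERVICES, S-1-5-83-0 = NT VIRTUAL MACHINE\Virtual Machines
GPO_INF = r"""[Privilege Rights]
SeServiceLogonRight = EXAMPLE\svc-gfi
"""
HYPERV_INF = r"""[Privilege Rights]
SeServiceLogonRight = *S-1-5-80-0,*S-1-5-83-0
"""
SQL_INF = r"""[Privilege Rights]
SeServiceLogonRight = *S-1-5-80-0,NT SERVICE\MSSQLSERVER,EXAMPLE\svc-gfi
"""

def parse_right(inf_text, right=RIGHT):
    """Map casefolded entry -> original text for `right`; None if not defined.
    Entries are compared as written, so a name and its SID count as different."""
    section = ""
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().casefold()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            if name.strip().casefold() == right.casefold():
                items = [p.strip() for p in value.split(",")]
                return {p.casefold(): p for p in items if p}
    return None

def dropped_by_gpo(local_inf, gpo_inf):
    """Entries holding the right locally that the GPO's list would remove."""
    gpo = parse_right(gpo_inf)
    if gpo is None:  # setting "Not Defined": the local list is left alone
        return []
    local = parse_right(local_inf) or {}
    return sorted(local[k] for k in local.keys() - gpo.keys())

def merged_setting(local_inf, gpo_inf):
    """The value a GPO scoped to this server needs to keep the local entries."""
    merged = {**(parse_right(local_inf) or {}), **(parse_right(gpo_inf) or {})}
    return f"{RIGHT} = " + ",".join(sorted(merged.values(), key=str.casefold))

if __name__ == "__main__":
    for host, inf in (("HyperV", HYPERV_INF), ("SQL", SQL_INF)):
        print(host, "would lose:", dropped_by_gpo(inf, GPO_INF))
        print(host, "needs:", merged_setting(inf, GPO_INF))
```

Because the merged value differs per server, each role needs its own GPO (or its own scope) carrying that role's full list.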

