[gptalk] User Rights Assignments question

  • From: Robert Tannehill <rtannehill@xxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Thu, 28 Dec 2006 12:08:30 -0800

Don't know if anyone has ever solved this, but it's been bugging me for
a while.  I like to control some of the User Rights Assignments via domain
GPO.  That is, I supply the domain groups that will get access to, for
example, Logon As Service.  That way, a domain account on which the
service runs must be a member of the LogonAsService group.

In some cases, applications running on servers will require a local
account to have that right, ASPNET, for instance.  However, if I add this
account to the Logon As Service right at the Domain GPO level, servers not
running .Net will give a 1202 error when trying to apply the policy
("Security policies were propagated with warning. 0x534 : No mapping
between account names and security IDs was done."), thus filling the
Application event log with a bunch of SceCli warnings.

One way to solve this is to place all .Net servers in a group and apply
the policy via group filtering, which would mean developers would have to
let me know whenever they installed .Net (ugly and basically impractical).
I'm wondering if there is any way to add accounts to User Rights
Assignments (like one can do with Restricted groups)?

Just looking for ideas.

Robert Tannehill
Sr. Computer Engineer
Computer Sciences Corporation
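
An added example, not part of the original post: a small audit that reads the [Privilege Rights] section of a GPO security template (GptTmpl.inf) and lists entries stored as bare account names, which are the ones that produce the 0x534 warning on machines where no such local account exists. The sample template, the EXAMPLE domain and the function names are constructed for illustration.

```python
import re

# Constructed sample of a GPO security template (GptTmpl.inf); not from the post.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-20,EXAMPLE\\LogonAsService,ASPNET
SeBatchLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

# Entries written as SIDs carry a leading '*' and need no name lookup.
SID_RE = re.compile(r"^\*S-1-\d+(-\d+)+$")

def parse_privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def classify(principal):
    """Label an entry as 'sid', 'domain-name' or 'bare-name'."""
    if SID_RE.match(principal):
        return "sid"
    if "\\" in principal:
        return "domain-name"
    return "bare-name"

def risky_entries(inf_text):
    """Bare names must resolve locally on every machine the GPO applies to."""
    return [(right, p)
            for right, principals in parse_privilege_rights(inf_text).items()
            for p in principals if classify(p) == "bare-name"]

if __name__ == "__main__":
    for right, principal in risky_entries(SAMPLE_INF):
        print(f"{right}: '{principal}' is a bare name; expect 0x534 where it is absent")
```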
