[gptalk] Re: User Rights Assignments question

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 28 Dec 2006 12:51:40 -0800

I don't see an easy way to do this through GP. You might just be better off
managing this through some kind of local computer startup script where you
add ASPNET account to the right using a command-line utility like
ntrights.exe, though I realize that is not easy to keep consistent across
all systems.

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Robert Tannehill
Sent: Thursday, December 28, 2006 12:09 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] User Rights Assignments question

 

All,

Don't know if anyone has ever solved this, but it's been bugging me for
awhile.  I like to control some of the User Rights Assignments via domain
GPO.  That is, I supply the domain groups that will get access to, for
example, Logon As Service.  That way, a domain account on which the service
runs must be a member of the LogonAsService group.

 

In some cases, applications running on servers will require a local account
to have that right, ASPNET, for instance.  However, if I add this account to
the Logon As Service right at the Domain GPO level, servers not running .Net
will give a 1202 error when trying to apply the policy ("Security policies
were propagated with warning. 0x534 : No mapping between account names and
security IDs was done."), thus filling the Application event log with a
bunch of SceCli warnings.

 

One way to solve this is to place all .Net servers in a group and apply the
policy via group filtering, which would mean developers would have to let me
know whenever they installed .Net (ugly and basically impractical).

 

 I'm wondering if there is anyway to add accounts to User Rights Assignments
(like one can do with Restricted groups)?

 

Just looking for ideas.

Thanks

Robert Tannehill
Sr. Computer Engineer
Computer Sciences Corporation

 

 

Other related posts: