PC Review


Reply
Thread Tools Rate Thread

unknown source of Effective Rights (User Rights Assignment)

 
 
Valery M.
Guest
Posts: n/a
 
      14th Oct 2003
Hi All,

I got stuck with the following situation. Haven't been
able to find a solution for several days already, though I
need it urgently. If anybody has any ideas, please help!

Here is the situation:
1) "Default Domain Policy" -> "Log on as a batch job"
= "domainX\userA"

2) "Default Domain Controller Policy" -> "Log on as a
batch job"
= "domainX\administrator,domainX\UserB,domainX\userC"

3) Local Security Settings (on a Member Server, not a
DC): "Local Security Settings" -> "Log on as a batch job"
= domainX\administrator,domainX\UserD,domainX\userE"
All have "LocalPolicySetting" and "EffectivePolicySetting"
(dimmed) checkboxes checked.

4) Even when I uncheck "LocalPolicySetting" for userD and
userE they still have "EffectivePolicySetting" set!


Questions.
1) How do I find out where userD and userE came from?? I
mean from which level of Group Policy did they
receive "Log on as a batch job" right??
2)Why doesn't userA appear under member
server's "LocalPolicySetting" (It should come from Default
Domain Policy, shouldn't it)??

Any ideas are greatly appreciated!
Thank you.

Valery.
 
Reply With Quote
 
 
 
 
Simon Geary
Guest
Posts: n/a
 
      14th Oct 2003
Do you have a copy of the Group Policy Management Console installed? This is
ideal for troubleshooting problems such as this.
http://search.microsoft.com/search/r...pmc&view=en-us

Removing UserD and UserE from the local policy setting will have no effect
if they are defined in a GPO. The GPO will override the local setting. Do
you have any policies set at the site level? GPMC will allow you to quickly
determine exactly what GPO's are being applied to a server.
You can also run gpresult to give you an idea what is being applied.

"Valery M." <(E-Mail Removed)> wrote in message
news:2a4ff01c3923a$52e602b0$(E-Mail Removed)...
> Hi All,
>
> I got stuck with the following situation. Haven't been
> able to find a solution for several days already, though I
> need it urgently. If anybody has any ideas, please help!
>
> Here is the situation:
> 1) "Default Domain Policy" -> "Log on as a batch job"
> = "domainX\userA"
>
> 2) "Default Domain Controller Policy" -> "Log on as a
> batch job"
> = "domainX\administrator,domainX\UserB,domainX\userC"
>
> 3) Local Security Settings (on a Member Server, not a
> DC): "Local Security Settings" -> "Log on as a batch job"
> = domainX\administrator,domainX\UserD,domainX\userE"
> All have "LocalPolicySetting" and "EffectivePolicySetting"
> (dimmed) checkboxes checked.
>
> 4) Even when I uncheck "LocalPolicySetting" for userD and
> userE they still have "EffectivePolicySetting" set!
>
>
> Questions.
> 1) How do I find out where userD and userE came from?? I
> mean from which level of Group Policy did they
> receive "Log on as a batch job" right??
> 2)Why doesn't userA appear under member
> server's "LocalPolicySetting" (It should come from Default
> Domain Policy, shouldn't it)??
>
> Any ideas are greatly appreciated!
> Thank you.
>
> Valery.



 
Reply With Quote
 
 
 
 
Valery M.
Guest
Posts: n/a
 
      14th Oct 2003
Thanks for the advise Simon,

Following the topic:
1) No policies at site level.
2) I had already tried gpresult, but it gave me exactly
what I expected: "The computer received settings from
these GPOs: "Local Group Policy", "Default Domain Policy".
3) I haven't tried GPMC yet.
4) I suspect there could be an issue related to the fact
that this member server (and the whole domain) have been
upgraded from WinNT to Win2000 (I haven't been here that
time). Is it possible that there are some User Rights from
WinNT left in the system (registry?) after upgrading??

Thank you for your time.
Valery.


>-----Original Message-----
>Do you have a copy of the Group Policy Management Console

installed? This is
>ideal for troubleshooting problems such as this.
>http://search.microsoft.com/search/results.aspx

st=b&qu=gpmc&view=en-us
>
>Removing UserD and UserE from the local policy setting

will have no effect
>if they are defined in a GPO. The GPO will override the

local setting. Do
>you have any policies set at the site level? GPMC will

allow you to quickly
>determine exactly what GPO's are being applied to a

server.
>You can also run gpresult to give you an idea what is

being applied.
>
>"Valery M." <(E-Mail Removed)> wrote in message
>news:2a4ff01c3923a$52e602b0$(E-Mail Removed)...
>> Hi All,
>>
>> I got stuck with the following situation. Haven't been
>> able to find a solution for several days already,

though I
>> need it urgently. If anybody has any ideas, please help!
>>
>> Here is the situation:
>> 1) "Default Domain Policy" -> "Log on as a batch job"
>> = "domainX\userA"
>>
>> 2) "Default Domain Controller Policy" -> "Log on as a
>> batch job"
>> = "domainX\administrator,domainX\UserB,domainX\userC"
>>
>> 3) Local Security Settings (on a Member Server, not a
>> DC): "Local Security Settings" -> "Log on as a batch

job"
>> = domainX\administrator,domainX\UserD,domainX\userE"
>> All have "LocalPolicySetting"

and "EffectivePolicySetting"
>> (dimmed) checkboxes checked.
>>
>> 4) Even when I uncheck "LocalPolicySetting" for userD

and
>> userE they still have "EffectivePolicySetting" set!
>>
>>
>> Questions.
>> 1) How do I find out where userD and userE came from?? I
>> mean from which level of Group Policy did they
>> receive "Log on as a batch job" right??
>> 2)Why doesn't userA appear under member
>> server's "LocalPolicySetting" (It should come from

Default
>> Domain Policy, shouldn't it)??
>>
>> Any ideas are greatly appreciated!
>> Thank you.
>>
>> Valery.

>
>
>.
>

 
Reply With Quote
 
Simon Geary
Guest
Posts: n/a
 
      14th Oct 2003
Any leftovers from NT should be irrelevant as Group Policy should enforce
the new user rights. You should definitely install the GPMC and check what
settings are being applied from what policy

Are there any services running on the member servers that run under the
UserD or UserE accounts? When services run under an account they get granted
the 'log on as a batch job' right by default.

You may find this resource kit tool useful.
http://support.microsoft.com/?id=279664

"Valery M." <(E-Mail Removed)> wrote in message
news:054c01c39257$6aec58b0$(E-Mail Removed)...
> Thanks for the advise Simon,
>
> Following the topic:
> 1) No policies at site level.
> 2) I had already tried gpresult, but it gave me exactly
> what I expected: "The computer received settings from
> these GPOs: "Local Group Policy", "Default Domain Policy".
> 3) I haven't tried GPMC yet.
> 4) I suspect there could be an issue related to the fact
> that this member server (and the whole domain) have been
> upgraded from WinNT to Win2000 (I haven't been here that
> time). Is it possible that there are some User Rights from
> WinNT left in the system (registry?) after upgrading??
>
> Thank you for your time.
> Valery.
>
>
> >-----Original Message-----
> >Do you have a copy of the Group Policy Management Console

> installed? This is
> >ideal for troubleshooting problems such as this.
> >http://search.microsoft.com/search/results.aspx?

> st=b&qu=gpmc&view=en-us
> >
> >Removing UserD and UserE from the local policy setting

> will have no effect
> >if they are defined in a GPO. The GPO will override the

> local setting. Do
> >you have any policies set at the site level? GPMC will

> allow you to quickly
> >determine exactly what GPO's are being applied to a

> server.
> >You can also run gpresult to give you an idea what is

> being applied.
> >
> >"Valery M." <(E-Mail Removed)> wrote in message
> >news:2a4ff01c3923a$52e602b0$(E-Mail Removed)...
> >> Hi All,
> >>
> >> I got stuck with the following situation. Haven't been
> >> able to find a solution for several days already,

> though I
> >> need it urgently. If anybody has any ideas, please help!
> >>
> >> Here is the situation:
> >> 1) "Default Domain Policy" -> "Log on as a batch job"
> >> = "domainX\userA"
> >>
> >> 2) "Default Domain Controller Policy" -> "Log on as a
> >> batch job"
> >> = "domainX\administrator,domainX\UserB,domainX\userC"
> >>
> >> 3) Local Security Settings (on a Member Server, not a
> >> DC): "Local Security Settings" -> "Log on as a batch

> job"
> >> = domainX\administrator,domainX\UserD,domainX\userE"
> >> All have "LocalPolicySetting"

> and "EffectivePolicySetting"
> >> (dimmed) checkboxes checked.
> >>
> >> 4) Even when I uncheck "LocalPolicySetting" for userD

> and
> >> userE they still have "EffectivePolicySetting" set!
> >>
> >>
> >> Questions.
> >> 1) How do I find out where userD and userE came from?? I
> >> mean from which level of Group Policy did they
> >> receive "Log on as a batch job" right??
> >> 2)Why doesn't userA appear under member
> >> server's "LocalPolicySetting" (It should come from

> Default
> >> Domain Policy, shouldn't it)??
> >>
> >> Any ideas are greatly appreciated!
> >> Thank you.
> >>
> >> Valery.

> >
> >
> >.
> >



 
Reply With Quote
 
Valery M.
Guest
Posts: n/a
 
      15th Oct 2003
I have installed GPMC on a separate WinXP PC, but
unfortunately our Member server is Win2000 server and GPMC
tells me that "The selected computer doesn't support RSoP
logging, Rsop logging support is available in operating
system release after Windows 2000".

Best Regards,
Valery.

>-----Original Message-----
>Any leftovers from NT should be irrelevant as Group

Policy should enforce
>the new user rights. You should definitely install the

GPMC and check what
>settings are being applied from what policy
>
>Are there any services running on the member servers that

run under the
>UserD or UserE accounts? When services run under an

account they get granted
>the 'log on as a batch job' right by default.
>
>You may find this resource kit tool useful.
>http://support.microsoft.com/?id=279664
>
>"Valery M." <(E-Mail Removed)> wrote in message
>news:054c01c39257$6aec58b0$(E-Mail Removed)...
>> Thanks for the advise Simon,
>>
>> Following the topic:
>> 1) No policies at site level.
>> 2) I had already tried gpresult, but it gave me exactly
>> what I expected: "The computer received settings from
>> these GPOs: "Local Group Policy", "Default Domain

Policy".
>> 3) I haven't tried GPMC yet.
>> 4) I suspect there could be an issue related to the fact
>> that this member server (and the whole domain) have been
>> upgraded from WinNT to Win2000 (I haven't been here that
>> time). Is it possible that there are some User Rights

from
>> WinNT left in the system (registry?) after upgrading??
>>
>> Thank you for your time.
>> Valery.
>>
>>
>> >-----Original Message-----
>> >Do you have a copy of the Group Policy Management

Console
>> installed? This is
>> >ideal for troubleshooting problems such as this.
>> >http://search.microsoft.com/search/results.aspx?

>> st=b&qu=gpmc&view=en-us
>> >
>> >Removing UserD and UserE from the local policy setting

>> will have no effect
>> >if they are defined in a GPO. The GPO will override the

>> local setting. Do
>> >you have any policies set at the site level? GPMC will

>> allow you to quickly
>> >determine exactly what GPO's are being applied to a

>> server.
>> >You can also run gpresult to give you an idea what is

>> being applied.
>> >
>> >"Valery M." <(E-Mail Removed)> wrote in

message
>> >news:2a4ff01c3923a$52e602b0$(E-Mail Removed)...
>> >> Hi All,
>> >>
>> >> I got stuck with the following situation. Haven't

been
>> >> able to find a solution for several days already,

>> though I
>> >> need it urgently. If anybody has any ideas, please

help!
>> >>
>> >> Here is the situation:
>> >> 1) "Default Domain Policy" -> "Log on as a batch job"
>> >> = "domainX\userA"
>> >>
>> >> 2) "Default Domain Controller Policy" -> "Log on as a
>> >> batch job"
>> >> = "domainX\administrator,domainX\UserB,domainX\userC"
>> >>
>> >> 3) Local Security Settings (on a Member Server, not a
>> >> DC): "Local Security Settings" -> "Log on as a batch

>> job"
>> >> = domainX\administrator,domainX\UserD,domainX\userE"
>> >> All have "LocalPolicySetting"

>> and "EffectivePolicySetting"
>> >> (dimmed) checkboxes checked.
>> >>
>> >> 4) Even when I uncheck "LocalPolicySetting" for userD

>> and
>> >> userE they still have "EffectivePolicySetting" set!
>> >>
>> >>
>> >> Questions.
>> >> 1) How do I find out where userD and userE came

from?? I
>> >> mean from which level of Group Policy did they
>> >> receive "Log on as a batch job" right??
>> >> 2)Why doesn't userA appear under member
>> >> server's "LocalPolicySetting" (It should come from

>> Default
>> >> Domain Policy, shouldn't it)??
>> >>
>> >> Any ideas are greatly appreciated!
>> >> Thank you.
>> >>
>> >> Valery.
>> >
>> >
>> >.
>> >

>
>
>.
>

 
Reply With Quote
 
 
 
Reply

Thread Tools
Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Local Audit Policy effective rights piperni@gmail.com Microsoft Windows 2000 Group Policy 3 8th Jul 2006 05:49 AM
effective user rights Yvan LeTourneau Microsoft Access Security 2 5th Jan 2006 11:49 PM
Rights and Effective Permissions in XP Pro =?Utf-8?B?RGFub3I=?= Windows XP Security 2 31st Oct 2004 05:49 AM
Effective Rights Pat Microsoft Windows 2000 Security 5 30th Jan 2004 08:41 PM
Re: Effective rights for programs installation in Win2k domain controller Jerold Schulman Microsoft Windows 2000 Group Policy 0 25th Jun 2003 01:32 PM


Features
 

Advertising
 

Newsgroups
 


All times are GMT +1. The time now is 12:36 AM.