Cannot change Effective Security

C

Carol

I have two AD domains with mostly Windows 2000 servers
(and a couple of NT4's still floating around). I have
never been able to change Local Security settings on the
W2K servers, in either domain, using the Local Security
Policy applet. At the moment I'm trying to give a domain
group the "Log on locally" right but the effective setting
remains resolutely unticked.

Now before you tell me to check domain policies - I have
never used domain policies, and just to make sure I went
onto the domain controller, looked in the domain policies,
and there's nothing set. I'm also not using group policies
or anything else that would effect the local security.

I used to get around this problem by modifying the local
security using User manager for Domains - that always
worked and the change was then reflected in Effective
Security Settings. But I don't know what I've done with
the version of usrmgr.exe I had that worked on W2k
servers. The newer versions helpfully tell me that they're
not to be used on W2K.

So what's going on? Why can't I chnage my security
settings?

Thanks,

Carol
 
S

Steven L Umbach

For domain controllers you will have to use the Domain Controller Security
Policy. User rights assignments are configured at that level and is the
reason you can not change settings via local policy. --- Steve
 
S

Steven L Umbach

OK. If the there are effective settings in the Local Security Policy, that
means that machine configuration settings are being inherited from
somewhere. You can use the gpresult tool and it can help you determine where
settings are being applied from. Another thing to try is to create an
Organizational Unit for your servers with it's own GPO that has the user
rights assignment configured to your needs and then move those server into
that OU. You would only need to configure that particular user right. All
other settings would be inherited from parent container by default. It may
also be a good idea to run netdiag on one of those server to make sure dns,
secure channel, domain membership, etc is correct.--- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;321709
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Local Setting vs Effective Setting 2
Changing process priorities of normal users 3
Password Policy - Effective Settings 1
Security Settings 3
How to export W2K Effective Policy Setting? 7
can't modify local security settings 2
Where this Audit Polciy comming from? 4
Domain vs Domain Controller Security Policy 2

Top