GPO- Local DC logon

B

bpereira

Hi guys!

Why can’t I change the allow log on locally on my dc?

Running win 2k3 st. ed. I’m domain admin.

Thx
 
M

Mike Shepperd

Are you making the change in the Default Domain Controller Policy? If you
make it in any other policy at a higher level, the DDCP will apply last and
potentially overwrite the permissions previously laid down.
 
M

Mike Shepperd

I'm assuming that you've read the KB article listed in the dialog box
(823659) which describes why it's not a good idea to allow "Log on Locally"
for Authenticated Users on your DC. If you still want to make the change,
I'm not sure why it's not allowing it through the dialog, but you should be
able to manually edit the gpttmpl.ini file in the Default Domain Controller
Policy folder tree.

I don't have access to one of my DC's right now, but you'll find it if you
look under the policy folder with the GUID that starts with "{6AC..." You
basically add the SID for the Authenticated Users group (below) to the
SeInteractiveLogonRight Right listed in the file.

SID: S-1-5-11
Name: Authenticated Users
Description: A group that includes all users whose identities were
authenticated when they logged on. Membership is controlled by the operating
system.
 
B

bpereira

I'm assuming that you've read the KB article listed in the
dialog box
(823659) which describes why it's not a good idea to allow
"Log on Locally"
for Authenticated Users on your DC. If you still want to make
the change,
I'm not sure why it's not allowing it through the dialog, but
you should be
able to manually edit the gpttmpl.ini file in the Default
Domain Controller
Policy folder tree.

I don't have access to one of my DC's right now, but you'll
find it if you
look under the policy folder with the GUID that starts with
"{6AC..." You
basically add the SID for the Authenticated Users group
(below) to the
SeInteractiveLogonRight Right listed in the file.

SID: S-1-5-11
Name: Authenticated Users
Description: A group that includes all users whose identities
were
authenticated when they logged on. Membership is controlled by
the operating
system.

--
Mike Shepperd
MCSE NT4, 2000, 2003
NewFuture Consulting
Seattle, Washington
Click to expand...

Thanks for your help, but I can’t find this file: gpttmpl.ini.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Mystery Threads - How do you find out where they come from? 2
GPO not applying. Please help 1
Domain user can't change password 5
Multiple password policies 2
Selecting more cells than I want 6
Group Policy not applying over Network to XP users 4
Scheduled task when switching to battery mode 1
Problems with 'startup script' running via GPO. 1

Top