unknown source of Effective Rights (User Rights Assignment)

Discussion in 'Microsoft Windows 2000 Active Directory' started by Valery M., Oct 14, 2003.

  1. Valery M.

    Valery M. Guest

    Hi All,

    I got stuck with the following situation. Haven't been
    able to find a solution for several days already, though I
    need it urgently. If anybody has any ideas, please help!

    Here is the situation:
    1) "Default Domain Policy" -> "Log on as a batch job"
    = "domainX\userA"

    2) "Default Domain Controller Policy" -> "Log on as a
    batch job"
    = "domainX\administrator,domainX\UserB,domainX\userC"

    3) Local Security Settings (on a Member Server, not a
    DC): "Local Security Settings" -> "Log on as a batch job"
    = domainX\administrator,domainX\UserD,domainX\userE"
    All have "LocalPolicySetting" and "EffectivePolicySetting"
    (dimmed) checkboxes checked.

    4) Even when I uncheck "LocalPolicySetting" for userD and
    userE they still have "EffectivePolicySetting" set!


    Questions.
    1) How do I find out where userD and userE came from?? I
    mean from which level of Group Policy did they
    receive "Log on as a batch job" right??
    2)Why doesn't userA appear under member
    server's "LocalPolicySetting" (It should come from Default
    Domain Policy, shouldn't it)??

    Any ideas are greatly appreciated!
    Thank you.

    Valery.
     
    Valery M., Oct 14, 2003
    #1
    1. Advertisements

  2. Valery M.

    Simon Geary Guest

    Do you have a copy of the Group Policy Management Console installed? This is
    ideal for troubleshooting problems such as this.
    http://search.microsoft.com/search/results.aspx?st=b&qu=gpmc&view=en-us

    Removing UserD and UserE from the local policy setting will have no effect
    if they are defined in a GPO. The GPO will override the local setting. Do
    you have any policies set at the site level? GPMC will allow you to quickly
    determine exactly what GPO's are being applied to a server.
    You can also run gpresult to give you an idea what is being applied.

    "Valery M." <> wrote in message
    news:2a4ff01c3923a$52e602b0$...
    > Hi All,
    >
    > I got stuck with the following situation. Haven't been
    > able to find a solution for several days already, though I
    > need it urgently. If anybody has any ideas, please help!
    >
    > Here is the situation:
    > 1) "Default Domain Policy" -> "Log on as a batch job"
    > = "domainX\userA"
    >
    > 2) "Default Domain Controller Policy" -> "Log on as a
    > batch job"
    > = "domainX\administrator,domainX\UserB,domainX\userC"
    >
    > 3) Local Security Settings (on a Member Server, not a
    > DC): "Local Security Settings" -> "Log on as a batch job"
    > = domainX\administrator,domainX\UserD,domainX\userE"
    > All have "LocalPolicySetting" and "EffectivePolicySetting"
    > (dimmed) checkboxes checked.
    >
    > 4) Even when I uncheck "LocalPolicySetting" for userD and
    > userE they still have "EffectivePolicySetting" set!
    >
    >
    > Questions.
    > 1) How do I find out where userD and userE came from?? I
    > mean from which level of Group Policy did they
    > receive "Log on as a batch job" right??
    > 2)Why doesn't userA appear under member
    > server's "LocalPolicySetting" (It should come from Default
    > Domain Policy, shouldn't it)??
    >
    > Any ideas are greatly appreciated!
    > Thank you.
    >
    > Valery.
     
    Simon Geary, Oct 14, 2003
    #2
    1. Advertisements

  3. Valery M.

    Valery M. Guest

    Thanks for the advise Simon,

    Following the topic:
    1) No policies at site level.
    2) I had already tried gpresult, but it gave me exactly
    what I expected: "The computer received settings from
    these GPOs: "Local Group Policy", "Default Domain Policy".
    3) I haven't tried GPMC yet.
    4) I suspect there could be an issue related to the fact
    that this member server (and the whole domain) have been
    upgraded from WinNT to Win2000 (I haven't been here that
    time). Is it possible that there are some User Rights from
    WinNT left in the system (registry?) after upgrading??

    Thank you for your time.
    Valery.


    >-----Original Message-----
    >Do you have a copy of the Group Policy Management Console

    installed? This is
    >ideal for troubleshooting problems such as this.
    >http://search.microsoft.com/search/results.aspx?

    st=b&qu=gpmc&view=en-us
    >
    >Removing UserD and UserE from the local policy setting

    will have no effect
    >if they are defined in a GPO. The GPO will override the

    local setting. Do
    >you have any policies set at the site level? GPMC will

    allow you to quickly
    >determine exactly what GPO's are being applied to a

    server.
    >You can also run gpresult to give you an idea what is

    being applied.
    >
    >"Valery M." <> wrote in message
    >news:2a4ff01c3923a$52e602b0$...
    >> Hi All,
    >>
    >> I got stuck with the following situation. Haven't been
    >> able to find a solution for several days already,

    though I
    >> need it urgently. If anybody has any ideas, please help!
    >>
    >> Here is the situation:
    >> 1) "Default Domain Policy" -> "Log on as a batch job"
    >> = "domainX\userA"
    >>
    >> 2) "Default Domain Controller Policy" -> "Log on as a
    >> batch job"
    >> = "domainX\administrator,domainX\UserB,domainX\userC"
    >>
    >> 3) Local Security Settings (on a Member Server, not a
    >> DC): "Local Security Settings" -> "Log on as a batch

    job"
    >> = domainX\administrator,domainX\UserD,domainX\userE"
    >> All have "LocalPolicySetting"

    and "EffectivePolicySetting"
    >> (dimmed) checkboxes checked.
    >>
    >> 4) Even when I uncheck "LocalPolicySetting" for userD

    and
    >> userE they still have "EffectivePolicySetting" set!
    >>
    >>
    >> Questions.
    >> 1) How do I find out where userD and userE came from?? I
    >> mean from which level of Group Policy did they
    >> receive "Log on as a batch job" right??
    >> 2)Why doesn't userA appear under member
    >> server's "LocalPolicySetting" (It should come from

    Default
    >> Domain Policy, shouldn't it)??
    >>
    >> Any ideas are greatly appreciated!
    >> Thank you.
    >>
    >> Valery.

    >
    >
    >.
    >
     
    Valery M., Oct 14, 2003
    #3
  4. Valery M.

    Simon Geary Guest

    Any leftovers from NT should be irrelevant as Group Policy should enforce
    the new user rights. You should definitely install the GPMC and check what
    settings are being applied from what policy

    Are there any services running on the member servers that run under the
    UserD or UserE accounts? When services run under an account they get granted
    the 'log on as a batch job' right by default.

    You may find this resource kit tool useful.
    http://support.microsoft.com/?id=279664

    "Valery M." <> wrote in message
    news:054c01c39257$6aec58b0$...
    > Thanks for the advise Simon,
    >
    > Following the topic:
    > 1) No policies at site level.
    > 2) I had already tried gpresult, but it gave me exactly
    > what I expected: "The computer received settings from
    > these GPOs: "Local Group Policy", "Default Domain Policy".
    > 3) I haven't tried GPMC yet.
    > 4) I suspect there could be an issue related to the fact
    > that this member server (and the whole domain) have been
    > upgraded from WinNT to Win2000 (I haven't been here that
    > time). Is it possible that there are some User Rights from
    > WinNT left in the system (registry?) after upgrading??
    >
    > Thank you for your time.
    > Valery.
    >
    >
    > >-----Original Message-----
    > >Do you have a copy of the Group Policy Management Console

    > installed? This is
    > >ideal for troubleshooting problems such as this.
    > >http://search.microsoft.com/search/results.aspx?

    > st=b&qu=gpmc&view=en-us
    > >
    > >Removing UserD and UserE from the local policy setting

    > will have no effect
    > >if they are defined in a GPO. The GPO will override the

    > local setting. Do
    > >you have any policies set at the site level? GPMC will

    > allow you to quickly
    > >determine exactly what GPO's are being applied to a

    > server.
    > >You can also run gpresult to give you an idea what is

    > being applied.
    > >
    > >"Valery M." <> wrote in message
    > >news:2a4ff01c3923a$52e602b0$...
    > >> Hi All,
    > >>
    > >> I got stuck with the following situation. Haven't been
    > >> able to find a solution for several days already,

    > though I
    > >> need it urgently. If anybody has any ideas, please help!
    > >>
    > >> Here is the situation:
    > >> 1) "Default Domain Policy" -> "Log on as a batch job"
    > >> = "domainX\userA"
    > >>
    > >> 2) "Default Domain Controller Policy" -> "Log on as a
    > >> batch job"
    > >> = "domainX\administrator,domainX\UserB,domainX\userC"
    > >>
    > >> 3) Local Security Settings (on a Member Server, not a
    > >> DC): "Local Security Settings" -> "Log on as a batch

    > job"
    > >> = domainX\administrator,domainX\UserD,domainX\userE"
    > >> All have "LocalPolicySetting"

    > and "EffectivePolicySetting"
    > >> (dimmed) checkboxes checked.
    > >>
    > >> 4) Even when I uncheck "LocalPolicySetting" for userD

    > and
    > >> userE they still have "EffectivePolicySetting" set!
    > >>
    > >>
    > >> Questions.
    > >> 1) How do I find out where userD and userE came from?? I
    > >> mean from which level of Group Policy did they
    > >> receive "Log on as a batch job" right??
    > >> 2)Why doesn't userA appear under member
    > >> server's "LocalPolicySetting" (It should come from

    > Default
    > >> Domain Policy, shouldn't it)??
    > >>
    > >> Any ideas are greatly appreciated!
    > >> Thank you.
    > >>
    > >> Valery.

    > >
    > >
    > >.
    > >
     
    Simon Geary, Oct 14, 2003
    #4
  5. Valery M.

    Valery M. Guest

    I have installed GPMC on a separate WinXP PC, but
    unfortunately our Member server is Win2000 server and GPMC
    tells me that "The selected computer doesn't support RSoP
    logging, Rsop logging support is available in operating
    system release after Windows 2000".

    Best Regards,
    Valery.

    >-----Original Message-----
    >Any leftovers from NT should be irrelevant as Group

    Policy should enforce
    >the new user rights. You should definitely install the

    GPMC and check what
    >settings are being applied from what policy
    >
    >Are there any services running on the member servers that

    run under the
    >UserD or UserE accounts? When services run under an

    account they get granted
    >the 'log on as a batch job' right by default.
    >
    >You may find this resource kit tool useful.
    >http://support.microsoft.com/?id=279664
    >
    >"Valery M." <> wrote in message
    >news:054c01c39257$6aec58b0$...
    >> Thanks for the advise Simon,
    >>
    >> Following the topic:
    >> 1) No policies at site level.
    >> 2) I had already tried gpresult, but it gave me exactly
    >> what I expected: "The computer received settings from
    >> these GPOs: "Local Group Policy", "Default Domain

    Policy".
    >> 3) I haven't tried GPMC yet.
    >> 4) I suspect there could be an issue related to the fact
    >> that this member server (and the whole domain) have been
    >> upgraded from WinNT to Win2000 (I haven't been here that
    >> time). Is it possible that there are some User Rights

    from
    >> WinNT left in the system (registry?) after upgrading??
    >>
    >> Thank you for your time.
    >> Valery.
    >>
    >>
    >> >-----Original Message-----
    >> >Do you have a copy of the Group Policy Management

    Console
    >> installed? This is
    >> >ideal for troubleshooting problems such as this.
    >> >http://search.microsoft.com/search/results.aspx?

    >> st=b&qu=gpmc&view=en-us
    >> >
    >> >Removing UserD and UserE from the local policy setting

    >> will have no effect
    >> >if they are defined in a GPO. The GPO will override the

    >> local setting. Do
    >> >you have any policies set at the site level? GPMC will

    >> allow you to quickly
    >> >determine exactly what GPO's are being applied to a

    >> server.
    >> >You can also run gpresult to give you an idea what is

    >> being applied.
    >> >
    >> >"Valery M." <> wrote in

    message
    >> >news:2a4ff01c3923a$52e602b0$...
    >> >> Hi All,
    >> >>
    >> >> I got stuck with the following situation. Haven't

    been
    >> >> able to find a solution for several days already,

    >> though I
    >> >> need it urgently. If anybody has any ideas, please

    help!
    >> >>
    >> >> Here is the situation:
    >> >> 1) "Default Domain Policy" -> "Log on as a batch job"
    >> >> = "domainX\userA"
    >> >>
    >> >> 2) "Default Domain Controller Policy" -> "Log on as a
    >> >> batch job"
    >> >> = "domainX\administrator,domainX\UserB,domainX\userC"
    >> >>
    >> >> 3) Local Security Settings (on a Member Server, not a
    >> >> DC): "Local Security Settings" -> "Log on as a batch

    >> job"
    >> >> = domainX\administrator,domainX\UserD,domainX\userE"
    >> >> All have "LocalPolicySetting"

    >> and "EffectivePolicySetting"
    >> >> (dimmed) checkboxes checked.
    >> >>
    >> >> 4) Even when I uncheck "LocalPolicySetting" for userD

    >> and
    >> >> userE they still have "EffectivePolicySetting" set!
    >> >>
    >> >>
    >> >> Questions.
    >> >> 1) How do I find out where userD and userE came

    from?? I
    >> >> mean from which level of Group Policy did they
    >> >> receive "Log on as a batch job" right??
    >> >> 2)Why doesn't userA appear under member
    >> >> server's "LocalPolicySetting" (It should come from

    >> Default
    >> >> Domain Policy, shouldn't it)??
    >> >>
    >> >> Any ideas are greatly appreciated!
    >> >> Thank you.
    >> >>
    >> >> Valery.
    >> >
    >> >
    >> >.
    >> >

    >
    >
    >.
    >
     
    Valery M., Oct 15, 2003
    #5
    1. Advertisements

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Otis

    Password lockout policy not effective

    Otis, Jul 4, 2003, in forum: Microsoft Windows 2000 Active Directory
    Replies:
    2
    Views:
    604
    Joe Richards [MVP]
    Jul 4, 2003
  2. Richard Eaves

    Scripted homedrive and homedirectory settings NOT effective

    Richard Eaves, Feb 17, 2004, in forum: Microsoft Windows 2000 Active Directory
    Replies:
    2
    Views:
    200
    Richard Eaves
    Feb 17, 2004
  3. diane walker

    Effective Setting Under Local Security Settings

    diane walker, Mar 2, 2004, in forum: Microsoft Windows 2000 Active Directory
    Replies:
    2
    Views:
    672
    diane walker
    Mar 3, 2004
  4. Ronnie Harper

    ADMT and Local User Rights Assignment Policy

    Ronnie Harper, Jun 28, 2004, in forum: Microsoft Windows 2000 Active Directory
    Replies:
    0
    Views:
    192
    Ronnie Harper
    Jun 28, 2004
  5. YMan

    File access rights assignment

    YMan, Aug 22, 2005, in forum: Microsoft Windows 2000 Active Directory
    Replies:
    2
    Views:
    163
    Cary Shultz [A.D. MVP]
    Aug 22, 2005
Loading...

Share This Page