Can't Modify Local Security Setting - Windows XP SP 2

theburnetts

I have a Win XP SP 2 machine that is part of a domain. I am an end
user (not a sys admin). I am also a software developer and am having
problems because periodically the powers that be that control our
network will push down new security restrictions or possibly new group
policies that will reset or modify the configuration of my machine.
Currently I am having a problem with using Visual Studio in debug mode.
It says that I don't have the correct permissions. I have traced it
to a particular Local Security setting. Here is what I am trying to
do...

1. In Administrative Tools click on Local Security Policy
2. Now click on User Rights Assignment in Local Policies
3. Now double click the Debug Programs setting.
4. I should be able to add the Administrators group for this setting
so that I can debug. Currently this setting is blank and has no users
or groups listed. However...

The buttons for "Add User or Group" and "Remove" are both grayed out.
Also there is an Information message in the dialog box that says the
following: "This setting is not compatible with computers running
Windows 2000 Service Pack 1 or earlier. Apply Group Policy objects
containing this setting only to computers running a later version of
the operating system."

Strange. It seems like the system thinks that this is an old Windows
2000 machine and not a Win XP SP 2 machine. I would really like to be
able to change the Debug Programs policy setting so that I can get my
debugging to work again. I did this once before on this machine and it
worked. But now I can't change the setting. Is there any way that I
can modify this setting? I have Googled extensively with no luck yet.

Thanks for any help,
Corey
 
Steven L Umbach

Being grayed out means that user right is being enforced by a domain/OU
level policy and is overriding that setting in Local Security Policy. You
can run the support tool rsop.msc to see what Group Policy restrictions are
being applied to the computer/user and what GP is applying the setting. You
will need to talk to the administrators stating your case to see if they can
reconfigure for you which can be easily done possibly creating an OU just
for your computer. The stuff about "This setting is not compatible" is
simply FYI for whoever is configuring Group Policy in case they are
configuring it at the domain/OU level so that they will know what operating
systems it applies to. --- Steve
 
theburnetts

Thanks for the reply and the clarification. I have talked to someone at
the help desk and they are looking at the situation. He said that the
solution may be to remove my computer from the domain. I don't really
have any network resources that I need to worry about and I can still
get Outlook to connect to the Exchange server even if my computer is
not part of the domain. If they remove my computer from the domain
will that remove the Group Policy restrictions so that I can modify
that setting?

Thanks,
Corey
 
Steven L Umbach

Yes once the computer is removed from the domain and rebooted you should be
able to configure anything in Local Security Policy assuming you are a local
administrator which it sounds like you are. --- Steve
 
theburnetts

Steven, I have talked with my domain administrator and he said that
they are going to remove me from the domain. However he said that
removing me from the domain will *not* remove the Group Policy
restrictions. He said that it will be up to me to change any policies
locally on my machine. The way that he explained it is that if I just
create a local account on my PC and always log in to that local account
instead of logging on to my domain account then that should fix my
problem because the system will not refresh the domain policies. So
his instructions were for me to log on to a local administrator level
account on my PC. Then I should be able to change the local policies
to whatever I want. As long as I don't ever log on to my domain
account then the policies will never get switched back. The problem is
that even when I log on to a local account (which has administrative
rights) I don't have the ability to modify any of the User Rights
Assignments. He was kind of baffled as to why that account didn't have
the ability to modify the User Rights Assignments.

One thing that didn't make sense to me was that they said that they
were going to remove my PC from the domain remotely. I guess on the
domain controller they were going to remove my PC from the domain. But
I would assume that I would have to remove my PC from the domain also
on my computer, wouldn't I and change it to a workgroup? Currently
when I try to do that I don't have permission to do that.

I know I have a lot of questions but I am a bit confused now and very
frustrated with the domain security policies. It is a huge government
Active Directory and for right now they don't have any good way of
handling developers who need more permissions on their own PCs. Thanks
in advance for any help you can give me.

Corey
 
theburnetts

I have figured it out. I was able to successfully remove myself from
the domain. Once I did that, it did indeed remove all of the Group
Policies that had come from the domain. I was confused because when I
went to remove myself from the domain it prompted me for a user name
and password that had rights to remove the computer from the domain. I
assumed that this was looking for a domain administrator account.
However my local user had the necessary rights.

Thanks,
Corey
 
Steven L Umbach

If you logon to your computer as a local administrator you will not be
subject to "user configuration" Group Policy settings that are applied at
the domain level but you still will not be able to configure user rights
that are configured at the domain level because user rights are "computer
configuration" and apply whether or not you logon as a domain user as long
as the computer is a domain member so that is what is happening. If you
logon as a local administrator you should be able to remove your computer
from the domain even if it can not contact a domain controller but be SURE
you are logging on as a local computer account because your domain user
account will no longer allow you to logon to your computer once removed
from the domain. --- Steve
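
An added example, not part of the original thread: one way to confirm which accounts hold "Debug programs" (`SeDebugPrivilege`) in the policy actually in effect on the machine is to export the user rights with `secedit /export /areas USER_RIGHTS /cfg rights.inf` and read the `[Privilege Rights]` section. The file name `rights.inf`, the function names and both sample exports are constructed for illustration.

```python
# Added example: read user rights from a secedit export (INF text).
WELL_KNOWN_SIDS = {  # small subset, enough for the samples below
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-547": "BUILTIN\\Power Users",
}

def decode_export(raw: bytes) -> str:
    """Exports are usually UTF-16 with a BOM; otherwise treat as 8-bit text."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")

def privilege_rights(text: str) -> dict:
    """Map each right in [Privilege Rights] to its list of holders."""
    rights, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        holders = []
        for item in (v.strip() for v in value.split(",")):
            if item:  # "*S-1-..." is a SID, anything else is an account name
                holders.append(WELL_KNOWN_SIDS.get(item.lstrip("*"), item))
        rights[name.strip()] = holders
    return rights

def holders_of(text: str, right: str = "SeDebugPrivilege") -> list:
    """Holders of one right; a missing or empty entry both mean nobody."""
    return privilege_rights(text).get(right, [])

# Constructed samples: the blank state described in the thread, and the
# state the poster wanted (Administrators may debug).
LOCKED = ("[Unicode]\nUnicode=yes\n[Privilege Rights]\n"
          "SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545\nSeDebugPrivilege =\n")
WANTED = "[Privilege Rights]\nSeDebugPrivilege = *S-1-5-32-544\n[Version]\nRevision=1\n"

if __name__ == "__main__":
    for label, sample in (("locked", LOCKED), ("wanted", WANTED)):
        print(label, holders_of(sample) or "no accounts hold Debug programs")
```

Running the export again after the next policy refresh and comparing the two results shows whether a domain or OU policy has overwritten the right.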
 
