Effective Policy Setting for IWAM_Machinename account

[Chris]

I receive this error message every so often when trying to run a ISAPI
application in HIGH mode on IIS5 (win 2000 server)...

DCOM got error "Logon failure: the user has not been granted the requested
logon type at this computer. " and was unable to logon .\IWAM_NT_ISA01 in
order to run the server:

{167A80F6-04DB-4883-9958-C04FD265AA28}


I have found a knowledge base article that tells me that I need to give
IWAM_MachineName account "Logon as a batch job" rights...

http://support.microsoft.com/default.aspx?scid=kb;EN-US;297519

But at the end it says...

1.. On the Administrative Tools menu, expand Local Security Policies.
2.. Select User Rights Assignment.
3.. Select the IWAM_MACHINENAME and IUSR_MACHINENAME accounts.NOTE: If
domain level policy settings are defined, they override local policy
settings. Make sure that the Effective Policy Setting is also selected (this
setting is dimmed). Contact your domain administrator if this setting is not
selected.

How do I make the Effective Policy Setting selected? On the Domain
Controller machine (a different win 2000 server) there is no way to select
the user IWAM_MachineName because it is a user local the the web server
machine.

Can anyone tell me how to get this "Logon as batch job" in the Effective
Policy Setting.

Thanks,
Christopher.

 

[Steven L Umbach]

You could create an OU for that computer and move it into it. Then create a
new GPO for the OU. Then add the accounts you need to that user right. Everything
else in the GPO will be undefined, but that particular user right you configure will
override the domain policy and show up as your "effective" setting. Do not "browse"
for those account names, just type/copy them into the add box. --- Steve

 

[Chris]

Thanks for your reply Steve,

Sorry, I'm a bit new to this stuff. Can you tell me what an OU and a GPO is
so that I can find out how to create them.

Thanks,
Christopher.

 

[Steven L Umbach]

Just to verify for me. That computer is in a domain and you have domain
administrative rights? --- Steve

 

[Steven L Umbach]

OK. An OU or Organizational Unit is an Active Directory container for the purpose of
logically segmenting a domain for the purpose of divisions/geography [East/West,
Sales/Marketing, etc], delegating authority, or applying unique Group Policy. Anyhow
you could create one for your server, move the server into it, create and configure a
Group Policy for it that would accomplish your need. First go to Active Directory
Users and Computers management console and expand the domain. Right click the domain
and select new/Organizational Unit. Name it something appropriate. Then right click
you new OU and select properties/Group Policy/new. You will see "new Group Policy
Object" appear. Name it something appropriate and then select the new Group
Policy/edit. Then go to computer configuration/Windows settings/security
settings/local policies/user rights assignments. Find the setting you are looking for
"log on as batch job" and add the account that you want to have that right - do not
browse for it, just type it in and hit OK for both boxes and the account should then
appear. Now move your server into that OU. Right click the server and select move [I
am assuming this is not a domain controller]. The on the domain controller run
secedit /refreshpolicy machine_policy /enforce. If a reboot of it is not too
difficult for the domain controller do that also. After that do the same on your IIS
server - secedit /refreshpolicy machine_policy /enforce and reboot if possible. Then
check your Local Security Policy settings again and the "log on as batch job" for
that account should show as effective setting. --- Steve