GPO delivered User rights for unique local account.

Guest

How do I create a GP for a Windows 2000 server that enables a local user on
that server to gain certain User rights, e.g. Log on locally? Our MS standard
server baseline policy removes any installed User rights and we need to
reinstate them for certain servers.
I understand that with 2003 server one can install the GPMC and create/edit
a GPO and add local accounts to that GPO, but GPMC is not compatible with
W2K....

Any help would be gratefully received.
 
Steven L Umbach

You could simply edit Local Group Policy/local policies/user rights on the
server or edit the Group Policy that enforces user rights for that server.
In Windows 2000 you can use Active Directory Users and Computers to access
Group Policy. Right click the container such as the domain/OU, select
properties, and then Group Policy. If you have an XP Pro computer in the
domain you can install GPMC on it to manage Group Policy in the Windows 2000
domain. You will need to log on as a domain administrator, however, so make
sure it is a secure admin workstation. You can use the support tool
gpresult to see what Group Policies are being applied to a computer. ---
Steve
 
Guest

Thank you Steve.

Your comment about Windows 2000 AD Users and Computers put me on the right
track. I can now add server specific local accounts to GPs, but to do so I
have to install Adminpak and patch it to fix a "truncation" error (842933).
Is there an easier way to load AD Users and Computers than installing the
entire adminpak on every server that needs unique GPs?

BTW Local policy is overridden by Site, the Domain etc, so that option
wouldn't work... but thanks anyway.

Also my Logon Message/caption on 2000 boxes gets truncated.... any ideas?
 
Roger Abell [MVP]

You do not need to install adminpak to alter GPO settings, and you only
need the tools on the machines from which you will be managing the GPO
settings (not all machines impacted by the GPOs).
If you were to use gpedit (as from an adminpak install) on an XP Pro at SP2
you would not need to apply the patch for string lengths as with W2k.

By the way, you are starting down a slippery road.
For server A you now need LocalAccountA1 in a certain user right.
Next for server B you need LocalAccountB1 in some user right.
etc.

Eventually you end up with a GPO for each server just to deliver these.
Some people opt for not setting those policies (as some user rights) that
are per-machine unique (or close to per-machine) by means of GPOs
but instead use only Local Policy for them.

One way of doing this that I have found is to define local groups on
each machine, like LocalLogin, NetLogin, etc. where the point is that
the group exists with the same name on each machine. Then one GPO
can be used to define these user rights using these machine local group
names, and as far as GPO is concerned it does not matter that the
local groups have different memberships per machine.

Now, if you look back, both of those alternatives are no different.
Whether one gives up on the per-machine unique and handles it in
local group policy or if one used uniformly named machine local
groups, what one has done is relinquish central guaranteed control.

The only good alternative to central management of per-machine
unique policy settings is purchase of third-party extensions of the
group policy system.
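
An added example, not part of any post in this thread: a Python check that a server's user rights hold only the uniformly named local groups described above and that no per-server account was granted a right directly. It assumes the rights are available as security template text in the format written by `secedit /export`; the baseline, host names and sample exports are constructed for illustration.

```python
import re

# Assumed baseline: each right is held only by the uniformly named local group
# from the post plus built-in Administrators (*S-1-5-32-544).
BASELINE = {
    "SeInteractiveLogonRight": {"LocalLogin", "*S-1-5-32-544"},  # Log on locally
    "SeNetworkLogonRight": {"NetLogin", "*S-1-5-32-544"},
}

def parse_privilege_rights(template_text):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            in_section = header.group(1).strip().lower() == "privilege rights"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # Account names are case-insensitive on Windows, so fold case.
            rights[name.strip()] = {p.strip().casefold()
                                    for p in value.split(",") if p.strip()}
    return rights

def audit(host, template_text, baseline=BASELINE):
    """List (host, right, kind, principal) where the host drifts from baseline."""
    rights = parse_privilege_rights(template_text)
    findings = []
    for right, allowed in sorted(baseline.items()):
        allowed = {p.casefold() for p in allowed}
        actual = rights.get(right, set())
        findings += [(host, right, "unexpected", p) for p in sorted(actual - allowed)]
        findings += [(host, right, "missing", p) for p in sorted(allowed - actual)]
    return findings

# Constructed sample exports (not taken from any real server).
SERVER_A = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,LocalLogin
SeNetworkLogonRight = *S-1-5-32-544,NetLogin
"""
SERVER_B = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,LocalLogin,LocalAccountB1
SeNetworkLogonRight = *S-1-5-32-544
"""

if __name__ == "__main__":
    for host, text in (("SERVER-A", SERVER_A), ("SERVER-B", SERVER_B)):
        for finding in audit(host, text) or [(host, "-", "ok", "-")]:
            print(*finding)
```

The check covers only which principals hold each right; who is a member of LocalLogin or NetLogin on each machine still has to be reviewed separately.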
 
