How to audit User Rights Assignment (Log on Locally) settings on multiple servers automatically

trvlr911

I need to know how to find out what the "Log on locally" user right
settings are across multiple servers through some automated method.

My situation: I need to give a domain group the right to log on locally
to all our servers (500 Win2k/2003). I want to use an Active Directory
GPO but this replaces any values that are on the server already. There
are some servers out there that have one or two extra accounts that
need this privilege but I don't know which so if I deploy the GPO then
I'll break stuff.

My plan is to add a group in the GPO named something like LogOnLocally
and then on the servers that need some non-standard user to log on we
add them to this group.

The big problem is that I can't find any way to find out what the
existing setting for the Log On locally user right is on the servers
without going to each one.

Can someone help me with a way to script this or automate this somehow?
 
Jerold Schulman

I have no idea how to enumerate the right, but why not use the following,

ntrights +r SeInteractiveLogonRight -u "JSIINC\Accounts Payable" -m \\JSI003

Where JSIINC is the NetBIOS domain name and "Accounts Payable" is the domain group who should be allowed to log on
and \\JSI003 is a server.

You can download NTRIGHTS.EXE from the link at tip 6705 in the 'Tips & Tricks' at http://www.jsiinc.com

You can script the process for all servers using a technique similar to tip 7823.


Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
 
Steven L Umbach

I can't think of a command line tool offhand but dumpsec from SomarSoft may
work on remote computers depending on their configuration. Use the "dump
rights" option after selecting the remote computer. --- Steve
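
For the audit the original question asks for (finding which servers carry extra "Log on locally" entries before a GPO overwrites them), here is an added example that is not from any poster in this thread. It assumes each server's rights were exported with `secedit /export /cfg <server>.inf /areas USER_RIGHTS` (a tool the thread does not mention) and the files were collected into one directory; the server names, the `EXAMPLE\svc_backup` account and the baseline set are constructed.

```python
from pathlib import Path

RIGHT = "SeInteractiveLogonRight"  # the "Log on locally" user right

def parse_right(inf_text, right=RIGHT):
    """Return the set of principals holding `right` in a secedit export."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip().lstrip("\ufeff")          # tolerate a stray BOM
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip().lower() == right.lower():
            # Entries are comma separated; SIDs carry a leading '*'.
            return {v.strip().lstrip("*").upper()
                    for v in value.split(",") if v.strip()}
    return set()  # right absent from the export: no one is assigned

def audit(exports, baseline):
    """Map server -> principals the planned GPO value would remove."""
    base = {b.upper() for b in baseline}
    report = {}
    for server, text in exports.items():
        extra = parse_right(text) - base
        if extra:
            report[server] = sorted(extra)
    return report

def load_exports(directory):
    # Assumption: secedit wrote the .inf files as UTF-16, one per server.
    return {p.stem: p.read_text(encoding="utf-16")
            for p in Path(directory).glob("*.inf")}

# Constructed sample exports (not real server data).
HEAD = "[Unicode]\nUnicode=yes\n[Privilege Rights]\n"
SAMPLE = {
    "SRV-A": HEAD + "SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551\n",
    "SRV-B": HEAD + "SeBatchLogonRight = *S-1-5-32-544\n"
             "SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,EXAMPLE\\svc_backup\n",
}
BASELINE = {"S-1-5-32-544", "S-1-5-32-551"}  # Administrators, Backup Operators

if __name__ == "__main__":
    for server, extra in audit(SAMPLE, BASELINE).items():
        print(server, "has non-baseline entries:", ", ".join(extra))
```

Servers listed in the report are the ones whose extra accounts would need to go into the planned LogOnLocally group before the GPO is linked.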
 
