logon locally to DC

Ovvy

What is the best way to allow a user to install software
etc. on a domain controller without adding them as a member of
Domain Admins?
On a member server it is just adding the account to the local admin
group, but there is none on a DC.

Please advise
 
a-chadl [MSFT]

| What is the best way to allow a user to install software
| etc. on a domain controller without adding them as a member of
| Domain Admins?
| On a member server it is just adding the account to the local admin
| group, but there is none on a DC.
|
| Please advise

Ovvy,

The easiest way is to go into Active Directory Users and Computers. Right
click on the Domain Controllers OU and click on Properties. Then click on
the Group Policy tab. You can either modify the Default Domain Controllers
policy or create a new policy. Microsoft recommends not making
modifications to the Default Domain Controllers policy. Therefore, create a
new policy and name it 'Logon Locally', then edit the policy. Navigate to
Computer Configuration > Windows Settings > Security Settings > Local
Policies > User Rights Assignment. In here you will find a policy that will
allow you to define who has Log on Locally rights. Add the users you want
but also make sure you add Account Operators, Administrators, Backup
Operators, Print Operators, and Server Operators. This will duplicate the
users that are being allowed by the Default Domain Controller Policy.

Chad A. Lacy
Windows 2000 Directory Services

==================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================
This posting is provided "AS IS" with no warranties, and confers no rights.
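
Added example, not part of the original post and not Microsoft's code: user rights set through Group Policy are not merged across GPOs, so the highest-precedence GPO that defines Log on locally replaces the list entirely, which is why the reply says to re-add the built-in groups. The Python sketch below checks a constructed set of GptTmpl.inf templates for that; the template contents, the user SID, the precedence order and the function names are assumptions made for illustration.

```python
# Added example: which GPO decides "Log on locally", and is its list complete?
RIGHT = "SeInteractiveLogonRight"  # the "Log on locally" user right
REQUIRED = {  # well-known SIDs of the built-in groups named in the reply
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
}

def logon_right(inf_text):
    """Principals granted RIGHT in one GptTmpl.inf, or None if not defined."""
    section = None
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Privilege Rights" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == RIGHT:
                return {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
    return None

def audit(gpos, user_sid):
    """gpos: (name, inf_text) pairs, highest precedence first (assumed order)."""
    for name, text in gpos:
        granted = logon_right(text)
        if granted is not None:  # first GPO that defines the right wins outright
            missing = sorted(n for s, n in REQUIRED.items() if s not in granted)
            # user_listed checks the SID itself, not membership of a listed group
            return {"winning_gpo": name, "user_listed": user_sid in granted,
                    "missing_builtin": missing}
    return {"winning_gpo": None, "user_listed": False,
            "missing_builtin": sorted(REQUIRED.values())}

# Constructed sample data (placeholder SID, not taken from the thread).
USER = "S-1-5-21-1111111111-2222222222-3333333333-1105"
DEFAULT_DC = "[Privilege Rights]\n" + RIGHT + " = " + ",".join("*" + s for s in REQUIRED)
LOGON_LOCALLY = ("[Unicode]\nUnicode=yes\n[Privilege Rights]\n"
                 + RIGHT + " = *" + USER + ",*S-1-5-32-544\n")

if __name__ == "__main__":
    order = [("Logon Locally", LOGON_LOCALLY),
             ("Default Domain Controllers Policy", DEFAULT_DC)]
    print(audit(order, USER))        # new GPO wins: user listed, groups missing
    print(audit(order[::-1], USER))  # default GPO wins: user not listed
```

On a real domain controller the templates are UTF-16 files under SYSVOL, so decode them before passing the text to `logon_right`.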
 
Ovvy

Thanks for the reply!
I followed all the instructions, very straightforward, I
appreciate that; however, the user still cannot log in. There is
this error: "Local policy of this machine does not allow
you to login interactively". I ran GPRESULT and got this:
- localy policy
- Logon_locally(policy I defined for DC OU)
- domain controllers Policy
- Default domain Policy

What am I missing here? Looks like my policy has been
overwritten by domain controllers, then by default domain
policy?
Please advise!
More power
 
Guest

I had the same problem recently. You must set the user's rights in the user's rights assignments. Once you are in the user rights assignments area as described in earlier posts you will see, on the right hand side, the rights that exist for the domain. Not only do you have to change the rights, you must add the appropriate user and the appropriate user from the appropriate "organization". For instance:

If you had an organizational unit called "MyBuiz", you may have users for both the default and MyBuiz. The difference lies in the member's Active Directory folder description: defaultdomain/group vs. defaultdomain/mybuiz/group. The user from the default organizational unit may not have rights in MyBuiz and vice versa.

I am not an expert but I did notice that the install of WindowsSBS from the computer manufacturer already had a MyBuiz organizational unit. For some reason, probably me, the MyBuiz organizational unit caused problems. I removed it, then added the user, then set the rights and then I could log in locally. I DON'T RECOMMEND REMOVING THE ORGANIZATIONAL UNIT!!! Instead (fiddle with) make sure the user is added to the correct organizational unit and that the rights you change use that user (domain/organizational_unit/group NOT domain/group). Get my drift?
 
