Can I control local group using Group Policy?

By TeeDee74
I am having a bit of a nightmare trying to get a solution to my problem. Here it is:

We have multiple customers who each create local accounts on their servers in order to run a specific service, i.e. grant the "Log on as a service" right.

This will work just fine until the Group Policy comes along 90 minutes or so later and, as the "Log on as a service" right is empty, the rights are removed from that user.

I have tried using Restricted Groups in GP to try and add a local group (to which the user running the service is a member) to the local administrators group, but this just gave me 1202 0x4b8 errors in Windows when applying the policy, which I guess is because I'm doing something I can't?

No matter which way I cut it, I don't seem to be able to get an answer which will work.

ANY help would be appreciated, before I go mad!



All Answers



by CG IT In reply to Can I control local group ...

Because Group Policy is applied in a specific order (local machine, site, domain and OU), policies on the local machine are overridden by site, domain or OU policies.

You can configure a policy with a no override.



by TeeDee74 In reply to Override

Thanks for your answer, but I understand the ordering process, and I don't believe it makes any difference to what has been going on in this case. The restricted group I attempted to create to add the local group to the administrators group ran at the OU level anyway. I suspect it failed because of what I was trying to do, namely, add another local group to the local administrators group. I believe W2K3 simply does not permit this, at least locally? Hence me trying to do the same via a GP. If I *could* add my group on the local administrators group, then I can add that built-in to my "Logon as a service" right in the GPO and I would achieve my goal.


A rash of Restricted Group questions....

by CG IT In reply to Ordering

Restricted Groups restrict who can be a member of that group. If the user is not on the members list, they are automatically removed. That includes the "members of" list. Those in the Members Of listing that are not in the members list are removed. Any user may be a "member of", but if they aren't members, well, as I said, they're removed.
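
A check for the problem described in the opening post, added here as an example and not code from anyone in the thread: it parses the [Privilege Rights] section of a `secedit` export and reports whether an account still holds "Log on as a service" (SeServiceLogonRight). The account name `svc_app`, the file path and the sample INF text are constructed for illustration.

```powershell
# Added example. Real input comes from:
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
#   $infText = (Get-Content C:\Temp\rights.inf) -join "`n"
# The text below is a constructed sample in the same INF layout.
$infText = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-20,svc_app
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
'@

function Get-UserRightHolders {
    param([string] $InfText, [string] $Right)
    $inSection = $false
    foreach ($line in ($InfText -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$' -and $Matches[1] -eq $Right) {
            return @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return @()  # right absent from the export: no principal holds it
}

function Resolve-Principal {
    param([string] $Entry)
    if ($Entry -notmatch '^\*(S-1-.+)$') { return $Entry }  # already a name
    $sidText = $Matches[1]
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $sidText }  # unresolvable SID: report it as-is
}

$account = 'svc_app'  # hypothetical local service account
$holders = @(Get-UserRightHolders $infText 'SeServiceLogonRight' | ForEach-Object { Resolve-Principal $_ })
if ($holders | Where-Object { $_ -eq $account -or $_ -like "*\$account" }) {
    "$account holds SeServiceLogonRight"
} else {
    "$account does NOT hold SeServiceLogonRight. Holders: $($holders -join ', ')"
}
```

Running it against an export taken before and after a policy refresh shows whether the refresh removed the right from the account.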
