  • #2208563

    How do I apply local group membership changes without logging in?

    by dotnetgeek ·

    Hello,

    I am trying to change a local user’s group memberships on a production server running Windows 2008 Server. This I am able to do. However, when changing the membership, a message indicates that the user must log in to the server for the changes to take effect. Unfortunately, this user does not have access to remote desktop into the server, and as it is a production server it would probably not be a good idea to enable this access.

    Is there any way I can apply local group membership changes without the user needing to log in afterwards?

    Thanks in advance.

All Answers

    • #2879594

      Clarifications

      by dotnetgeek ·

      In reply to How do I apply local group membership changes without logging in?

      Clarifications

    • #2879511

      wait… what?

      by spitfire_sysop ·

      In reply to How do I apply local group membership changes without logging in?

      Let me get this straight. You want to create local policies on a server for a user who is not allowed to log on locally to the server?

      Usually, when a user logs in remotely they use a domain account…

      If you don’t know the difference between domain policy and local policy you need to set down the admin password and back away from the terminal slowly. It is not something to be taken lightly. It’s easy to set up policies that do nothing and policies that have unintended consequences.

      Read this:
      http://technet.microsoft.com/en-us/library/cc757601(WS.10).aspx

      Near the end it covers local vs. domain policy and the outcome.

    • #2879499

      Clarification

      by dotnetgeek ·

      In reply to How do I apply local group membership changes without logging in?

      I am normally a web application developer, so all of this is rather new to me. My main concern is to do things the right way.

      To give you some background, we have a Windows console application that runs through a Scheduled Task under a dedicated service account on a batch server. This service account was set up to be a member of the Administrators group on the batch server. I have been asked to remove this account from the Administrators group and add it to the custom Batch Job Users group.

      I hope my question makes more sense now.

    • #2879484

      Does this help?: Log on to the server doesn’t mean RDP in any way.

      by seanferd ·

      In reply to How do I apply local group membership changes without logging in?

      This machine with the user account you just changed is part of a domain, right? When in use, it is normally connected to the domain, yes? If so, when a user logs on, they log on to the domain.

      Regardless, what you must do is go to the computer, log off the now defunct Admin account, and log on the new user account. It is apparently not logged on. When this domain logon occurs, all policy changes will be applied to the account.

    • #2896385

      Resolution

      by dotnetgeek ·

      In reply to How do I apply local group membership changes without logging in?

      Thank you for your answers.

      I am not in a position to log in with the service account without using RDP as I have no physical access to the server.

      From discussions with colleagues who have more experience with sys admin functions, I have found that the group membership changes will apparently be applied when the scheduled task next runs as the service account, which solves my problem.
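
The change discussed in this thread (service account out of Administrators, into the custom Batch Job Users group, picked up at the task's next run), as an added PowerShell example that is not code from any poster. The account name `svc_batch` and task name `NightlyBatch` are placeholders, and the account is assumed to be a local one as in the original question; the script uses the ADSI WinNT provider and `schtasks.exe`, both present on Windows Server 2008.

```powershell
# Added example. Run from an elevated PowerShell prompt on the batch server.
# $Account and $TaskName are hypothetical placeholders; substitute your own.
$Account  = 'svc_batch'
$TaskName = 'NightlyBatch'
$Computer = $env:COMPUTERNAME

function Get-LocalGroupMemberNames([string]$GroupName) {
    # Enumerate members through the ADSI WinNT provider (works on PowerShell 2.0).
    $group = [ADSI]"WinNT://$Computer/$GroupName,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Set-LocalGroupMembership([string]$GroupName, [string]$User, [bool]$Member) {
    # Idempotent: only adds or removes when the stored membership differs.
    $group   = [ADSI]"WinNT://$Computer/$GroupName,group"
    $path    = "WinNT://$Computer/$User,user"   # local account assumed
    $present = (Get-LocalGroupMemberNames $GroupName) -contains $User
    if ($Member -and -not $present) { $group.psbase.Invoke('Add', $path) }
    if (-not $Member -and $present) { $group.psbase.Invoke('Remove', $path) }
}

# Add to the least-privilege group first, then drop the admin membership,
# so the account is never left without the group that grants its rights.
Set-LocalGroupMembership 'Batch Job Users' $Account $true
Set-LocalGroupMembership 'Administrators'  $Account $false

# Confirm what is now stored in the local account database.
foreach ($g in 'Administrators', 'Batch Job Users') {
    '{0}: member = {1}' -f $g, ((Get-LocalGroupMemberNames $g) -contains $Account)
}

# Group membership is read when a logon session is created. Each scheduled
# run performs a fresh batch logon, so the next run gets the new token.
# Show which account the task runs as and when it next fires
# (field labels below are those of an English-language system).
schtasks.exe /Query /TN $TaskName /V /FO LIST |
    Select-String 'Run As User|Next Run Time|Last Run Time|Last Result'
```

An instance of the task that is already running keeps the token it started with, so the reduced privileges only apply from the following run. If that run fails after the change, check its Last Result and whether the account still holds the "Log on as a batch job" right, which Administrators membership had been supplying.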
