Networks

Let me get this straight. You want to create local policies on a server for a user who is not allowed to log on locally to the server?

Usually, when a user logs in remotely they use a domain account...

If you don't know the difference between domain policy and local policy you need to set down the admin password and back away from the terminal slowly. It is not something to be taken lightly. It's easy to set up policies that do nothing and policies that have unintended consequences.

Read this:
http://technet.microsoft.com/en-us/library/cc757601(WS.10).aspx

Near the end it covers local vs. domain policy and the outcome.

I am normally a web application developer, so all of this is rather new to me. My main concern is to do things the right way.

To give you some background, we have a Windows console application that runs through a Scheduled Task under a dedicated service account on a batch server. This service account was set up to be a member of the Administrators group on the batch server. I have been asked to remove this account from the Administrators group and add it to the custom Batch Job Users group.

I hope my question makes more sense now.

This machine with the user account you just changed is part of a domain, right? When in use, it is normally connected to the domain, yes? If so, when a user logs on, they log on to the domain.

Regardless, what you must do is go to the computer, log off the now defunct Admin account, and log on the new user account. It is apparently not logged on. When this domain logon occurs, all policy changes will be applied to the account.

Thank you for your answers.

I am not in a position to log in with the service account without using RDP as I have no physical access to the server.

From discussions with colleagues who have more experience with sys admin functions, I have found that the group membership changes will apparently be applied when the scheduled task next runs as the service account, which solves my problem.