Can Group Policy Use Rules That Refer to Custom Local Groups?
- From: "Will" <westes-usc@xxxxxxxxxxxxxx>
- Date: Tue, 6 Dec 2005 15:21:56 -0800
Can group policy be used to populate each member server with rules that
include local groups that are not BUILTIN groups, but custom? For
example, we want to create a local group on each machine that builds a list
of users that are allowed to run as services (Logon as a Service right in
group policy). We want that group name to be standardized, something like
ServiceUsersGroup. The group policy would then give the Login as a
Service right to a group ServiceUsersGroup, and the contents of that group
gets administered locally since it is a local group.
The reason we wanted to do this is that we wanted to stop applications that
just automatically insert themselves into this right. We want the decision
to run as a service to be a conscious decision that we control and that
can't be done secretly. We also have some service userids that would be
defined at the domain level and would be able to run on any workstation, so
we need group policy for that as well, but we don't want to deny additional
users to be added for specific machines.
What we are finding is that if the local group doesn't exist on a particular
member server, then it appears that group policy simply kicks up a 1202
event code and stops trying to apply itself further.
Are we trying for a design here that Microsoft just didn't anticipate, or is
there a better way to accomplish the same requirements?
--
Will
.
- Prev by Date: Re: Blocking Outlook 2003 Menu Features
- Next by Date: When I install windows server2003 sp1
- Previous by thread: Re: Blocking Outlook 2003 Menu Features
- Next by thread: When I install windows server2003 sp1
- Index(es):
Relevant Pages
|
