Re: Move W2K3 server to its own OU separate from SBS (MyBusiness) OU



California SBS Dreaming wrote:
I think this thread is getting too long and the task I want to really
do is beginning to get more complicated than it should be. All I want
to be able to do is manage the local policies on the member server
and not have it defined by the SBS server. I created a new OU at the
same level as MyBusiness and called it MyCitrix. I thought that was
all that was needed. When I log onto the member server and open the
local policy editor I cannot manage the "log on locally" and the "log
on as a service" policies. These are being defined by the SBS server.
A few simple questions here.
Did I create the new OU - MyCitrix at the wrong level?
How or what do I need to do to be able to manage these policies on the
member server?

This was my point. To the best of my knowledge only domain controllers
have a group policy that defines 'log on locally'. If your 'server' is a
domain controller, then that is appropriate. If it is just a member server,
and it hasn't been inadvertently placed in the domain controllers OU, then
it should not have that policy. Unless someone changed the 'out of the box'
settings of course.

If you want some help diagnosing *why* then your participation is needed.

1) Is the server a DC or *not*? (If you're not sure, we can help you make
that determination.)

2) On the member server, at a command prompt, type the line below. Then
post the gpresult.txt file here.

gpresult /scope computer /z>gpresult.txt

This will detail which policy is setting the 'log on locally'

"MyCitrix" ? Is there something else "special" about this server?




"Les Connor [SBS MVP]" <les.connor@xxxxxxxxxxxx> wrote in message
news:6A5699D0-3DB7-4DB0-91E6-200FF822C98A@xxxxxxxxxxxxxxxx
Ahh, I understand now.

You can create a new OU at the same level (or another, but I'd keep
it within the My Biz structure) create and apply GP with the
settings you want to that OU, and drag the computer object into that
OU. Or, there are other ways.



--
Les Connor [SBS MVP]


"California SBS Dreaming" <noreply@xxxxxxxxxxx> wrote in message
news:uxyXkSIWIHA.3420@xxxxxxxxxxxxxxxxxxxxxxx
For most policies yes I can. But the two I'm concerned about and
need to manage are "allow to log on locally" and "log on as a
service". These services the "Add" option is greyed out because
they are defined and inherited from the SBS server. I'm afraid you
do not quite understand my post Les. I have no problems creating
the local account on the member server. I need to be able to add this
local account to the local policy. Hence my reasoning to moving it
out of the MyBusiness OU. I don't want the member server to get the
policies from the SBS server.

"Les Connor [SBS MVP]" <les.connor@xxxxxxxxxxxx> wrote in message
news:9F2399E5-6A87-4E97-8D42-68267F061F31@xxxxxxxxxxxxxxxx
If you log onto the member server, and right click my computer >
manage, do you not see local users and groups? Can you not add a
local user here, and/or add a domain user account to the local
user group?

--
Les Connor [SBS MVP]


"California SBS Dreaming" <noreply@xxxxxxxxxxx> wrote in message
news:Opng5cGWIHA.5208@xxxxxxxxxxxxxxxxxxxxxxx
Les,
Thank you for taking the time and your input. I stated in
my post that this program "requires" a local non admin account.
It will not work with a domain account. This W2K3 server is a
member server only. So I need to be able to grant this local
account the right to "log on as a service" on the local machine.
Hence the reason why I need to be able to manage the local group
policy on the server.

"Les Connor [SBS MVP]" <les.connor@xxxxxxxxxxxx> wrote in message
news:091C6019-18FA-43D1-A329-9FD15635F5EB@xxxxxxxxxxxxxxxx
Is the member server a DC? If so, it has no local users. I'd
suggest it shouldn't be a DC, but even so, you should be able to
create and use a domain user account for the service.

--
Les Connor [SBS MVP]


"California SBS Dreaming" <noreply@xxxxxxxxxxx> wrote in message
news:O6jT7u7VIHA.5348@xxxxxxxxxxxxxxxxxxxxxxx
I am running SBS 2003 Premium SP1. I've also got a W2K3
Standard SP1 server that is part of the SBS domain. I need to
install an application that requires a non administrative
"local" account and given the right to "log on as a service" on
the local machine. Well my issue is that because the W2K3 server is
in the SBS MyBusiness OU it inherits the GPO from the SBS server and of
course we all know that I cannot add a local machine account to
allow it to "log on as a service". I also cannot edit or add a
local machine account to the local policies. OK not a problem I
said. I'll just create a new OU and move the W2K3 server there
which I did. My problem is that I still cannot add or edit the
"log on as a service" on the local machine. It appears to still
be inheriting its policies from the SBS server. I think my
problem is that I may have created the new OU at the wrong
level of the forest. The SBS "MyBusiness" OU resides on the
tree under domain.local which is the same level where I created
this new OU and moved the W2K3 server to. I want to be able to
control local policies on the W2K3 server. Did I create the OU
at the wrong level of my forest tree?

--
/kj
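
One way to read the gpresult.txt requested in the reply above, as an added example that is not part of the original thread: it reports which OU the computer object sits in and which GPO sets "log on locally" and "log on as a service". The report layout in SAMPLE and every name in it (APPSRV1, example.local, "Example Server Lockdown") are constructed assumptions, not output from the poster's server.

```python
import re

# Constructed sample: names, OU and GPOs are made up, and the layout is an
# assumption about what "gpresult /scope computer /z" prints.
SAMPLE = r"""
    CN=APPSRV1,OU=MyCitrix,DC=example,DC=local
        User Rights
            GPO: Example Server Lockdown
                Policy:            ServiceLogonRight
                Computer Setting:  EXAMPLE\svc-backup
                                   NETWORK SERVICE

            GPO: Default Domain Policy
                Policy:            ChangeNotifyPrivilege
                Computer Setting:  Everyone
            GPO: Example Server Lockdown
                Policy:            InteractiveLogonRight
                Computer Setting:  Administrators
"""
RIGHTS = {"interactivelogonright": "log on locally",
          "servicelogonright": "log on as a service"}
KEY = re.compile(r"^\s*(GPO|Policy|Computer Setting):\s*(.*)$")

def computer_dn(report):
    """Distinguished name of the computer object, which shows the OU it sits in."""
    m = re.search(r"^\s*(CN=\S.*?)\s*$", report, re.M)
    return m.group(1) if m else None

def user_right_sources(report):
    """Map each wanted right to [(gpo, [accounts]), ...]."""
    found, gpo, right, accounts = {}, None, None, None
    for line in report.splitlines():
        m = KEY.match(line)
        if not m:
            # Continuation lines list further accounts; a blank line ends them.
            if accounts is not None and line.strip():
                accounts.append(line.strip())
            else:
                accounts = None
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "GPO":
            gpo, right, accounts = value, None, None
        elif key == "Policy":
            name = re.sub(r"^Se(?=Service|Interactive)", "", value)  # optional prefix
            right, accounts = RIGHTS.get(name.lower()), None
        elif gpo and right:  # "Computer Setting:" line of a wanted right
            accounts = [value]
            found.setdefault(right, []).append((gpo, accounts))
    return found
```

An empty result for a right means no domain GPO in the report defines it, so the member server's local policy is the place it is set.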

