David Overton's Blog and Discussion Site
Enabling Log on as a Service for a local user

I came across a situation on our network where we needed to give a local user the right to "Log on as a Service" on one of our servers. This was to support a LOB application that we run on a server here in our office. The problem I had was that for both the "Log on as a service" and the "Log on as a Batch job" the "Add User or Group" button was greyed out. This is because our SBS 2003 box has a Domain Group Policy which sets the rights to these services at a Domain level and stops any changes being made elsewhere.

To get around this I did the following:

1) Logon to the server in question as Domain Administrator. Open up the Active Directory Users & Computers (ADUC) snap-in.
2) Right click on the Domain and choose Properties. Click on the Group Policy tab and open the group policies. You have to do this unless you install the GPMC on the server.
3) Create a new Group Policy and name it something appropriate.
4) Navigate to Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment
5) Double click on the item you want to alter and click on Add User or Group.
6) Click on Browse and change the From this Location to the local machine (if you don't do this you only see domain users)
7) Enter the username (or click the Advanced button - I'm not going into how to use that here)
8) Click OK a few times until you see the local username in the Properties box.

Now you need to set this GPO so that it only applies to the machine in question. You can do this through permissions, but I decided to do it via a WMI Filter.

1) On your DC with the GPMC installed right-click on the WMI Filter item and choose New.
2) Give it a meaningful name and description and click on Add.
3) You don't need to change the namespace. Type the following (or copy and paste if you prefer) into the Query box:

SELECT * FROM Win32_ComputerSystem WHERE Name = '<computername>'

Change <computername> to the name of the server you want the GPO to act upon.

4) Click OK a few times.

Now you need to apply this filter to the GPO created above:

1) In the GPMC right-click on the GPO and choose Edit.
2) Right-click on the GPO name at the top of the MMC left-hand column and choose Properties
3) Click on the WMI Filter tab and then click on This Filter and then on Browse / Manage
4) Choose the WMI Filter you created above and then click OK a few times.

I also found that I needed to set the GPO to be Enforced (right-click on it in the GPMC and check Enforced) and to run a GPUPDATE /force on the server. This also required a reboot of the server.
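The steps above leave two things worth checking before you trust the result: that the WMI filter's query really matches the intended server (a typo in the name produces a GPO that silently never applies), and that the user right, once the GPO has been applied and the box rebooted, is held by exactly the accounts you expect and nobody else. The following PowerShell is an added verification script, not part of the original post; it assumes an elevated session on the target server itself, and the names Test-WmiFilterMatch, Get-LogonRightHolders and the placeholder server name SERVER01 are my own.

```powershell
# Added verification script (not from the original post). Run in an elevated
# PowerShell session on the server the GPO is meant to target.
# SERVER01 is a placeholder: use the same name you typed into the WMI filter.
$TargetName = 'SERVER01'

# 1. Run the WMI filter's own WQL locally. A GPMC WMI filter applies the GPO
#    only when the query returns at least one instance, so an empty result here
#    means the GPO will never reach this machine.
function Test-WmiFilterMatch {
    param([string]$Name)
    $query = "SELECT * FROM Win32_ComputerSystem WHERE Name = '$Name'"
    $hit = Get-CimInstance -Query $query -ErrorAction Stop
    return [bool]$hit
}

# 2. List who holds the two user rights discussed in the post. secedit exports
#    the effective local policy to an INF whose [Privilege Rights] section has
#    one line per right, with holders given as *SID or as account names.
function Get-LogonRightHolders {
    param([string[]]$Rights = @('SeServiceLogonRight', 'SeBatchLogonRight'))
    $inf = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
    try {
        $null = secedit /export /cfg $inf /areas USER_RIGHTS
        $lines = Get-Content $inf
        foreach ($right in $Rights) {
            $line = $lines | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
            $holders = @()
            if ($line) {
                $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
                    $entry = $_.Trim()
                    if ($entry.StartsWith('*')) {
                        # Translate the SID to a readable account name where possible;
                        # fall back to the raw SID for accounts that no longer resolve.
                        try {
                            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                            $sid.Translate([System.Security.Principal.NTAccount]).Value
                        } catch { $entry }
                    } else { $entry }
                }
            }
            [pscustomobject]@{ Right = $right; Holders = ($holders -join '; ') }
        }
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
}

if (-not (Test-WmiFilterMatch -Name $TargetName)) {
    Write-Warning "WMI filter query does not match this machine; the GPO will not apply here."
}
Get-LogonRightHolders | Format-Table -AutoSize

# Optional: confirm which GPO (and which WMI filter) actually delivered the
# setting after GPUPDATE /force and the reboot.
# gpresult /r /scope computer
```

Two points to keep in mind when reading the output. The filter matches on the computer name, so renaming the server (or building a replacement with the same name) changes which machine receives the right; the first check catches the former, but only a review of the GPO link and filter catches the latter. And because "Log on as a service" and "Log on as a batch job" are granted as a full replacement list rather than added to, the second check is the quickest way to see whether pushing the GPO dropped a holder the server still depends on, or granted the right more widely than the one LOB account you intended.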

Trust this is of some help to someone.


Posted Feb 17 2007, 05:48 PM by Ian Watkins

Comments

Tim Long wrote re: Enabling Log on as a Service for a local user
on Sat, Feb 17 2007 10:37 PM

I think group policy is under-utilised in the SME space, perhaps not least because the SBS team themselves seem to have an aversion to it.

Just curious, what led you to choose a WMI filter over permissions?

Ian Watkins wrote re: Enabling Log on as a Service for a local user
on Sun, Feb 18 2007 2:17 PM

Because it seemed easier to write a WMI Filter than faff about with Permissions :-)

I think it's also easier to document and reproduce.

Jonathan Williams wrote re: Enabling Log on as a Service for a local user
on Mon, Oct 29 2007 1:47 PM

Can you help me to log on to my computer as a local user? Our IT lot insist that they can't enable this - some b.s to do with Vista - but I desperately need to control this machine at local level. I have the requisite security clearance to log in as an administrator on the network...but not on the local machine!!

Bob Patel wrote re: Enabling Log on as a Service for a local user
on Tue, Oct 7 2008 8:16 PM

Ian,  Thanks for writing this. Got me past the "greyed out button" problem. I did not have to go the WMI route since I only needed to add the particular user account to the "log on as service" item and then push the GPO out.  Much appreciated!

(c)David Overton 2006-8