Merging Local Policy and Group Policy

    Question

  • Hi,

    Today I have come across a requirement where a development team wants to grant the LOGON AS A SERVICE right to a local user on a few servers. At present this policy setting is applied by a GPO, which grants the permission to a list of user accounts.

    The GPO is also applied to many other computers, so modifying this GPO will affect all the clients and servers where it is applied.

    I want to just add a local user to the list of users who have logon as a service.

    Can I add another GPO and apply it only to specific servers? Will it merge or overwrite the other policy setting?
    Or can I add a specific user via local policy? Is there any setting to modify in the GPO or on the local system to achieve this?

    Also, let me know how to add a local user account in the above policy setting in a GPO.
    Just the user name?
    e.g. for a domain user: "domain\user"
    for a local user: "user"

    Thanks!!

    Wednesday, March 30, 2016 1:01 PM

Answers

  • > You will want to create another GPO applied to just those servers.
    > Ensure that it processes after the original GPO.
     
    ...and it will NOT merge, it will override. To add a local user, simply
    type the username without any domain part.
     
    If you want this setting to be "merge enabled", you can create a local
    group on each computer and grant this group. Then simply add members as
    required :)
     
    • Marked as answer by subhashm Thursday, March 31, 2016 12:23 PM
    Wednesday, March 30, 2016 4:18 PM
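    The local-group workaround from the answer above, written out as an added PowerShell example (it is not code from the thread). It assumes the GPO already grants "Log on as a service" to a local group named SvcLogonUsers (placeholder), that the account svcapp (placeholder) already exists, and that it runs elevated on Windows PowerShell 5.1 or later, where the LocalAccounts cmdlets are available.

    ```powershell
    # Added example, not from the original thread.
    # Placeholders: the group the GPO grants the right to, and the account to add.
    $GroupName = 'SvcLogonUsers'
    $Member    = 'svcapp'

    # 1. Create the local group once per server (idempotent). The GPO grants
    #    SeServiceLogonRight to this group, so the GPO's REPLACE semantics no
    #    longer matter: membership is managed locally and effectively "merges".
    if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $GroupName -Description 'Log on as a service (granted by GPO)'
    }

    # 2. Add the local account to the group if it is not already a member.
    if (-not (Get-LocalGroupMember -Group $GroupName -Member $Member -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group $GroupName -Member $Member
    }

    # 3. Verify the effective right after a 'gpupdate /force': export the local
    #    security database and read the SeServiceLogonRight line. secedit lists
    #    principals as *SID or as a bare account name, so handle both forms.
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight' }
    Remove-Item $cfg -ErrorAction SilentlyContinue

    $principals = ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }

    'Accounts and groups holding SeServiceLogonRight on this server:'
    foreach ($p in $principals) {
        if ($p -match '^S-1-') {
            # Translate SIDs to names; keep the raw SID if it cannot be resolved.
            try { ([System.Security.Principal.SecurityIdentifier]$p).Translate(
                      [System.Security.Principal.NTAccount]).Value }
            catch { $p }
        } else { $p }
    }
    ```

    If the original GPO's user list is gone from the output, the new GPO replaced it rather than merged it, which is the behaviour the thread describes; putting the original accounts into the same local group (or a domain group) restores them.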

All replies

  • You will want to create another GPO applied to just those servers. Ensure that it processes after the original GPO.

    If my answer helped you, check out my blog: Deploy Happiness

    Wednesday, March 30, 2016 1:44 PM
  • Thanks.

    I tried this, but it replaced the accounts added by the default GPO.

    Is this expected behavior, or did I do anything wrong?

    Wednesday, March 30, 2016 4:50 PM
  • Hi,

    The Group Policy processing order is Local Group Policy object -> Site -> Domain -> Organizational units. If the Group Policies are not conflicting, they will be merged. If the Group Policies are conflicting, the precedence is Organizational units > Domain > Site > Local Group Policy object. If multiple GPOs are applied to the same OU they will be applied in the order they are listed in the GPMC, with the latter winning out. You should use the RSOP console if you are having conflicting GPO issues.

    For more information, please refer to the following Microsoft TechNet article:

    Group Policy processing and precedence

    http://technet.microsoft.com/en-us/library/cc785665(WS.10).aspx

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, March 31, 2016 2:55 AM
    Moderator
  • Subhashm, yes that is exactly the expected behavior.  As far as I have been able to determine, this setting in a GPO is only able to REPLACE.

    Alvin,  how is this an answer?  If you read the question, you can see that he wants to MERGE his new GPO, either with an earlier-processed GPO, or with whatever the local setting already is--the order of processing in either case is completely immaterial!

    I am clarifying this, because I have the exact same need.  Martin's post gave somewhat of a workaround--and is frankly the best option I have read yet.  I wasn't sure if the "Log on as a service" setting would behave appropriately with a "group", but if that works, it may very well provide me with at least some semblance of a solution.

    Thursday, March 31, 2016 6:57 PM
  • Hi,

    Thanks for your clarification and sorry for my misunderstanding. I will unmark my reply as answer.

    Best Regards,

    Alvin Wang


    Friday, April 1, 2016 1:40 AM
    Moderator