granting 'log on as a batch job' right to local group

    Question

  • I'm using GPP to push a local group to some servers.

    I want to use group policy to grant the "log on as a batch job" to that local group.

    But I do not want to make any changes to the users and groups that already have that permission. By default it's Administrators and Backup Operators, but some of my servers may already have other users and groups configured. I just want to *add* this new group to the existing list of users and groups who have this right, on each server that gets the policy.

    But it appears that if I grant this right with domain group policy, *only* the users and groups I set in the domain group policy will get the right, and anything that's already configured in the local group policy on each server will get blown away. Is that accurate? Any way around this?


    • Edited by John_Curtiss Thursday, February 26, 2015 9:39 PM
    Thursday, February 26, 2015 9:38 PM

All replies

  • > but it appears that if I grant this right with domain group policy,
    > *only* the users and groups I set in the domain group policy will get
    > the right, and anything that's already configured in the local group
     
    Yes, this privilege (and all others) is not additive - last writer
    wins. Add your local group to your domain GPO and you'll be fine. Do NOT
    use the object picker, simply enter the name in the box.
     

    Martin

    How about reading a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Friday, February 27, 2015 11:05 AM
  • Martin,

    I'm a little confused how "last writer wins" and "add your local group to your domain GPO and you'll be fine" can both be true at the same time...

    If serverX currently has a local GPO that grants UserX and GroupY the "log on as a batch" right, and I configure domain GPO Z to grant that right to GroupZ, UserX and GroupY are going to lose that right, in which case I will not be fine. Correct?

    Saturday, February 28, 2015 2:45 AM
  • > if serverX currently has a local GPO that grants UserX and GroupY the
    > "log on as a batch" right, and I configure domain GPO Z to grant that
    > right to GroupZ, UserX and GroupY are going to lose that right, in which
    > case I will not be fine. correct?
     
    Yes. Add UserX and GroupY to your domain GPO.
     

    Martin

    How about reading a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Monday, March 02, 2015 10:31 AM
  • My point is it's possible that each of servers x, y, and z currently has a unique set of users and groups in its local group policy. Using a single domain GPO will break that. Is there a way (PowerShell?) to scan each server's local GPO for this setting?
    Monday, March 02, 2015 3:05 PM
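
One way to do the scan asked about in the last post, as an added example that is not from any participant in this thread: export each server's current user-rights assignments with `secedit` and read the `SeBatchLogonRight` ("Log on as a batch job") entry. It assumes PowerShell remoting is enabled, the caller is a local administrator on every target, and the server names are placeholders.

```powershell
# Placeholder server names (assumption): replace with the real targets.
$servers = 'SERVER-X', 'SERVER-Y', 'SERVER-Z'

$scan = {
    # Export the user-rights assignments currently in effect to a temp INF file.
    $inf = Join-Path $env:TEMP ("user_rights_{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $line = Get-Content -Path $inf |
            Where-Object { $_ -match '^\s*SeBatchLogonRight\s*=' } |
            Select-Object -First 1
    }
    finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
    if (-not $line) { return }   # nobody holds the right on this server

    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        $name = $entry
        if ($entry.StartsWith('*')) {
            # Entries prefixed with '*' are SIDs; resolve them where possible.
            $sid = $entry.TrimStart('*')
            try {
                $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                    Translate([System.Security.Principal.NTAccount]).Value
            }
            catch { $name = "$sid (unresolved)" }
        }
        [pscustomobject]@{ Server = $env:COMPUTERNAME; Principal = $name; Raw = $entry }
    }
}

$holders = Invoke-Command -ComputerName $servers -ScriptBlock $scan |
    Select-Object Server, Principal, Raw

# Who holds the right on each server.
$holders | Sort-Object Server, Principal | Format-Table -AutoSize

# Principals that are NOT present on every server: these are the per-server
# differences a single domain GPO value would overwrite.
$holders | Group-Object Principal |
    Where-Object { $_.Count -lt $servers.Count } |
    Select-Object Name, @{ n = 'Servers'; e = { $_.Group.Server -join ', ' } }
```

The second table shows which accounts differ between servers before one domain-wide list replaces them.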