Unable to Change Security Settings / Log on as Batch Service on Server Core
Question
-
I have a Windows Server Core 2019 VM. I need to change the security settings on it--more specifically, I need to change the settings to log on as a batch job.
On GUI systems, it's easy: you run gpedit.msc and expand down until you get to the setting:
Of course Server Core doesn't have the MMC so this needs to be done remotely. On another Windows 2019 server with a GUI, I open the mmc. I add the snap-in "Group Policy Object Editor". I then specify the remote Server Core VM. However, the necessary security settings are not there--in particular, the User Rights Assignment node is gone.
How do you change the settings under User Rights Assignment on a Core server?
Answers
-
Hello,
Thank you for posting in our TechNet forum.
According to your description and screenshots, you could go to Computer Configuration -> Windows Settings -> Security Settings -> User Rights Assignment ->Log on as a batch job on GUI. But the User Right Assignment node is gone when you remotely connect to Server core with another Window Server 2019.
We did a test in our lab. When on a Windows 2016 server with a GUI, I open the mmc and add the snap-in "Group Policy Object Editor" and connect to another machine. Then I encounter the same situation as you mentioned.
So I think we cannot change Security Settings / Log on as Batch Service on Server Core through such method.
But through my search, research and test, to configure Log on as a batch job policy on a server core machine, we can try the following steps:
Step1. We can first configure the Log on as a batch job policy on a Windows Server 2019 with GUI.
1.Open MMC.exe and add Security Templates, click OK.
2.New Template and type the template name.
3.Navigate to Computer Configuration-->Policies-->Windows Settings-->Security Settings-->Local Policies-->User Rights Assignment-->log on as a batch job, then add the original default three groups (Administrators, Backup Operators and Performance Log Users) and the users or groups we want.
Step2. Export the configured policy to a .inf file on the Windows Server 2019 with GUI. Right click the template name and select “Save as”.
We can change the default path (C:\Users\Administrator\Documents\Security\Templates) to C: drive as below.
Step3. Copy this inf file to Windows Server core 2019 on Windows server 2019 with GUI.
Run the command on Windows server 2019 with GUI: copy C:\NewTem.inf \\ServerCoreMachineName\C$\NewTem.inf
For example:
Step4. And then use the “secedit” tool to import the group policy settings on the Windows Server Core 2019.
Run the command on Windows server core 2019: Secedit /configure /db C:\NewTem.sdb /cfg C:\NewTem.inf
Step5. Check if we configure the policy successfully on Windows server core 2019.
Tip: I think our two windows server 2019 are in the domain, we can also configure the policy through the domain GPO and apply the GPO to the Windows server core 2019.
Reference:
secedit:export
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/secedit-export
Best regards,
Hannah XiongPlease remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.- Marked as answer by Mike_Business Monday, January 13, 2020 7:47 PM
All replies
-
Hello,
Thank you for posting in our TechNet forum.
According to your description and screenshots, you could go to Computer Configuration -> Windows Settings -> Security Settings -> User Rights Assignment ->Log on as a batch job on GUI. But the User Right Assignment node is gone when you remotely connect to Server core with another Window Server 2019.
We did a test in our lab. When on a Windows 2016 server with a GUI, I open the mmc and add the snap-in "Group Policy Object Editor" and connect to another machine. Then I encounter the same situation as you mentioned.
So I think we cannot change Security Settings / Log on as Batch Service on Server Core through such method.
But through my search, research and test, to configure Log on as a batch job policy on a server core machine, we can try the following steps:
Step1. We can first configure the Log on as a batch job policy on a Windows Server 2019 with GUI.
1.Open MMC.exe and add Security Templates, click OK.
2.New Template and type the template name.
3.Navigate to Computer Configuration-->Policies-->Windows Settings-->Security Settings-->Local Policies-->User Rights Assignment-->log on as a batch job, then add the original default three groups (Administrators, Backup Operators and Performance Log Users) and the users or groups we want.
Step2. Export the configured policy to a .inf file on the Windows Server 2019 with GUI. Right click the template name and select “Save as”.
We can change the default path (C:\Users\Administrator\Documents\Security\Templates) to C: drive as below.
Step3. Copy this inf file to Windows Server core 2019 on Windows server 2019 with GUI.
Run the command on Windows server 2019 with GUI: copy C:\NewTem.inf \\ServerCoreMachineName\C$\NewTem.inf
For example:
Step4. And then use the “secedit” tool to import the group policy settings on the Windows Server Core 2019.
Run the command on Windows server core 2019: Secedit /configure /db C:\NewTem.sdb /cfg C:\NewTem.inf
Step5. Check if we configure the policy successfully on Windows server core 2019.
Tip: I think our two windows server 2019 are in the domain, we can also configure the policy through the domain GPO and apply the GPO to the Windows server core 2019.
Reference:
secedit:export
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/secedit-export
Best regards,
Hannah XiongPlease remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.- Marked as answer by Mike_Business Monday, January 13, 2020 7:47 PM
