Can't enable debug privileges for a user account


  • We are following the instructions found here:
    in an attempt to give debug privileges to a user in one of our Windows Server 2003 SP2 boxes.

    When we open the properties of the 'Debug Programs' policy in the server's Local Security Settings, the 'Add User or Group' button and 'Remove' buttons are greyed out.  Somehow three users are currently listed, but we can't add more.

    Our theory is that these privileges are being populated by Active Directory (a different 2003 SP2 server on our network), but we're not sure how.
    We see a Group called "Debugger Privileges" in our Active Directory server, and added the user there, but it doesn't appear to be propagating to the other servers on the domain.

    Can anyone help?
    Let me know if you need more information.


    Thursday, December 31, 2009 9:05 PM


  • Hello Pug2694328,

    To set the "Debug Programs" policy in other member servers in your domain, you need to assign a domain group policy to these servers. You can follow the steps below:

    1. In Active Directory Users and Computers, right-click the target server's container (OU) to which you want to link the GPO, click Properties, and then click the Group Policy tab.
    2. Create a new GPO for giving debug privileges on servers, and then give the new GPO a descriptive name.
    3. While the new GPO is selected, click Edit. This starts the Group Policy Object Editor.
    4. Open and then right-click Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment | Debug Programs in the GPO, and then click the Add new user or group button.
    5. Click the Advanced button.
    6. Click the Find Now button.
    7. Select your user logon name and then click the OK button.
    8. Click the OK button 2 more times.
    9. Run "gpupdate /force" on the target servers.
    10. Run "rsop.msc" to verify whether the "Debug Programs" group policy has been applied.

    If you want to configure this policy for DCs, you need to modify the above policy in ADUC's default domain controller policy.

    More information at:

    Best regards,
    Wilson Jia

    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Wilson Jia Wednesday, January 06, 2010 1:58 AM
    Monday, January 04, 2010 9:40 AM
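
A scripted alternative to the visual check in step 10, added here as an example and not part of the original thread: it parses the [Privilege Rights] section of a secedit export and lists the accounts holding SeDebugPrivilege, the constant behind "Debug Programs". It assumes PowerShell is installed on the server (it is not part of a default Windows Server 2003 install); the function name Get-PrivilegeHolders is hypothetical and the sample export lines are constructed.

```powershell
function Get-PrivilegeHolders {
    param(
        [string[]]$InfLines,                      # lines of a secedit /export file
        [string]$Privilege = 'SeDebugPrivilege'   # constant behind "Debug Programs"
    )
    $pattern = '^' + [regex]::Escape($Privilege) + '\s*=\s*(.*)$'
    $inSection = $false
    foreach ($line in $InfLines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            # User rights are listed only in the [Privilege Rights] section
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection) { continue }
        if ($text -match $pattern) {
            foreach ($entry in $Matches[1].Split(',')) {
                $e = $entry.Trim()
                if ($e -eq '') { continue }
                if ($e.StartsWith('*')) {
                    # A leading * marks a SID; try to resolve it to an account name
                    $sid = $e.Substring(1)
                    try {
                        $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
                        $name = $id.Translate([System.Security.Principal.NTAccount]).Value
                    } catch { $name = '(unresolved)' }
                    New-Object PSObject -Property @{ Sid = $sid; Account = $name }
                } else {
                    # Entries without * are already account names
                    New-Object PSObject -Property @{ Sid = ''; Account = $e }
                }
            }
        }
    }
}

# Constructed sample of a secedit export (the domain SID is made up)
$sample = @(
    '[Unicode]',
    'Unicode=yes',
    '[Privilege Rights]',
    'SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551',
    'SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105',
    '[Version]'
)
Get-PrivilegeHolders -InfLines $sample

# On the server itself, from an elevated prompt:
#   secedit /export /areas USER_RIGHTS /cfg "$env:TEMP\rights.inf"
#   Get-PrivilegeHolders -InfLines (Get-Content "$env:TEMP\rights.inf")
```

Running the export before and after "gpupdate /force" shows whether the GPO changed the assignment, and any account listed beyond the ones you intended is worth reviewing, since this right allows attaching to processes owned by other accounts.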