assign local access rights via gpo??

KingE

MIS
Nov 4, 2002
I have several legacy applications which I just can't get rid of, and so I need to find a way to give AD domain users local power user access without going to each machine. I have been told you can control security with GPOs and was wondering if I can assign users the access of a local power user, and how do I do it?

KingE

MCP, MCSE-NT4.0
 
One part is user rights, which you can certainly apply via GPO. The other is file system permissions. You'll need to get very specific about what these programs require.

 
I am not going to give access to every file that is needed because this would be very cumbersome. The program runs fine via a domain user with local power user access. I want to grant this access to all OU users so that I don't have to do it manually on all machines affected by this OU. My domain GPOs lock down the workstation to counterbalance the access.

Most legacy applications would either write to or require modify rights to individual files contained within the windows and system32 directories, which a domain user does not have access to. Some of these files are shared Windows files.

How can I supply local user rights via GPO? This is for local access only.

KingE

MCP, MCSE-NT4.0
 
You really can't do it with a GPO directly.

What you can do is create your own security template, create a security database off of that template and then use a VBS script in a GPO to force the import and application of that database.

You can access the templates and create a database in the MMC Security snap-ins (there are only 2 in the default list).

You will then want to script running SECEDIT to import the data.

secedit /configure /db FileName [/cfg FileName] [/overwrite] [/areas area1 area2...] [/log FileName] [/quiet]

Parameters

/db FileName
Required. Provides the file name of a database that contains the security template that should be applied.

/cfg FileName
Specifies the file name of the security template that will be imported into the database and applied to the system. This command-line option is only valid when used with the /db parameter. If this is not specified, the template that is already stored in the database is applied.

/overwrite
Specifies whether the security template in the /cfg parameter should overwrite any template or composite template that is stored in the database instead of appending the results to the stored template. This command-line option is only valid when the /cfg parameter is also used. If this is not specified, the template in the /cfg parameter is appended to the stored template.

/areas area1 area2...
Specifies the security areas to be applied to the system. If an area is not specified, all areas are applied to the system. Each area should be separated by a space.

Area name        Description
SECURITYPOLICY   Local policy and domain policy for the system, including account policies, audit policies, and so on.
GROUP_MGMT       Restricted group settings for any groups specified in the security template
USER_RIGHTS      User logon rights and granting of privileges
REGKEYS          Security on local registry keys
FILESTORE        Security on local file storage
SERVICES         Security for all defined services

/log FileName
Specifies the file name of the log file for the process. If it is not specified, the default path is used.

/quiet
Suppresses screen and log output.
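
An added example, not part of the original post: a PowerShell startup script (used here instead of the VBS the reply mentions) that writes a restricted-groups template for the built-in Power Users group and applies only that area with secedit /configure. The domain group CONTOSO\LegacyAppUsers and the working folder are placeholder assumptions, not values from the thread.

```powershell
# Added example: intended to run as a computer startup script (SYSTEM context)
# delivered by a GPO linked to the OU that holds the affected workstations.
# Assumptions (not from the thread): the domain group name and the working
# folder below are placeholders.
$ErrorActionPreference = 'Stop'

$group    = 'CONTOSO\LegacyAppUsers'                        # hypothetical group
$workDir  = Join-Path $env:SystemRoot 'Security\LegacyApp'  # hypothetical folder
$template = Join-Path $workDir 'poweruser.inf'
$database = Join-Path $workDir 'poweruser.sdb'
$log      = Join-Path $workDir 'poweruser.log'

New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Restricted-group template. S-1-5-32-547 is the well-known SID of the
# built-in Power Users group. "__Members" is authoritative: when applied,
# any account not listed here is removed from the group.
$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Group Membership]
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members = $group
"@

# Security templates are Unicode (UTF-16) text files.
Set-Content -Path $template -Value $inf -Encoding Unicode

# Import the template into the database and apply only the GROUP_MGMT area,
# so user rights, registry ACLs and file ACLs on the machine are not touched.
& secedit.exe /configure /db $database /cfg $template /areas GROUP_MGMT /log $log

if ($LASTEXITCODE -ne 0) {
    throw "secedit exited with code $LASTEXITCODE; check $log"
}

# Verify: list the members of the local group after the template is applied.
# (The group name is localized on non-English Windows installations.)
& net.exe localgroup 'Power Users'
```

Scoping the group to an OU-specific domain group keeps the elevated membership limited to the workstations and users that need the legacy applications.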
 