User Rights Assignment Security Setting

[johne417]

I went into Administrative Tools -> Local Security Policy and changed one (Shut down the system) to be only one user allowed to shut down our server (myself). I now need to go back in and add another user to have this access. However, the Add User or Group and Remove buttons are disabled. I can't access this feature at all. Logged in as myself (a domain admin) or even the local Administrator account on the box doesn't matter.

On a Windows 2000 box I did the same thing and I can go back in and adjust the settings fine.

Does 2003 have something where if you set the properties on a User Rights and Assignment, you have to do something special to change it again in the future?

Thanks in advance for any help.

 

[techsupportgirl]

John,

You should be setting security policies on a domain controller through either

Start>Program Files>Administrative Tools>Domain Security Policy or Start>Program Files>Administrative Tools>Domain Controller Security Policy. The former applies to the entire domain, the latter just the domain controller computer itself.

You stated you went to Start>Program Files>Administrative Tools>Local Security Policy. There is no such path on a domain controller, only the two I just mentioned.

If you set any local policy and it is now greyed out you most likely did it through Group Policy Editor or gpedit.msc which isn't going to help you.

Go back into gpedit.msc by typing that into the run box and take out whomever you put under "Shut down system". The default people who are allowed in the local policy are:

Administrators
Server Operators
Backup Operators
Print Operators

On the paths I listed above (the domain security policies), there are no users or groups defined by default.

You can sit there setting people in the group policy all the live long day and it will not work because they are going to get their rights from the domain's security policy first.

If you didn't do it in gpedit.msc but through the path I listed above (and you just typed the wrong thing in your post) and it's still greyed out, my question to you is, did you reboot the domain controller?

Even though Domain Controllers refresh their security policies every 5 minutes and you are not prompted to reboot the controller after making a change, I would anyway just to be sure.

Other than what I mentioned, I don't know of any other reason why it would be greyed out. In every case of "greying out", people set the policy in the wrong place.

Hope this is the solution.

 

[johne417]

techsupportgirl,

I found my problem. You were correct in assuming that I had set the policy in the wrong place. Actually, multiple places. In addition to setting the rule in the Local Security Settings of each server, I had also logged into one of our Domain Servers and set a Domain Security Policy rule there, which overran all the Local Security Settings rules...Removed the Domain Security Policy, logged back into the other servers, and the Local Security Policy were visible again. Im such a dumbbutt sometimes.

 

[techsupportgirl]

You are NOT dumb, John. Everyone is entitled to make a mistake. Heck, I make em daily. You did the right thing by asking for help and see, you figured out. Way to go!