I am not much of a server administrator, but get my feet wet when I have to.

Right now I'm running some COTS software on a Windows 2008 Server machine. The software installer creates a few user accounts for running its processes, and then gives those users the right to "log on as a batch job".

Every so often (e.g. yesterday at 2:52pm and this morning at 7:50am), those rights disappear. The software then stops working. I can verify that the user rights are gone by using

secedit /export /cfg e:\temp\uraExp.inf /areas USER_RIGHTS

and I have a script that does this every 30 seconds and logs the results with a timestamp, so I know when the rights disappear.

What I see from the export is that in the "good" state, i.e. after I install the software and it's working correctly, the line for SeBatchLogonRight from the secedit export includes the user accounts created by the software. But every few hours (sometimes more), those user accounts are removed from that line. The same thing can be seen by using the GUI tool Local Security Policy > Security Settings > Local Policies > User Rights Assignment > Log on as a batch job: in the "good" state, that policy includes the needed user accounts, and in the bad state, the policy does not.

Based on the above-mentioned logging script and the timestamps at which the user rights are being removed, I can see clearly that some GPOs are causing the change. The GPO Operational log shows GPOs being processed at exactly the right times. E.g.:

Starting Registry Extension Processing.
List of applicable GPOs: (Changes were detected.)
Local Group Policy

I have run GPOs on demand using gpupdate /force, and was able to verify that this caused the User Rights to be removed.

We have looked over local group policies till our eyes are crossed, trying to figure out which one might be stripping these User Rights to "log on as a batch job." We have not configured any local group policies on this machine, that we know of; so is there a default local group policy that might typically do such a thing? Are there typical domain policies that would do this?

I have been working with our IT staff colleagues to troubleshoot the problem, but none of them are really GPO experts... They wear many hats, and they do what they need to do in order to keep most things running.

Any suggestions would be greatly appreciated!

LarsH
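Added example, not the asker's own script: a PowerShell monitor along the lines of the one described above. It re-runs the secedit export on a timer, parses the SeBatchLogonRight line, reports which accounts have disappeared since the baseline, and pulls the Group Policy Operational log events from the same window so each removal can be matched to a policy processing run. The export path, baseline list and interval are assumptions (parameters); the commands used are standard secedit and PowerShell 2.0 features.

```powershell
# Hypothetical monitor for the "log on as a batch job" right (added example).
# Assumed inputs: $ExportPath (where secedit writes the INF), $Baseline (accounts
# expected to hold the right; defaults to the current state), $IntervalSeconds.
param(
    [string]$ExportPath = 'e:\temp\uraExp.inf',
    [string[]]$Baseline,
    [int]$IntervalSeconds = 30
)

function Get-BatchLogonRight {
    param([string]$Path)
    # secedit writes a UTF-16 INF; user rights live under [Privilege Rights]
    & secedit /export /cfg $Path /areas USER_RIGHTS /quiet | Out-Null
    $line = Get-Content -Path $Path -Encoding Unicode |
        Where-Object { $_ -match '^SeBatchLogonRight\s*=' }
    if (-not $line) { return @() }          # right currently assigned to nobody
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # Entries prefixed with * are SIDs; translate to DOMAIN\name where possible
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }
        } else { $entry }
    }
}

function Get-RecentGpoEvents {
    param([datetime]$Since)
    # Same log the asker consulted; first line of each message is enough to spot the CSE run
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-GroupPolicy/Operational'; StartTime = $Since } |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

if (-not $Baseline) { $Baseline = Get-BatchLogonRight -Path $ExportPath }
"{0:u} baseline SeBatchLogonRight: {1}" -f (Get-Date), ($Baseline -join ', ')

while ($true) {
    $checked = Get-Date
    $current = Get-BatchLogonRight -Path $ExportPath
    $missing = $Baseline | Where-Object { $current -notcontains $_ }
    if ($missing) {
        "{0:u} SeBatchLogonRight lost: {1}" -f $checked, ($missing -join ', ')
        Get-RecentGpoEvents -Since $checked.AddSeconds(-$IntervalSeconds) | Format-Table -AutoSize
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

Run it from an elevated prompt and redirect the output to a log file; a removal line followed by Group Policy events in the same 30-second window is the correlation the question describes.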

1 Answer

The "Resultant Set of Policy" tool will help you out here; it's at the bottom of the left sidebar in Group Policy Management Console.

Point it at the machine, then on the settings tab, you'll find each item set by policies applied to the system, and which GPO that setting came from.

Shane Madden
  • Thanks very much. I'm now looking into this. (I had to add the RSoP snap-in first.) – LarsH Apr 14 '11 at 20:18
  • Aha... it looks like this is coming from the Default Domain Policy, according to RSOP! So the Default Domain Policy has a setting for "Log on as a batch job" which is just "Administrators,DOMAIN\Domain Users", which overrides our local expanded value. This is good progress! Follow-up question: how can we create an exception for just this server for just that policy ("log on as a batch job")? We don't want to exempt the server from *all* default domain policy settings... – LarsH Apr 14 '11 at 21:07
  • Create a new GPO that sets the desired value, and link it to an OU that's closer to the computer than the one you want to override. As long as the Default Domain Policy isn't set to "enforce" mode, the more specific link prevails. – Shane Madden Apr 14 '11 at 21:13
  • It doesn't need to be linked closer to the target; it just needs to be at a higher precedence (lower link order) than the Default Domain Policy so that it's applied later than the Default Domain Policy. Both policies can be linked at the domain level. – joeqwerty Apr 15 '11 at 00:12
  • @joeqwerty Fair enough! I'm having a hard time balancing thorough explanation of GPO inheritance against a need for brevity (which is why I opted not to go into precedence of links on a single object, inheritance blocking, links to sites, or how loopback processing fits in). I appreciate the help in pointing out stuff that's relevant to the question like being able to link this on the domain. – Shane Madden Apr 15 '11 at 01:23
  • @Shane: Gotcha. Explaining Group Policy and the processing thereof can get a bit convoluted. – joeqwerty Apr 15 '11 at 01:39
  • @Shane, do you know if the Default Domain Policy setting we have, i.e. "Log on as a batch job" being set to a specific value that overrides any local settings, is typical? The company whose software relies on this value didn't seem to be able to troubleshoot the problem; should they be aware that it's likely to happen often? It took us a long time to troubleshoot and I'd like to be able to think we helped save other users some time and effort. – LarsH Apr 15 '11 at 14:48
  • It's not typical (or default) to have those settings managed by Group Policy; typically your settings will vary from machine to machine for most of those User Rights Assignment policies (different scheduled tasks, different services, all with different accounts), which doesn't make it a good candidate for blanket policy. One approach worth considering is: for instance, you don't want to let service accounts log in interactively. Have group policy manage just the "Deny" aspect of the right, and deny interactive login to a domain group containing those accounts. – Shane Madden Apr 15 '11 at 14:57
  • @LarsH: Just to chime in again (not that Shane needs my help), those settings are not typically configured in the Default Domain Policy. They are set to "not configured" in a default install of AD, when the default Group Policy objects are created, so it's unlikely that the developers have seen your particular problem before and it's not very likely that they'll see it again. – joeqwerty Apr 16 '11 at 13:18