Configuring User Rights Assignment policies via GPO

jshizzle

1/14/23, 1:47 PM

I'm configuring a GPO to add a local group to a user right policy, however, when configuring through GPO, all existing members of the right are removed on GPO application. You can obviously add all the users to the GPO to make sure these are retained but when the user is only local to the remote server e.g. NT SERVICE\SQLSERVERAGENT, this can't be added to the GPO from the DC which simply doesn't recognise it.

Am I right in assuming it's a case of using GPO when the user right should only contain domain accounts/groups, built-in users/groups but if additional user types need to be added then manual addition should be used instead?

Shame if it's the latter. Could do with being able to configure this via GPP like you can with local users/groups and having the option to retain the existing members which would address this initial observation

Cheers Jamie

205

0 + 0

group-policy

Score:3

Server

yagmoth555

1/14/23, 2:00 PM

In such specific case, please open the group policy's console from the SQL server itselft, you will need to install the RSAT tool. The options are different as it will detect your local user from it, and will allows you to select it when you edit the GPO.

Be adviced the GPO will not apply correctly on server where that local user don't exist.

0 + 0

jshizzle

1/14/23, 4:39 PM

I did wonder if this was the way to do it but didn't fancy installing RSAT tools on a server, especially in an environment that has a lot of security tools monitoring changes, just to be able to add the local users. This still doesn't address the unwanted removal of existing users/groups when applying the GPO but guess that's just the way user rights policy configuration works. Definitely something that could do with some improvement in my opinion.

yagmoth555

1/14/23, 5:52 PM

@jshizzle I agree the unwanted removal is a headache, but from another perspective it do make sure that no one played with the local group, thus your GPO got the last word.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Configuring User Rights Assignment policies via GPO

TH: การกำหนดค่านโยบายการกำหนดสิทธิ์ของผู้ใช้ผ่าน GPO

RO: Configurarea politicilor de atribuire a drepturilor utilizatorului prin GPO

RU: Настройка политик назначения прав пользователей через GPO

VI: Định cấu hình chính sách Chuyển nhượng quyền người dùng qua GPO

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.