Good day,
I have a Windows Server 2008 Standard Service Pack 2.
I want to create a user that will have the minimum rights and will only be able to login in the server and shut it down in case of a power failure, so that it will not continue running on the UPS power.
I searched through the default list of groups to choose which one to make him a member of, but none of them seem to have limited enough rights. Even backup operators can run some applications in the server control panel, accessories, as well as view the Hard disk & partitions, which is something I do not want.
So how do I edit the rights of that specific user?
I searched though here:
Start:
gpedit.msc
Local Group Policy Editor
User Configuration
Administrative templates
System
User Profiles
But I did not find where I could edit that specific user's rights.
Please any help will be highly appreciated.
Thanks in advance
win server 2008 user policies rights...
win server 2008 user policies rights...
Saint Dragon - AMIGA - Jaleco 1989
"In the first battle against the Guardian's weapons, created with Vasteel Technology, humanity suffered a crushing defeat."
Thunder Force V
"In the first battle against the Guardian's weapons, created with Vasteel Technology, humanity suffered a crushing defeat."
Thunder Force V
Re: win server 2008 user policies rights...
This is going to be a domain user right? Leave him a member of that group and manually edit his permissions. You can do that on the security tab under his properties in AD. If the tab isn't visible you'll want to select advanced features from under the view menu. Depending on how thorough you want to be in assigning permissions you may need to then go into the advanced permission options.
You can also assign additional permissions locally on the server by looking under user rights assignment in secpol.msc. I believe he'll need to be added to "Shut down the system" as Domain Users shouldn't have rights to do so.
Full disclosure: I don't generally admin Windows servers but i work with them regularly. Take what I say with a reasonable grain of salt.
You can also assign additional permissions locally on the server by looking under user rights assignment in secpol.msc. I believe he'll need to be added to "Shut down the system" as Domain Users shouldn't have rights to do so.
Full disclosure: I don't generally admin Windows servers but i work with them regularly. Take what I say with a reasonable grain of salt.
Look at our friendly members:
MX7 wrote:I'm not a fan of a racist, gun nut brony puking his odious and uninformed arguments over every thread that comes up.
Drum wrote:He's also a pederast. Presumably.
Re: win server 2008 user policies rights...
Yes this is going to be a domain user indeed.
Thank you so much for telling me about the advanced features from under the view menu, as I could not find the Security tag until now!
OK, so.
I typed secpol.msc in Start -> Local Security Policies -> Local Policies -> User Rights Assignment
But when I try to add the user in the "shut down the system", the "Add User or Group" & "Remove"buttons are grayed out.
In fact they're disabled in most of the available rights of the list!
Something like this:
Here it gives a solution:
http://www.chicagotech.net/Security/gpgrayedout.htm
http://www.chicagotech.net/netforums/vi ... f=4&t=6205
"Cause: the domain group policy or other policy override the local policy.
Resolution: Modify the domain policy or the policy which overrides the local policy."
"You need to either set the domain policy to "not configured" to change the "allow log on locally" on the machines or you just change the domain policy in question."
But I have not been able to find and do this so far.
How and where do I do this exactly, as I might need in the future to add other users in the rights...
Please do excuse my ignorance in this specific matter...
Thanks in advance.
Thank you so much for telling me about the advanced features from under the view menu, as I could not find the Security tag until now!
OK, so.
I typed secpol.msc in Start -> Local Security Policies -> Local Policies -> User Rights Assignment
But when I try to add the user in the "shut down the system", the "Add User or Group" & "Remove"buttons are grayed out.
In fact they're disabled in most of the available rights of the list!
Something like this:
Here it gives a solution:
http://www.chicagotech.net/Security/gpgrayedout.htm
http://www.chicagotech.net/netforums/vi ... f=4&t=6205
"Cause: the domain group policy or other policy override the local policy.
Resolution: Modify the domain policy or the policy which overrides the local policy."
"You need to either set the domain policy to "not configured" to change the "allow log on locally" on the machines or you just change the domain policy in question."
But I have not been able to find and do this so far.
How and where do I do this exactly, as I might need in the future to add other users in the rights...
Please do excuse my ignorance in this specific matter...
Thanks in advance.
Saint Dragon - AMIGA - Jaleco 1989
"In the first battle against the Guardian's weapons, created with Vasteel Technology, humanity suffered a crushing defeat."
Thunder Force V
"In the first battle against the Guardian's weapons, created with Vasteel Technology, humanity suffered a crushing defeat."
Thunder Force V
Re: win server 2008 user policies rights...
Yeah, they're locked out by the GPO. You'll need to make the changes with the Group Policy Management Console under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
Try checking out this document: http://technet.microsoft.com/en-us/libr ... 10%29.aspx
Try checking out this document: http://technet.microsoft.com/en-us/libr ... 10%29.aspx
Look at our friendly members:
MX7 wrote:I'm not a fan of a racist, gun nut brony puking his odious and uninformed arguments over every thread that comes up.
Drum wrote:He's also a pederast. Presumably.
Re: win server 2008 user policies rights...
I run the Group Policy Management Console from Start -> Administrative tools -> Group Policy Management
As well as running "gpmc.msc" in Run,
but this path: "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment"
Does not exist there!
Local group Policy Editor (gpedit.msc)
Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment"
And in:
Local Security Policy (secpol.msc)
Security Settings\Local Policies\User Rights Assignment
But in both the "Add User Group" & "Remove" are grayed out / disabled.
I have to note that I am logged into the Server as an Administrator.
So either that document is wrong, or I'm doing something totally wrong.
As well as running "gpmc.msc" in Run,
but this path: "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment"
Does not exist there!
Local group Policy Editor (gpedit.msc)
Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment"
And in:
Local Security Policy (secpol.msc)
Security Settings\Local Policies\User Rights Assignment
But in both the "Add User Group" & "Remove" are grayed out / disabled.
I have to note that I am logged into the Server as an Administrator.
So either that document is wrong, or I'm doing something totally wrong.
Saint Dragon - AMIGA - Jaleco 1989
"In the first battle against the Guardian's weapons, created with Vasteel Technology, humanity suffered a crushing defeat."
Thunder Force V
"In the first battle against the Guardian's weapons, created with Vasteel Technology, humanity suffered a crushing defeat."
Thunder Force V
Re: win server 2008 user policies rights...
Yeah I don't know at this point. I'm not very good with GPO. You could try looking for something under the Default Domain Policy or Default Domain Controller Policy. Otherwise it's googling time.
Look at our friendly members:
MX7 wrote:I'm not a fan of a racist, gun nut brony puking his odious and uninformed arguments over every thread that comes up.
Drum wrote:He's also a pederast. Presumably.