    When installing for example IIS on a server that is a member of a domain, it
    appears there is no way to modify the default installation behavior of
    creating two local users used by IIS - one for the ASP.NET worker process et
    al. and one for Anonymous access.

    These users need some user rights.

    Problem is: Since the server is a domain member, the default domain policy
    is applied and this is locked down to only allow certain groups for instance
    the 'log on locally' right. The local IIS user created now no longer has this
    user right, since the local policy is overridden by the domain policy.

    Just what is the recommended way to handle this situation?

    Yes, it's possible in a roundabout way to actually enter the local account
    in the group policy editor on the domain controller, but that is clumsy and
    obviously not meant to be, since you can't browse the local user/group
    database from the domain controller.

    What I would like to do is to create a global group for the purpose, and
    then have this global group grant one or more machine\local groups membership
    - but this is apparently not possible.

    Another, even less tasty solution, is to change the way IIS runs and let it
    use domain user accounts instead, but there are a whole bunch of caveats down
    that road that I do not want to handle.

    I have searched but not found any conclusive answer on what best practices
    say in this case, but I can't see that this is an unusual situation. If I've
    just missed the obvious, please post a link.

    How is this situation handled in the best way?
    Svante, Dec 21, 2004
