Log on as Batch on Domain Controllers via Policy

Today I ran into an interesting problem regarding Windows 2008 and the long-running “Time Sync” issue due to running multiple domain controllers on virtual machines. (As far as I can tell this slowly de-syncs the clocks somehow between the host and client machine even if you disable the Time Sync in Hyper-V and also disable the service on the machines themselves.)

Running on this experience I began to implement Neutron 1.07 (visit http://www.keir.net for this and many other tools) to simply brute-force the time into submission every hour.

However, it turns out Domain Controllers did not pick up on the usual policies which allowed my account to log on as a batch job. After some searching and GPO Modeling I discovered that, despite using even the “Enforce” option, it would not load the settings from the alternate policy; the Default Domain Controller Policy simply kept overwriting the results.

The answer of course was to simply mod this as well. Quick fix but hardly documented so worth sharing.
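
To confirm on the domain controller itself which accounts actually ended up with "Log on as a batch job" after policy refresh, the effective user rights can be exported and checked. This is an added example, not part of the original post; the account name `CONTOSO\svc-timesync` and the file names are placeholders chosen for illustration.

```powershell
# Added example: verify who effectively holds SeBatchLogonRight on this DC.
# Run from an elevated PowerShell prompt on the domain controller.
$account = 'CONTOSO\svc-timesync'            # hypothetical account; replace with your own
$cfg     = Join-Path $env:TEMP 'user_rights.inf'
$report  = Join-Path $env:TEMP 'gpresult.html'

# Export only the user-rights area of the effective security policy.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }

# The INF line looks like: SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551
$line = Get-Content $cfg |
    Where-Object { $_ -match '^\s*SeBatchLogonRight\s*=' } |
    Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

$holders = @()
if ($line) {
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # Entries prefixed with * are SIDs; resolve them to account names.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try   { $holders += $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $holders += $sid.Value }   # unresolvable SID, keep it as-is
        } elseif ($entry) {
            $holders += $entry                 # already written as a name
        }
    }
}

"Accounts holding 'Log on as a batch job':"
$holders | Sort-Object | ForEach-Object { "  $_" }

if ($holders -contains $account) {
    "$account has the right on this machine."
} else {
    "$account does NOT have the right; check which GPO wins for this setting."
    # Write a Resultant Set of Policy report; it lists the winning GPO per setting.
    gpresult /scope computer /h $report /f
    "RSoP report written to $report"
}
```

The direct match only covers accounts listed by name; an account that receives the right through group membership shows up as the group, so compare against the listed groups as well.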

