Have you checked your eventvwr logs? Do you have other Domain Controllers (DCs) in this domain? Which one is the Global Catalog (GC) FSMO? Try running dcdiag.exe and check the output for problems, especially with the SYSVOL and/or replication with other DCs.
THIS CAN BE DANGEROUS: If this is not the only DC in the directory, and the event logs don't reveal anything, try making a copy of sysvol\domain\policies and placing it elsewhere on the hard drive of the server. Make sure you do this during off hours and make sure you perform a complete AD backup using:
ntbackup.exe backup systemstate /J "pre-delete-ad-backup" /F "c:\adbackups\ForestBackup.bkf" /V:yes /M normal
Copy the ForestBackup.bkf off of the server after the backup is complete.
After you create the backup and copy it elsewhere, delete the sysvol\domain\policies directory. Then force a replication with another DC in the Directory using replmon.exe.
Check the FRS eventlog and see if you get messages about a successful sysvol replication. Keep in mind that until Sysvol is completely restored, your server will not be able to act as a DC, so make sure that another DC is available to your clients...
Members of local built-in groups (as well as domain groups) have whatever rights are assigned to the group. The default rights on a server for local built-in groups are set in the local security settings. To access the local security settings, click Start, type secpol.msc and hit enter. In the Local Security Policy editor, expand Local Policies, and click on User Rights Assignment. There you will see what groups/users are granted which rights.
The local User Rights Assignment settings can be overridden by domain group policy. If you create a domain group policy that grants certain groups/users a certain right, such as "Logon as a batch job", this will override the local policy for which users have that right.
From what you have written, here is what I am guessing happened:
You had a GPO in your domain that granted certain users the rights that you mentioned. This policy did not grant these rights to the local machine Backup Operators group. This policy overwrote the default policy on the server. Thus, adding the user to the Backup Operators group did not give them those rights because, due to the Domain GPO, the Backup Operators do not have them.
As to whether or not the vendor's solution is a good idea:
I have found that it is usually easier to manage rights by using well-organized groups rather than granting them to individual accounts. This way, when you add a new user, you add the user to the logical groups to which he belongs, and he will immediately have all of the rights he needs rather than having to assign him each right one-by-one. That is what the Built-in groups were intended to do.
Instead of granting those three rights to an individual user, you could have granted the "Backup Operators" group those three rights in the GPO. Then adding the user to that group would have the intended effect.
I am curious why you would have a domain policy managing those rights in the first place. If the purpose was to grant certain users access to perform backup operations, it might have been a better idea to use the domain built-in Backup Operators group.
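To check this diagnosis on a server, export the user-rights area with secedit and look up which accounts hold each right. The PowerShell below is an added example, not part of the original answer; the sample export, the CONTOSO\svc-backup account and the choice of rights to check are constructed assumptions.

```powershell
# Constructed sample of a file produced by:
#   secedit /export /cfg C:\temp\rights.inf /areas USER_RIGHTS
# On a real server use: $export = Get-Content C:\temp\rights.inf
$export = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeBatchLogonRight = *S-1-5-32-544,CONTOSO\svc-backup
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

function Get-UserRightHolders {
    # Returns a hashtable: right name -> array of SIDs/account names holding it.
    param([string[]]$Lines)
    $rights = @{}
    $inSection = $false
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Only entries under [Privilege Rights] are user rights.
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
            $name, $value = $Matches[1], $Matches[2]
            # SIDs are written with a leading '*'; strip it for comparison.
            $rights[$name] = @($value -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return $rights
}

$backupOperators = 'S-1-5-32-551'   # well-known SID of built-in Backup Operators
# Rights to check are an assumption; list the ones your backup software needs.
$rightsToCheck = 'SeBackupPrivilege', 'SeRestorePrivilege', 'SeBatchLogonRight'

$rights = Get-UserRightHolders -Lines $export
foreach ($right in $rightsToCheck) {
    $holders = @($rights[$right])
    [pscustomobject]@{
        Right           = $right
        BackupOperators = $holders -contains $backupOperators
        Holders         = $holders -join ', '
    }
}
```

In the constructed sample, SeBatchLogonRight reports BackupOperators as False, which is the situation the answer describes: group membership cannot confer a right the group itself was not granted.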
Best Answer
Security groups are a group of objects in Active Directory, be it computer objects or users or other security groups. They don't do anything but aggregate objects into a single object, as you would expect anything named "Group" to do.
You can then use a Security Group to set file permissions, for example, which saves you having to define every single user individually everywhere you want them to have access, but there are a lot of other uses for Security Groups.
Group Policies, on the other hand, are common settings you want to apply to machines in your environment based upon different factors; for example, you might want to apply printer settings for all users in an office.
You can also combine a Group Policy with a Security Group by defining, for example, that users belonging to Security_Group_X should have Group_Policy Printer_Settings_Office_X applied to them.
Before you go implementing a lot of either, it's advantageous to come up with a naming scheme for them. Some environments like to name all their group policy objects starting with GPO_ and all their Security Groups with ACL_, others use # at the start of Security Group names. It doesn't really matter what you use, as long as there's some sort of system.