Background:
My developers complained that they were no longer able to run IIS in their development environments and they very usefully tracked it down to the following issue:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;297519
Looking into it further it would appear that someone/something has altered the default domain group policy to add a single domain admin account to the Logon as a batch job right.
This obviously wiped out the default settings on all the workstations. We've yet to track down why it happened, but have at least identified how to remedy it.
Have tested on a single machine and indeed adding IWAM_MACHINENAME and IUSR_MACHINENAME to the Logon as a batch job right allows the developers to continue as previously.
Question:
I have no desire to go around and do this manually on all the machines in the company. Rather I am hoping that I can correct this in the same way it was perpetrated - via a group policy. My problem is, how do I add the accounts and replace the MACHINENAME part with the actual machine name when setting up the policy?
Update:
I've accepted Evan's answer below because it does resolve the specific problem I asked about. However I was being a bit of an idiot. Removing the bad policy actually caused all the original assignments to return after a GPUPDATE. I'd forgotten that rather than being wiped, they were overridden. This was the case and made the job a whole lot easier - all fixed!
Ick. Those accounts don't have well-known SIDs.
I'd say that your best bet is to grab the "NTRights.exe" utility (see http://support.microsoft.com/kb/315276) and write a script to run against the affected machines to add the necessary rights.
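
A sketch of the kind of script the answer describes, added here as an example and not written by the answer's author. It assumes `ntrights.exe` from the Resource Kit sits at the hypothetical path `C:\Tools\ntrights.exe`, that a hypothetical `machines.txt` lists one NetBIOS computer name per line, and that the caller is an administrator on each target.

```powershell
# Added example: grant "Log on as a batch job" to the per-machine IIS accounts.
# Assumptions: the ntrights.exe path and machines.txt are placeholders.
param(
    [string]$NtRights    = 'C:\Tools\ntrights.exe',
    [string]$MachineList = '.\machines.txt',
    [string]$Right       = 'SeBatchLogonRight'   # constant for "Log on as a batch job"
)

if (-not (Test-Path $NtRights))    { throw "ntrights.exe not found at $NtRights" }
if (-not (Test-Path $MachineList)) { throw "Machine list not found at $MachineList" }

$results = foreach ($line in Get-Content $MachineList) {
    $machine = $line.Trim().ToUpper()
    # Skip blank lines and '#' comment lines in the list
    if (-not $machine -or $machine.StartsWith('#')) { continue }

    # The account names embed the machine name: IUSR_<NAME> and IWAM_<NAME>
    foreach ($prefix in 'IUSR_', 'IWAM_') {
        $account = "$prefix$machine"

        # -u account, -m target machine, +r right to grant
        $output = & $NtRights -u $account -m "\\$machine" +r $Right 2>&1

        # Keep the raw output and exit code so failures can be reviewed per machine
        New-Object PSObject -Property @{
            Machine  = $machine
            Account  = $account
            ExitCode = $LASTEXITCODE
            Output   = ($output -join ' ')
        }
    }
}

$results | Format-Table Machine, Account, ExitCode, Output -AutoSize
```

As the update to the question shows, a domain policy that defines this right overrides the local assignment, so the offending GPO setting has to be removed or the grants made here will not take effect.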