DavidOverton.com
This site is my way to share my views and general business and IT information with you about Microsoft, IT solutions for ISVs, technologists and businesses, large and small.  
Enabling Log on as a Service for a local user

I came across a situation on our network where we needed to give a local user the right to "Log on as a Service" on one of our servers. This was to support a LOB application that we run on a server here in our office. The problem I had was that for both the "Log on as a service" and the "Log on as a Batch job" the "Add User or Group" button was greyed out. This is because our SBS 2003 box has a Domain Group Policy which sets the rights to these services at a Domain level and stops any changes being made elsewhere.

To get around this I did the following:

1) Log on to the server in question as Domain Administrator. Open up the Active Directory Users & Computers (ADUC) snap-in.
2) Right click on the Domain and choose Properties. Click on the Group Policy tab and open the group policies. You have to do this unless you install the GPMC on the server.
3) Create a new Group Policy and name it something appropriate.
4) Navigate to Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment
5) Double click on the item you want to alter and click on Add User or Group.
6) Click on Browse and change the "From this location" entry to the local machine (if you don't do this you only see domain users).
7) Enter the username (or click the Advanced button - I'm not going into how to use that here).
8) Click OK a few times until you see the local username in the Properties box.

Now you need to set this GPO so that it only applies to the machine in question. You can do this through permissions, but I decided to do it via a WMI Filter.

1) On your DC with the GPMC installed right-click on the WMI Filter item and choose New.
2) Give it a meaningful name and description and click on Add.
3) You don't need to change the namespace.

Type in the following (or copy and paste if you prefer) into the Query box:

SELECT * FROM Win32_ComputerSystem WHERE Name = '<computername>'

Change <computername> to the name of the server you want the GPO to act upon.

4) Click OK a few times.

Now you need to apply this filter to the GPO created above:

1) In the GPMC right-click on the GPO and choose Edit.
2) Right-click on the GPO name at the top of the MMC left-hand column and choose Properties
3) Click on the WMI Filter tab and then click on This Filter and then on Browse / Manage
4) Choose the WMI Filter you created above and then click OK a few times.

I also found that I needed to set the GPO to be Enforced (right-click on it in the GPMC and check Enforced) and to run a GPUPDATE /force on the server. This also required a reboot of the server.
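Two things are worth checking once the GPO has been applied, and the following PowerShell, which is an added example and not part of the original post, does both on the target server. First, the WMI filter is only evaluated against Win32_ComputerSystem.Name, which is the NetBIOS computer name, so a fully qualified name in the query never matches and the GPO silently does not apply. Second, User Rights Assignment settings in a GPO replace the whole list rather than adding to it, so the enforced GPO must list every account that needs "Log on as a service" on that server (the built-in service accounts and anything the domain policy already granted) or those services stop starting. The server name SERVER01 and the account lobsvc are placeholders.

```powershell
# Added example, not part of the original post: run on the target server after
# GPUPDATE /force to confirm (a) the WMI filter query selects this machine and
# (b) the local account now holds SeServiceLogonRight ("Log on as a service").
# SERVER01 and lobsvc are placeholder values; replace them with your own.
$ExpectedComputer = 'SERVER01'
$LocalUser        = 'lobsvc'

# (a) Evaluate the exact WQL used in the WMI filter. Win32_ComputerSystem.Name is
#     the NetBIOS computer name, so a FQDN here would never match.
$query = "SELECT * FROM Win32_ComputerSystem WHERE Name = '$ExpectedComputer'"
$hit = Get-WmiObject -Query $query
if ($hit) {
    Write-Output "WMI filter matches: $($hit.Name)"
} else {
    Write-Output "WMI filter does NOT match this machine ($env:COMPUTERNAME); the GPO will be skipped here"
}

# (b) Export the effective User Rights Assignment with secedit and look for the
#     account's SID in the SeServiceLogonRight line (secedit lists SIDs with a '*' prefix).
$account = New-Object System.Security.Principal.NTAccount("$env:COMPUTERNAME\$LocalUser")
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight' }
Remove-Item $cfg -ErrorAction SilentlyContinue

if ($line -and ($line -match [regex]::Escape("*$sid"))) {
    Write-Output "OK: $LocalUser ($sid) has Log on as a service"
} else {
    Write-Output "MISSING: $LocalUser is not in SeServiceLogonRight -> $line"
}

# Which GPOs actually applied to the computer (confirms the enforced GPO won):
gpresult /scope computer /v | Select-String 'Applied Group Policy Objects' -Context 0,5
```

The SeServiceLogonRight line in the export shows the complete list the server ended up with, so it is also the place to confirm that nothing the domain policy used to grant has been dropped. Keeping the account a plain local user with only this one right, rather than making it a local administrator to get the service running, is the least-privilege way to support the LOB application.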

Trust this is of some help to someone.


Posted Sat, Feb 17 2007 5:48 PM by Ian Watkins

(c)David Overton 2006-23