• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 578
  • Last Modified:

Group Policy permissions for Windows System Services

I am trying to use an Active Directory GPO to restrict the ability for users to stop a Windows System service.   The Windows service currently runs under the LOCAL SYSTEM account. In the GPO setting for the service under the Security configuration I have allowed the SYSTEM builtin group account Full permissions and INTERACTIVE builtin group account Read permissions.  The service is set to "Automatic" startup.  However, now the service no longer starts on the users' computers and if they try to start the service they receive an "Access Denied" error message, which is expected since I've removed their ability to start or stop the service themselves.  However, I still need the service to start automatically under the Local System account.   What permissions am I missing from the GPO?
0
AManoux
Asked:
AManoux
  • 2
1 Solution
 
AwinishCommented:
System,administrator,network services,interactive should have full acces.
Everyone read.
0
 
AManouxAuthor Commented:
Thanks.  Looks like all permissions you listed were correct except Interactive.  If you set it to Full Access then the logged in user has permissions to stop the service.  Changed Interactive to just have Read permissions.
0
 
AManouxAuthor Commented:
Answer partially correct.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now