Group Policy Objects: Default Domain GPO and Default Domain Controller GPO

Posted on 2010-09-23
Medium Priority
Last Modified: 2013-11-25

I read up on improving the two GPOs due to RIM (Blackberry) requesting that I establish the BES account as a service and allow log on locally for the BES account too.  They mention not to have the BES account as a Domain Admin but I digress.  Anyway, I was about to place it at the "Default Domain Policy" as the guy was encouraging me to do so, then I thought, wtf am I doing.  So I have a time out of sorts to research where do I place the GPO and who should it apply to.  Also, what accounts should be included.  Anyway, I just opened Pandora's box, so all this is a bit too overwhelming and I would appreciate some baby steps in resolving this issue of what exactly goes into the "log on as a service" and "log on locally" and where should it be applied?  I guess I'm worried of breaking something if the accounts are applied and the servers require some other account. Attached are some pics as I am very much a visual person.
Question by:snoopaloop
Accepted Solution

thiagotietze earned 668 total points
ID: 33748650
What are the main requirements for the BES service account? I think it just needs to be a local administrator for the BES server.

In my point of view, it is much better for you to create a new OU, called "Service Accounts" for example, and give them the necessary rights (logon as service and logon locally) in a brand new GPO.
You can use this OU to store service accounts (like Backup service accounts, or something like that, for example...), and keep your AD clean.
LVL 43

Assisted Solution

by:Adam Brown
Adam Brown earned 1332 total points
ID: 33748653
I wrote an article that could give you a bit of information on this. Here: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/A_3360-Understanding-User-Rights-Assignment-How-to-lock-down-or-unlock-your-user%27s-actions.html

Basically, the account that you are going to be using to administer the BES software with is the one that needs the Log on Locally right. The account that you use to run the services with will need the Log on as a service right. However you choose to handle it, I would recommend *against* making changes to the Default Domain Controllers and Default Domain policies. Create a new GPO and set the user rights configuration in it, then link it to the Domain Controllers OU.

Going a little more in depth, any time you configure a User Rights assignment in a GPO, especially the Log on as XXX rights, you should link that GPO to the Domain Controllers OU. Also, if you plan to log on to the BES server through Remote Desktop, you'll want to add the Log on through terminal services right for the besadmin account.

Author Comment

ID: 33774948
A Service Accounts OU sounds appealing.  Though, I'm still struggling with the whole concept.  Blackberry references http://www.blackberry.com/btsc/documentLink.do?externalID=KB02276 to login Besadmin locally.  Why would you do that?  Shouldn't service accounts be strictly service?  I also viewed various networks to see who is exactly provided login locally through GPO.   I viewed a very small business practice w/ built-in accounts set to log on locally while an enterprise setup has a hybrid situation of domain and built-in accounts that appear to be, for the most part, all service accounts.  I guess I'm really struggling with who qualifies to be added to log on locally?  I will read your article again and any resource material I have laying around. As of right now, with what I referenced, it just doesn't make any sense
LVL 43

Assisted Solution

by:Adam Brown
Adam Brown earned 1332 total points
ID: 33775549
BES recommends giving it the Log on Locally right because they want you to be able to log in to the server with that account for administrative purposes. It isn't 100% necessary, but it's very handy to have that ability. Adding the Besadmin account to the Local Administrators group will actually cause the account to gain that right automatically, because the Local Admin group has the right to log in locally assigned to it already. Since it sounds like the account is going to be performing double duty, that is, logging on as a service and as an administrative account, you'll want to set it up so it has the Log on as a service right as well as adding it to the local administrator's group. The reason for adding it as a local administrator is primarily so the services have the file access they need to operate properly.
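Before and after changing a GPO like the one discussed in the answers above, it is worth checking who actually ends up holding the three logon rights on the BES member server, so that the change can be verified and nothing is broken by accident. The following PowerShell script is an added example and is not from the thread, from Experts Exchange or from RIM/BlackBerry. It exports the effective local security policy with `secedit.exe`, parses the `[Privilege Rights]` section and translates SIDs to names. The account name `besadmin` is the one used in the thread; the domain prefix `CONTOSO` is a placeholder to replace with your own.

```powershell
# Added example (not from the thread or from RIM/BlackBerry). Run from an
# elevated PowerShell prompt on the BES member server. It reports which
# principals hold the logon rights discussed above, as the server currently
# sees them (local policy merged with every GPO applied to the computer).

# Placeholder: replace with the real domain\account of the BES service account.
$ServiceAccount = 'CONTOSO\besadmin'

# Privilege constants as they appear in the exported policy file,
# mapped to the names shown in the Group Policy editor.
$Rights = @{
    'SeServiceLogonRight'           = 'Log on as a service'
    'SeInteractiveLogonRight'       = 'Allow log on locally'
    'SeRemoteInteractiveLogonRight' = 'Allow log on through Remote Desktop Services'
}

$cfg = Join-Path $env:TEMP 'secpol-export.inf'

# Export only the user-rights area of the effective security policy.
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed; run from an elevated prompt.' }

function Resolve-Principal {
    param([string]$Token)
    # Entries prefixed with '*' are SIDs; translate them to DOMAIN\Name when possible.
    if ($Token.StartsWith('*')) {
        $raw = $Token.TrimStart('*')
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($raw)
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            return $raw   # unresolvable (e.g. orphaned) SID; keep it visible
        }
    }
    return $Token
}

# Lines in the [Privilege Rights] section look like:
#   SeServiceLogonRight = *S-1-5-80-0,CONTOSO\besadmin
$report = foreach ($line in (Get-Content $cfg | Where-Object { $_ -match '^Se\w+\s*=' })) {
    $name, $value = $line -split '\s*=\s*', 2
    if (-not $Rights.ContainsKey($name)) { continue }

    $holders = @()
    if ($value) {
        $holders = $value -split ',' | ForEach-Object { Resolve-Principal $_.Trim() }
    }

    [PSCustomObject]@{
        Right          = $Rights[$name]
        Holders        = ($holders -join '; ')
        # Direct assignment only: membership in a listed group such as
        # BUILTIN\Administrators (S-1-5-32-544) is not expanded here.
        ServiceAccount = [bool]($holders -contains $ServiceAccount)
    }
}

Remove-Item $cfg -ErrorAction SilentlyContinue

$report | Format-Table -AutoSize
```

Running this once before linking the new GPO and once after `gpupdate /force` shows exactly which right each change added. If the service account shows up under "Allow log on locally" only through the `BUILTIN\Administrators` entry, that is the behaviour the answer above describes: local administrators already hold that right, so the group membership grants it without a separate assignment.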

Author Comment

ID: 33784779
Thanks!  I just applied the settings log on locally and log on as a service on the BES member server itself.  I will start re-evaluating though how we apply these GPOs in the future.

Author Closing Comment

ID: 33784894
