snoopaloop

asked on

Group Policy Objects: Default Domain GPO and Default Domain Controller GPO

http://searchwindowsserver.techtarget.com/tip/0,289483,sid68_gci960369_mem1,00.html
http://searchwinit.techtarget.com/tip/0,289483,sid1_gci959361_mem1,00.html

I read up on improving the two GPOs due to RIM (BlackBerry) requesting that I establish the BES account as a service and allow log on locally for the BES account too. They mention not to have the BES account as a Domain Admin, but I digress. Anyway, I was about to place it at the "Default Domain Policy", as the guy was encouraging me to do so, then I thought wtf am I doing. So I have a time-out of sorts to research where I place the GPO and who it should apply to. Also, what accounts should be included. Anyway, I just opened Pandora's box, so all this is a bit too overwhelming, and I would appreciate some baby steps in resolving this issue of what exactly goes into the "log on as a service" and "log on locally" settings, and where they should be applied. I guess I'm worried about breaking something if the accounts are applied and the servers require some other account. Attached are some pics, as I am very much a visual person.
EE1.jpg
EE2.jpg
ASKER CERTIFIED SOLUTION
thiagotietze
This solution is only available to members.
SOLUTION
Adam Brown
This solution is only available to members.
snoopaloop

ASKER

A Service Accounts OU sounds appealing. Though, I'm still struggling with the whole concept. BlackBerry references http://www.blackberry.com/btsc/documentLink.do?externalID=KB02276 to log in Besadmin locally. Why would you do that? Shouldn't service accounts be strictly service? I also viewed various networks to see who exactly is provided log on locally through GPO. I viewed a very small business practice with built-in accounts set to log on locally, while an enterprise setup has a hybrid situation of domain and built-in accounts that appear to be, for the most part, all service accounts. I guess I'm really struggling with who qualifies to be added to log on locally. I will read your article again and any resource material I have lying around. As of right now, with what I referenced, it just doesn't make any sense.
SOLUTION
This solution is only available to members.
Thanks! I just applied the settings log on locally and log on as a service on the BES member server itself. I will start re-evaluating, though, how we apply these GPOs in the future.