Group Policy Objects: Default Domain GPO and Default Domain Controller GPO

Posted on 2010-09-23
Last Modified: 2013-11-25

I read up on improving the two GPOs due to RIM (Blackberry) requesting that I establish the BES account as a service and allow log on locally for the BES account too. They mention not to have the BES account as a Domain Admin, but I digress. Anyway, I was about to place it in the "Default Domain Policy" as the guy was encouraging me to do, then I thought, wtf am I doing? So I have taken a time out of sorts to research where I should place the GPO and who it should apply to. Also, what accounts should be included. Anyway, I just opened Pandora's box, so all this is a bit too overwhelming and I would appreciate some baby steps in resolving this issue of what exactly goes into "log on as a service" and "log on locally" and where it should be applied. I guess I'm worried about breaking something if the accounts are applied and the servers require some other account. Attached are some pics as I am very much a visual person.
Question by: snoopaloop

Accepted Solution

thiagotietze earned 167 total points
ID: 33748650
What are the main requirements for the BES service account? I think it just needs to be a local administrator on the BES server.

In my point of view, it is much better for you to create a new OU, called "Service Accounts" for example, and give them the necessary rights (log on as a service and log on locally) in a brand new GPO.
You can use this OU to store service accounts (like backup service accounts, or something like that, for example...) and keep your AD clean.

Assisted Solution

by: Adam Brown
Adam Brown earned 333 total points
ID: 33748653
I wrote an article that could give you a bit of information on this. Here:

Basically, the account that you are going to use to administer the BES software is the one that needs the Log on Locally right. The account that you use to run the services will need the Log on as a service right. However you choose to handle it, I would recommend *against* making changes to the Default Domain Controllers and Default Domain policies. Create a new GPO and set the user rights configuration in it, then link it to the Domain Controllers OU.

Going a little more in depth, any time you configure a User Rights assignment in a GPO, especially the Log on as XXX rights, you should link that GPO to the Domain Controllers OU. Also, if you plan to log on to the BES server through Remote Desktop, you'll want to add the Log on through terminal services right for the besadmin account.

Author Comment

ID: 33774948
A Service Accounts OU sounds appealing. Though, I'm still struggling with the whole concept. Blackberry references logging in as Besadmin locally. Why would you do that? Shouldn't service accounts be strictly service? I also viewed various networks to see who is exactly provided log on locally through GPO. I viewed a very small business practice with built-in accounts set to log on locally, while an enterprise setup has a hybrid situation of domain and built-in accounts that appear, for the most part, to all be service accounts. I guess I'm really struggling with who qualifies to be added to log on locally? I will read your article again and any resource material I have lying around. As of right now, with what I referenced, it just doesn't make any sense.

Assisted Solution

by: Adam Brown
Adam Brown earned 333 total points
ID: 33775549
BES recommends giving it the Log on Locally right because they want you to be able to log in to the server with that account for administrative purposes. It isn't 100% necessary, but it's very handy to have that ability. Adding the Besadmin account to the local Administrators group will actually cause the account to gain that right automatically, because the local Administrators group already has the right to log on locally assigned to it. Since it sounds like the account is going to be performing double duty, that is, logging on as a service and as an administrative account, you'll want to set it up so it has the Log on as a service right as well as adding it to the local Administrators group. The reason for adding it as a local administrator is primarily so the services have the file access they need to operate properly.
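To see who actually holds the rights discussed in this thread on a given server after the GPO (or the local edit) has been applied, the following script exports the effective local security policy with secedit and resolves the principals listed for the three logon rights. This is an added example, not code from the thread, from RIM, or from any BES documentation; it assumes it is run in an elevated PowerShell session on the server being checked, and the export file name is arbitrary.

```powershell
# Added example: report who holds the logon-related user rights on this server.
# secedit exports the effective security database (local policy plus what the
# applied GPOs wrote into it) as an INF file with a [Privilege Rights] section.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'   # temporary file name (arbitrary)
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The rights discussed in the thread, keyed by their privilege constant names.
$rights = @{
    'SeInteractiveLogonRight'       = 'Allow log on locally'
    'SeServiceLogonRight'           = 'Log on as a service'
    'SeRemoteInteractiveLogonRight' = 'Allow log on through Remote Desktop Services'
}

function Resolve-PrincipalName {
    param([string]$Entry)
    # secedit writes SIDs prefixed with '*'; well-known names may appear as plain text.
    if ($Entry -notlike '*S-1-*') { return $Entry }
    try {
        $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
                          -ArgumentList $Entry.TrimStart('*')
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Entry   # unresolvable SID (e.g. a deleted account): show the raw value
    }
}

$report = foreach ($line in Get-Content $cfg) {
    # Lines look like: SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...-1105
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $constant = $Matches[1]
        $raw      = $Matches[2]
        if (-not $rights.ContainsKey($constant)) { continue }
        $holders = $raw -split ',' |
            Where-Object { $_.Trim() } |
            ForEach-Object { Resolve-PrincipalName $_.Trim() }
        [pscustomobject]@{
            Right      = $rights[$constant]
            Constant   = $constant
            Principals = ($holders -join '; ')
        }
    }
}

Remove-Item $cfg -ErrorAction SilentlyContinue
$report | Format-Table -AutoSize -Wrap
```

A right that no longer appears in the output has no holders at all on that machine, which is worth checking before and after linking a user rights GPO, since a GPO replaces the list rather than appending to it.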

Author Comment

ID: 33784779
Thanks! I just applied the settings log on locally and log on as a service on the BES member server itself. I will start re-evaluating how we apply these GPOs in the future, though.

Author Closing Comment

ID: 33784894
