Solved

Group Policy Objects: Default Domain GPO and Default Domain Controller GPO

Posted on 2010-09-23
6
562 Views
Last Modified: 2013-11-25
http://searchwindowsserver.techtarget.com/tip/0,289483,sid68_gci960369_mem1,00.html
http://searchwinit.techtarget.com/tip/0,289483,sid1_gci959361_mem1,00.html

I read up on improving the two GPOs due to RIM (Blackberry) requesting that I establish the BES account as a service and allow log on locally for the BES account too.  They mention not to have the BES account as a Domain Admin but I digress.  Anyway, I was about to place at the "Default Domain Policy" as the guy was encouraging me to do so then I thought wtf I'm doing.  So I have a time out of sorts to research where do I place the GPO and who should it apply to.  Also, what accounts should be included.  Anyway, I just opened pandora's so all this is a bit too overwhelming and I would appreciate some baby steps in resolving this issue of what exactly goes into the "log on as a service" and "log on locally" and where should it be applied?  I guess I'm worried of breaking something if the accounts are applied and the servers require some other account. Attached are some pics as I am very much a visual person.
EE1.jpg
EE2.jpg
0
Comment
Question by:snoopaloop
  • 3
  • 2
6 Comments
 
LVL 6

Accepted Solution

by:
thiagotietze earned 167 total points
ID: 33748650
What are the main requirements for the BES service account? I think it just needs to be an local administrator for the BES server.

In my point of view, it is very better for you to create a new OU, called "Service Accounts" for example, and give them the necessary rights (logon as service and logon locally) in a new brand GPO.
You can use this OU to store service accounts (like Backup service accounts, os something like that, for example...), and keeps your AD clean.
0
 
LVL 39

Assisted Solution

by:Adam Brown
Adam Brown earned 333 total points
ID: 33748653
I wrote an article that could give you a bit of information on this. Here: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/A_3360-Understanding-User-Rights-Assignment-How-to-lock-down-or-unlock-your-user%27s-actions.html

Basically, the account that you are going to be using to administer the BES software with is the one that needs the Log on Locally right. The account that you use to run the services with will need the Log on as a service right. However you choose to handle it, I would recommend *against* making changes to the Default Domain Controllers and Default Domain policies. Create a new GPO and set the user rights configuration in it, then link it to the Domain Controllers OU.

Going a little more in depth, any time you configure a User Rights assignment in a GPO, especially the Log on as XXX rights, you should link that GPO to the Domain Controllers OU. Also, if you plan to log on to the BES server through Remote Desktop, you'll want to add the Log on through terminal services right for the besadmin account.
0
 
LVL 1

Author Comment

by:snoopaloop
ID: 33774948
A service Accounts OU sounds appealing.  Though, I'm still struggling w the whole concept..  Blackberry references http://www.blackberry.com/btsc/documentLink.do?externalID=KB02276 to login Besadmin locally.  Why would you do that?  Shouldn't service accounts be strictly service?  I also viewed various networks to see who is exactly provided login locally through GPO.   I viewed a very small business practice w/ built accounts set to log on locally while an enterprise setup has a hybrid situation of domain and builtin accounts that appear to for the most part all service accounts.  I guess I'm really struggling who qualifies to be added to log locally?  I will read your article again and any resource material I have laying around. As of right now,with what I referenced, it just doesn't make any sense
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 39

Assisted Solution

by:Adam Brown
Adam Brown earned 333 total points
ID: 33775549
BES recommends giving it the Log on Locally right because they want you to be able to log in to the server with that account for administrative purposes. It isn't 100% necessary, but it's very handy to have that ability. Adding the Besadmin account to the Local Administrators group will actually cause the account to gain that right automatically, because the Local Admin group has the right to log in locally assigned to it already. Since it sounds like the account is going to be performing double duty, that is, logging on as a service and as an administrative account, You'll want to set it up so it has to Log on as a service right as well as adding it to the local administrator's group. The reason for adding it as a local administrator is primarily so the services have the file access they need to operate properly.
0
 
LVL 1

Author Comment

by:snoopaloop
ID: 33784779
Thanks!  I just applied the settings log on locally and log on as a service on the BES member server itself.  I will start re-evaluating though how we apply these GPO in the future.
0
 
LVL 1

Author Closing Comment

by:snoopaloop
ID: 33784894
nope
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question