Group Policy Objects: Default Domain GPO and Default Domain Controller GPO

Posted on 2010-09-23
Last Modified: 2013-11-25
http://searchwindowsserver.techtarget.com/tip/0,289483,sid68_gci960369_mem1,00.html
http://searchwinit.techtarget.com/tip/0,289483,sid1_gci959361_mem1,00.html

I read up on improving the two GPOs due to RIM (Blackberry) requesting that I establish the BES account as a service and allow log on locally for the BES account too. They mention not to have the BES account as a Domain Admin, but I digress. Anyway, I was about to place it in the "Default Domain Policy" as the guy was encouraging me to do, then I thought, wtf am I doing? So I have taken a time out of sorts to research where I place the GPO and who it should apply to. Also, what accounts should be included. Anyway, I just opened Pandora's box, so all this is a bit too overwhelming and I would appreciate some baby steps in resolving this issue of what exactly goes into "log on as a service" and "log on locally" and where it should be applied. I guess I'm worried about breaking something if the accounts are applied and the servers require some other account. Attached are some pics as I am very much a visual person.
Attachments: EE1.jpg, EE2.jpg
Question by:snoopaloop
Accepted Solution by thiagotietze (ID: 33748650)
What are the main requirements for the BES service account? I think it just needs to be a local administrator for the BES server.

In my point of view, it is much better for you to create a new OU, called "Service Accounts" for example, and give them the necessary rights (log on as a service and log on locally) in a brand new GPO.
You can use this OU to store service accounts (like backup service accounts, or something like that, for example...) and keep your AD clean.
Assisted Solution by Adam Brown (ID: 33748653)
I wrote an article that could give you a bit of information on this. Here: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/A_3360-Understanding-User-Rights-Assignment-How-to-lock-down-or-unlock-your-user%27s-actions.html

Basically, the account that you are going to be using to administer the BES software with is the one that needs the Log on Locally right. The account that you use to run the services with will need the Log on as a service right. However you choose to handle it, I would recommend *against* making changes to the Default Domain Controllers and Default Domain policies. Create a new GPO and set the user rights configuration in it, then link it to the Domain Controllers OU.

Going a little more in depth, any time you configure a User Rights assignment in a GPO, especially the Log on as XXX rights, you should link that GPO to the Domain Controllers OU. Also, if you plan to log on to the BES server through Remote Desktop, you'll want to add the Log on through terminal services right for the besadmin account.
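The answer above recommends a separate GPO for the user rights and linking it where the BES server will pick it up. Before and after that GPO applies, it helps to see who actually holds the "Log on as a service" and "Allow log on locally" rights on the BES member server. The following PowerShell is an added example, not code from this thread or from RIM; it assumes it is run as a local administrator on that server, and the account name in $serviceAccount is a placeholder.

```powershell
# Added audit script (not from this thread). Exports the effective local security policy
# with secedit.exe and lists who holds the "Log on as a service" and "Allow log on locally"
# rights on this server, so the effect of a new GPO can be checked before and after gpupdate.
# Assumes: run as a local administrator on the BES member server.
# $serviceAccount is a placeholder; replace it with your own service account.

$serviceAccount = 'CONTOSO\besadmin'   # placeholder, not from the thread
$infPath = Join-Path $env:TEMP 'userrights-export.inf'

# secedit writes the privilege constant names (SeServiceLogonRight), not the GPO editor's display names
secedit.exe /export /cfg $infPath /areas USER_RIGHTS | Out-Null

$rights = [ordered]@{
    'SeServiceLogonRight'           = 'Log on as a service'
    'SeInteractiveLogonRight'       = 'Allow log on locally'
    'SeRemoteInteractiveLogonRight' = 'Allow log on through Remote Desktop Services'
}

$lines = Get-Content -Path $infPath
foreach ($constant in $rights.Keys) {
    $entry = $lines | Where-Object { $_ -match "^$constant\s*=" } | Select-Object -First 1
    if (-not $entry) {
        Write-Output ("{0}: not assigned to anyone" -f $rights[$constant])
        continue
    }
    # Values are comma-separated; SIDs are prefixed with '*', account names appear as-is
    $principals = foreach ($token in ($entry -split '=', 2)[1].Trim() -split ',') {
        $token = $token.Trim()
        if ($token.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($token.TrimStart('*'))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $token }   # unresolvable SID (e.g. a deleted account): keep the raw SID
        } else { $token }
    }
    Write-Output ("{0}: {1}" -f $rights[$constant], ($principals -join ', '))
    if ($principals -contains $serviceAccount) {
        Write-Output ("  -> {0} holds this right" -f $serviceAccount)
    }
}
Remove-Item -Path $infPath -ErrorAction SilentlyContinue
```

An orphaned SID in the output (one that fails to resolve) usually means a deleted account still listed in the policy, which is worth cleaning out of the GPO.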
Author Comment by snoopaloop (ID: 33774948)
A Service Accounts OU sounds appealing. Though, I'm still struggling with the whole concept. Blackberry references http://www.blackberry.com/btsc/documentLink.do?externalID=KB02276 to log in Besadmin locally. Why would you do that? Shouldn't service accounts be strictly service? I also viewed various networks to see who exactly is provided log on locally through GPO. I viewed a very small business practice with built-in accounts set to log on locally, while an enterprise setup has a hybrid situation of domain and built-in accounts that appear to be, for the most part, all service accounts. I guess I'm really struggling with who qualifies to be added to log on locally. I will read your article again and any resource material I have laying around. As of right now, with what I referenced, it just doesn't make any sense.
Assisted Solution by Adam Brown (ID: 33775549)
BES recommends giving it the Log on Locally right because they want you to be able to log in to the server with that account for administrative purposes. It isn't 100% necessary, but it's very handy to have that ability. Adding the Besadmin account to the local Administrators group will actually cause the account to gain that right automatically, because the local Administrators group has the right to log on locally assigned to it already. Since it sounds like the account is going to be performing double duty, that is, logging on as a service and as an administrative account, you'll want to set it up so it has the Log on as a service right as well as adding it to the local Administrators group. The reason for adding it as a local administrator is primarily so the services have the file access they need to operate properly.
Author Comment by snoopaloop (ID: 33784779)
Thanks! I just applied the settings log on locally and log on as a service on the BES member server itself. I will start re-evaluating, though, how we apply these GPOs in the future.
Author Closing Comment by snoopaloop (ID: 33784894)
nope