Group Policy Objects: Default Domain GPO and Default Domain Controller GPO

Posted on 2010-09-23
Last Modified: 2013-11-25

I read up on improving the two GPOs due to RIM (BlackBerry) requesting that I establish the BES account as a service and allow log on locally for the BES account too. They mention not to have the BES account as a Domain Admin, but I digress. Anyway, I was about to place it in the "Default Domain Policy", as the guy was encouraging me to do, then I thought wtf am I doing. So I have a time out of sorts to research where I place the GPO and who it should apply to. Also, what accounts should be included. Anyway, I just opened Pandora's box, so all this is a bit too overwhelming and I would appreciate some baby steps in resolving this issue of what exactly goes into "log on as a service" and "log on locally" and where it should be applied. I guess I'm worried about breaking something if the accounts are applied and the servers require some other account. Attached are some pics as I am very much a visual person.
Question by: snoopaloop

Accepted Solution

thiagotietze earned 167 total points
ID: 33748650
What are the main requirements for the BES service account? I think it just needs to be a local administrator on the BES server.

In my point of view, it is much better for you to create a new OU, called "Service Accounts" for example, and give them the necessary rights (log on as a service and log on locally) in a brand new GPO.
You can use this OU to store service accounts (like backup service accounts, or something like that, for example...) and keep your AD clean.

Assisted Solution

by:Adam Brown
Adam Brown earned 333 total points
ID: 33748653
I wrote an article that could give you a bit of information on this. Here:

Basically, the account that you are going to be using to administer the BES software with is the one that needs the Log on Locally right. The account that you use to run the services with will need the Log on as a service right. However you choose to handle it, I would recommend *against* making changes to the Default Domain Controllers and Default Domain policies. Create a new GPO and set the user rights configuration in it, then link it to the Domain Controllers OU.

Going a little more in depth, any time you configure a User Rights assignment in a GPO, especially the Log on as XXX rights, you should link that GPO to the Domain Controllers OU. Also, if you plan to log on to the BES server through Remote Desktop, you'll want to add the Log on through terminal services right for the besadmin account.

Author Comment

ID: 33774948
A Service Accounts OU sounds appealing. Though, I'm still struggling with the whole concept. BlackBerry references logging in as Besadmin locally. Why would you do that? Shouldn't service accounts be strictly service? I also viewed various networks to see who exactly is granted log on locally through GPO. I viewed a very small business practice with built-in accounts set to log on locally, while an enterprise setup has a hybrid situation of domain and built-in accounts that appear to be, for the most part, all service accounts. I guess I'm really struggling with who qualifies to be added to log on locally? I will read your article again and any resource material I have lying around. As of right now, with what I referenced, it just doesn't make any sense.


Assisted Solution

by:Adam Brown
Adam Brown earned 333 total points
ID: 33775549
BES recommends giving it the Log on Locally right because they want you to be able to log in to the server with that account for administrative purposes. It isn't 100% necessary, but it's very handy to have that ability. Adding the Besadmin account to the local Administrators group will actually cause the account to gain that right automatically, because the local Administrators group already has the right to log on locally assigned to it. Since it sounds like the account is going to be performing double duty, that is, logging on as a service and as an administrative account, you'll want to set it up so it has the Log on as a service right as well as adding it to the local Administrators group. The reason for adding it as a local administrator is primarily so the services have the file access they need to operate properly.
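The two answers above recommend a dedicated GPO for these user rights rather than editing the default policies, and point out that local Administrators membership already carries Allow log on locally. The script below is an added example (not from the thread or from RIM) that creates and links such a GPO with the RSAT GroupPolicy module and then reads back the effective Log on as a service / Allow log on locally / Remote Desktop rights on the target server so the result can be checked. The GPO name, the OU distinguished name and the besadmin account are placeholders; User Rights Assignment is a Computer Configuration setting, so the GPO takes effect on the computers in the OU it is linked to.

```powershell
# Added example (not from the original thread): dedicated GPO for the BES user rights
# instead of editing Default Domain / Default Domain Controllers Policy, plus a check
# of the effective rights on the server. Placeholders: OU "OU=BES Servers,DC=contoso,DC=local".
Import-Module GroupPolicy

$GpoName  = 'BES Service Account Rights'                 # placeholder name
$TargetOu = 'OU=BES Servers,DC=contoso,DC=local'         # OU holding the BES member server

# 1. Create the GPO if it does not exist and link it to the OU. User Rights Assignment
#    lives under Computer Configuration, so the computers in this OU receive it.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Log on as a service / locally for besadmin' | Out-Null
}
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
# The right assignments themselves are edited in GPMC under Computer Configuration >
# Policies > Windows Settings > Security Settings > Local Policies > User Rights
# Assignment; the GroupPolicy module has no cmdlet for User Rights entries.

# 2. On the BES server (after gpupdate /force) export the effective user rights and
#    resolve the SIDs so you can see exactly who holds each right. Because the local
#    Administrators group is listed under Allow log on locally, a besadmin account that
#    is a local admin gets that right without appearing here by name.
function Get-EffectiveLogonRights {
    $cfg = Join-Path $env:TEMP 'secpol-userrights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{
        SeServiceLogonRight           = 'Log on as a service'
        SeInteractiveLogonRight       = 'Allow log on locally'
        SeRemoteInteractiveLogonRight = 'Allow log on through Remote Desktop Services'
    }
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $rights.ContainsKey($Matches[1])) {
            $principals = $Matches[2] -split ',' | ForEach-Object {
                $v = $_.Trim()
                if ($v.StartsWith('*')) {   # secedit writes SIDs prefixed with '*'
                    $sid = New-Object Security.Principal.SecurityIdentifier($v.Substring(1))
                    try { $sid.Translate([Security.Principal.NTAccount]).Value } catch { $v }
                } else { $v }              # already a name, e.g. NT SERVICE\ALL SERVICES
            }
            [pscustomobject]@{ Right = $rights[$Matches[1]]; Principals = ($principals -join '; ') }
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
}

Get-EffectiveLogonRights | Format-Table -AutoSize -Wrap
```

Run the check on the server before and after linking the GPO; if the rights were instead set in the server's Local Security Policy, the same export shows them, so the output tells you where the effective setting really comes from only when read together with gpresult.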

Author Comment

ID: 33784779
Thanks!  I just applied the settings log on locally and log on as a service on the BES member server itself.  I will start re-evaluating though how we apply these GPO in the future.

Author Closing Comment

ID: 33784894
