GPO Overwriting local policy question

We are trying to enforce non-interactive logons for all service accounts. We are planning to accomplish this by placing all service accounts into a security group and applying a global GPO to all workstation and server OUs to deny logon locally and through Terminal Services to accounts in that security group. We’ve tested this and it works well. During the testing, we noticed that the ASPNET local account was configured in the local security policy for ‘Deny Logon Locally’. When we apply the GPO, that local policy gets overwritten by the GPO according to the Local → Site → Domain → OU processing order.

From research I’ve done, it looks like Microsoft included the ASPNET account in deny logon locally Local Security Policy to weaken the account and help prevent revert-to-self attacks.
Is there a way to merge the local policy with the global GPO?  We’ve looked into loopback processing of GPOs, but it appears that it is only for User Configuration settings, and not Computer Configuration settings.  Has anyone been able to solve this sort of issue?  What options do we have to enforce the global GPO while maintaining the security posture of the ASPNET account?
Asked by gninos
2 Solutions
 
arnold commented:
Add builtin\aspnet to the deny logon rule.
GPO supersedes local policy.

gninos (Author) commented:
Arnold,
I'm editing the Deny Log on Locally GPO from the domain controller and clicking Add user, but I get the message:

An object named "BUILTIN\aspnet" cannot be found.

Am I missing something here?

arnold commented:
Unless you grant ASPNET allow logon locally, the local policy will still be enforced.
Try the following with a test domain account by adding it into the system's local policy 'deny logon locally'.
I think the deny rule locally will prevent the test domain account from logging in.
gninos (Author) commented:
When I enforce the GPO from the domain controller, the deny logon locally users are removed and replaced with the list of users from the GPO (and I can't add a local account to the GPO) so the aspnet account is no longer listed in the policy on the server.

Are you saying it's still being enforced even though it's not listed on the server? I don't see how that's possible.

arnold commented:
Install Group Policy Manager on another system where ASPNET exists locally and make the adjustment from there. The alternative is to add a domain ASPNET account and add ASPNET on the DC, which should pass the account existence test.

McKnife commented:
Hi.
Following arnold's thought: it should be even easier, the account does not need to be existent because we don't choose it by browsing local accounts.
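The check a defender wants after applying the GPO is whether ASPNET still appears in the effective "Deny log on locally" and "Deny log on through Terminal Services" rights on a member server, since a GPO user-rights assignment replaces the local list rather than merging with it. The script below is an added example, not code from the thread; it assumes an elevated PowerShell session on the target machine and uses secedit.exe to export the effective policy (the temp file path is constructed).

```powershell
# Added example: audit the effective deny-logon rights after gpupdate and
# flag if the local ASPNET entry was dropped when the GPO replaced the list.
# Assumes an elevated session; secedit.exe ships with Windows.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'   # constructed temp path
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Parse the [Privilege Rights] section of the exported template.
$rights = @{}
$inSection = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
        $name = $Matches[1]
        $rights[$name] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() })
    }
}

function Resolve-RightEntry {
    param([string]$Entry)
    # Entries prefixed with '*' are SIDs; a bare name is an account that was
    # stored unresolved (as happens when a name is typed into the GPO editor
    # without browsing for it), which is why the account need not exist on the DC.
    if ($Entry -like '*S-1-*') {
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($Entry.TrimStart('*'))
        try { return $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { return $Entry }
    }
    return $Entry
}

foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    $members = @($rights[$right] | Where-Object { $_ } | ForEach-Object { Resolve-RightEntry $_ })
    "{0}: {1}" -f $right, ($members -join '; ')
    if (-not ($members | Where-Object { $_ -match '(^|\\)ASPNET$' })) {
        Write-Warning "$right no longer contains ASPNET; the GPO replaced the local list."
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

Run it on a machine before and after the GPO applies: the warning firing after gpupdate confirms the overwrite the thread describes, and it clears once ASPNET is added to the GPO's deny entries.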