GPO Overwriting local policy question

Posted on 2012-09-04
Medium Priority
Last Modified: 2013-01-07
We are trying to enforce non-interactive logons for all service accounts.  We are planning to accomplish this by placing all service accounts into a security group and applying a global GPO to all workstation and server OUs to deny logon locally and through Terminal Services to accounts in that security group.  We've tested this and it works well.  During the testing, we noticed that the ASPNET local account was configured in the local security policy for 'Deny Logon Locally'.  When we apply the GPO, that local policy gets overwritten by the GPO according to the Local → Site → Domain → OU processing order.

From research I’ve done, it looks like Microsoft included the ASPNET account in deny logon locally Local Security Policy to weaken the account and help prevent revert-to-self attacks.
Is there a way to merge the local policy with the global GPO?  We’ve looked into loopback processing of GPOs, but it appears that it is only for User Configuration settings, and not Computer Configuration settings.  Has anyone been able to solve this sort of issue?  What options do we have to enforce the global GPO while maintaining the security posture of the ASPNET account?
Question by:gninos

Expert Comment

ID: 38366477
Add builtin\aspnet to the deny logon rule.
GPO supersedes local policy.

Author Comment

ID: 38383363
I'm editing the Deny Log on Locally GPO from the domain controller and clicking Add user, but I get the message:

An object named "BUILTIN\aspnet" cannot be found.

Am I missing something here?

Accepted Solution

arnold earned 2000 total points
ID: 38383401
Unless you grant ASPNET allow logon locally, the local policy will still be enforced.
Try the following with a test domain account: add it to the system's local policy 'Deny logon locally'.
I think the deny rule locally will prevent the test domain account from logging in.

Author Comment

ID: 38383831
When I enforce the GPO from the domain controller, the deny logon locally users are removed and replaced with the list of users from the GPO (and I can't add a local account to the GPO) so the aspnet account is no longer listed in the policy on the server.

Are you saying it's still being enforced even though it's not listed on the server? I don't see how that's possible.

Assisted Solution

arnold earned 2000 total points
ID: 38383955
Install Group Policy Manager on another system where ASPNET exists locally and make the adjustment from there. The alternative is to add a domain ASPNET account and add ASPNET on the DC, which should pass the account existence test.

Expert Comment

ID: 38430947
Following arnold's thought: it should be even easier; the account does not need to be existent, because we don't choose it by browsing local accounts.
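The disagreement above (is the local ASPNET deny entry still in force after the GPO replaces the list?) is settled by reading the effective user rights on the member server rather than by looking at the GPO. User rights assignments are not merged: whatever the winning GPO lists is the complete list, so if ASPNET is not in the GPO it is no longer denied. The script below is an added example, not code from the thread; it exports the effective "Deny log on locally" and "Deny log on through Terminal Services" assignments with secedit, resolves the SIDs and reports whether BUILTIN\ASPNET and the service-account group are present. The group name CONTOSO\SvcAccounts-NoInteractive is a placeholder. Run it in an elevated PowerShell session on the server being tested.

```powershell
# Added example (not from the original thread): verify the effective deny-logon rights
# on a member server after Group Policy has applied.
# Placeholder: the security group that holds the service accounts.
$ServiceAccountGroup = 'CONTOSO\SvcAccounts-NoInteractive'

# 1. Refresh computer policy, then export the effective user rights assignments.
gpupdate /target:computer /force | Out-Null
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# 2. Parse the [Privilege Rights] section. Each line is "SeRight = a,b,c";
#    SIDs are written with a leading '*', names are written as-is.
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $right   = $matches[1]
        $members = foreach ($entry in $matches[2].Split(',')) {
            $v = $entry.Trim()
            if ($v.StartsWith('*')) {
                # Resolve the SID to DOMAIN\name or MACHINE\name; keep the raw SID if it cannot be resolved.
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($v.Substring(1))
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $v }
            } elseif ($v) { $v }
        }
        $rights[$right] = @($members)
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# 3. Report the two rights the GPO in the question sets, and check the entries we care about.
foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    $members = if ($rights.ContainsKey($right)) { $rights[$right] } else { @() }
    Write-Host "$right ($($members.Count) entries):"
    foreach ($m in $members) { Write-Host "    $m" }

    # The local ASPNET account resolves as MACHINENAME\ASPNET, so match on the trailing part.
    $hasAspnet = [bool]($members | Where-Object { $_ -match '\\ASPNET$' })
    $hasGroup  = [bool]($members | Where-Object { $_ -ieq $ServiceAccountGroup })
    Write-Host ("    ASPNET denied:          {0}" -f $hasAspnet)
    Write-Host ("    service group denied:   {0}" -f $hasGroup)
    if ($hasGroup -and -not $hasAspnet) {
        Write-Warning "$right : the GPO list replaced the local list; ASPNET is no longer denied here."
    }
}
```

If the warning fires, the fix is the one the thread arrives at: type ASPNET (or BUILTIN\ASPNET) into the GPO's deny list instead of browsing for it, so that the single list the GPO pushes out contains both the service-account group and the local account. Because the Group Policy editor on the DC tries to resolve the name, edit the GPO from a machine where the ASPNET account exists if it refuses the entry.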

Question has a verified solution.