We are trying to enforce non-interactive logons for all service accounts. We are planning to accomplish this by placing all service accounts into a security group and applying a global GPO to all workstation and server OUs to deny logon locally and through Terminal Services to accounts in that security group. We’ve tested this and it works well. During the testing, we noticed that the ASPNET local account was configured in the local security policy for ‘Deny Logon Locally’. When we apply the GPO, that local policy gets overwritten by the GPO according to the Local → Site → Domain → OU processing order.
From research I’ve done, it looks like Microsoft included the ASPNET account in deny logon locally Local Security Policy to weaken the account and help prevent revert-to-self attacks.
Is there a way to merge the local policy with the global GPO? We’ve looked into loopback processing of GPOs, but it appears that it is only for User Configuration settings, and not Computer Configuration settings. Has anyone been able to solve this sort of issue? What options do we have to enforce the global GPO while maintaining the security posture of the ASPNET account?
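One check worth running on a test machine after the GPO applies, as an added example that is not part of the original post: export the effective user rights assignment with secedit and flag whether the service-account group and the local ASPNET account are still present in the deny rights. The group name 'CONTOSO\SvcAccounts-NoInteractive' is a placeholder assumption; run it elevated.

```powershell
# Added example (not from the original post): audit the effective
# "Deny log on locally" (SeDenyInteractiveLogonRight) and
# "Deny log on through Remote Desktop Services" (SeDenyRemoteInteractiveLogonRight)
# settings after Group Policy processing and report any expected principal that
# the GPO overwrite has dropped. Group name below is an assumed placeholder.
param(
    [string]$ServiceGroup = 'CONTOSO\SvcAccounts-NoInteractive',
    [string]$LocalAspNetAccount = 'ASPNET'
)

$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Parse the [Privilege Rights] section: "SeRight = name,*S-1-5-...,name"
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = $matches[2].Split(',') | ForEach-Object { $_.Trim() }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

function Resolve-Principal([string]$entry) {
    # secedit writes SIDs prefixed with '*'; translate them to names for comparison.
    if ($entry.StartsWith('*')) {
        try {
            $sid = [System.Security.Principal.SecurityIdentifier]$entry.Substring(1)
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $entry }
    }
    return $entry
}

# What the effective policy should still contain once local policy and GPO are reconciled.
$expected = @{
    'SeDenyInteractiveLogonRight'       = @($ServiceGroup, $LocalAspNetAccount)
    'SeDenyRemoteInteractiveLogonRight' = @($ServiceGroup)
}

foreach ($right in $expected.Keys) {
    $have = @($rights[$right] | ForEach-Object { Resolve-Principal $_ })
    foreach ($who in $expected[$right]) {
        # Match on the trailing account name so 'HOSTNAME\ASPNET' satisfies 'ASPNET'.
        $found = $have | Where-Object { $_ -eq $who -or $_ -like "*\$who" }
        $status = if ($found) { 'OK     ' } else { 'MISSING' }
        '{0} {1,-38} {2}' -f $status, $right, $who
    }
}
```

A MISSING line for ASPNET under SeDenyInteractiveLogonRight confirms the overwrite described above; rerun the script after each policy change to verify the reconciled result.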