GPO Overwriting local policy question

Posted on 2012-09-04
Last Modified: 2013-01-07
We are trying to enforce non-interactive logons for all service accounts. We are planning to accomplish this by placing all service accounts into a security group and applying a global GPO to all workstation and server OUs to deny logon locally and through Terminal Services to accounts in that security group. We’ve tested this and it works well. During the testing, we noticed that the ASPNET local account was configured in the local security policy for ‘Deny Logon Locally’. When we apply the GPO, that local policy gets overwritten by the GPO according to the Local → Site → Domain → OU processing order.

From research I’ve done, it looks like Microsoft included the ASPNET account in deny logon locally Local Security Policy to weaken the account and help prevent revert-to-self attacks.
Is there a way to merge the local policy with the global GPO?  We’ve looked into loopback processing of GPOs, but it appears that it is only for User Configuration settings, and not Computer Configuration settings.  Has anyone been able to solve this sort of issue?  What options do we have to enforce the global GPO while maintaining the security posture of the ASPNET account?
Question by: gninos

    Expert Comment

    Add builtin\aspnet to the deny logon rule.
    GPO supersedes local policy.

    Author Comment

    I'm editing the Deny Log on Locally GPO from the domain controller and clicking Add user, but I get the message:

    An object named "BUILTIN\aspnet" cannot be found.

    Am I missing something here?

    Accepted Solution

    Unless you grant ASPNET allow logon locally, the local policy will still be enforced.
    Try the following with a test domain account by adding it into the system's local policy deny logon locally,
    I think the deny rule locally will prevent the test domain account from logging in.

    Author Comment

    When I enforce the GPO from the domain controller, the deny logon locally users are removed and replaced with the list of users from the GPO (and I can't add a local account to the GPO) so the aspnet account is no longer listed in the policy on the server.

    Are you saying it's still being enforced even though it's not listed on the server ???? don't see how that's possible.

    Assisted Solution

    Install Group Policy Manager on another system where ASPNET exists locally and make the adjustment from there. The alternative is to add a domain ASPNET account and add ASPNET on the DC, which should pass the account existence test.

    Expert Comment

    Following arnold's thought: it should be even easier; the account does not need to exist, because we don't choose it by browsing local accounts.
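The author's observation above is that once the GPO applies, the "Deny log on locally" list on the server is replaced wholesale and the local ASPNET entry disappears. The following PowerShell script is an added example, not code from the thread: run on a workstation or server after a `gpupdate`, it exports the effective user-rights assignments with `secedit` and warns if either the service-account group or the local ASPNET account is missing from the two deny rights. The group name `DOMAIN\SvcAccounts` is a placeholder for whatever group the GPO actually targets.

```powershell
# Added example: audit the effective "Deny log on locally" and "Deny log on through
# Terminal Services" assignments after Group Policy has been applied.
# Assumption: the service-account group is DOMAIN\SvcAccounts (placeholder name);
# the .NET worker account is the local ASPNET account on this machine.
$expected = @("DOMAIN\SvcAccounts", "$env:COMPUTERNAME\ASPNET")
$rights   = @("SeDenyInteractiveLogonRight", "SeDenyRemoteInteractiveLogonRight")

# secedit exports the *effective* local security policy, i.e. after GPO processing
$inf = Join-Path $env:TEMP "secpol-export.inf"
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$lines = Get-Content $inf

function Resolve-Principal([string]$entry) {
    # secedit writes resolvable principals as *SID; translate back to DOMAIN\name
    if ($entry.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $entry }   # orphaned SID (deleted account) stays as-is
    }
    return $entry
}

foreach ($right in $rights) {
    $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $assigned = @()
    if ($line) {
        # value is a comma-separated list after the '='
        $assigned = ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { Resolve-Principal $_.Trim() } |
            Where-Object { $_ }
    }
    Write-Host "$right : $($assigned -join ', ')"
    foreach ($p in $expected) {
        if ($assigned -notcontains $p) {
            Write-Warning "$p is NOT in $right on $env:COMPUTERNAME (local entry may have been replaced by the GPO)"
        }
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

Run it once before and once after linking the GPO to see exactly which entries the GPO replaced; the same export works for any other user-rights assignment by changing `$rights`.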
