Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

group policy service restriction prolicy

Posted on 2013-05-26
11
390 Views
Last Modified: 2013-07-15
Hi Experts,

In my environment, everyone is a local administrator and I want to prevent some of the essential services to be disabled by them. I tried to use the "system services" policy in computer configuration -> windows settings -> security settings but I found difficulties to know what permission i need to assign to a particular service. I tried to follow what I found in the service.msc to assign full control to system, local service and network service but still no luck, it caused services like event viewer, firewall, WMI to stop startup.

What i have setup is like this, e.g, windows firewall, i tried 2 different permission set:-

set 1:
1> remove local administrators group
2> add local service and give it full permission
3> keep the default system permission (full)
4> keep the default interactive permission (read)
5> add domain admins to have full permission

set 2:
1> keep local administrators group and remove the "start, stop, pause" permission
2> keep the default system permission (full)
3> keep the default interactive permission (read)
4> add domain admin to have full permission

anyone know how or what I can do to achieve my goal?
0
Comment
Question by:nokyplease
  • 4
  • 2
  • 2
  • +1
11 Comments
 
LVL 9

Expert Comment

by:jsdray
ID: 39197568
You're setting yourself up for a headache. ;)  Your best bet is to not give everyone local admin.  If they are trusted on their local machines, then let them kill what they want and deal with it.  If they are not trusted to stop certain services, then remove the user(s) from local admin.
0
 

Author Comment

by:nokyplease
ID: 39197573
I can't because they need the local admin rights and I know best to not give them this permission.....
0
 
LVL 54

Accepted Solution

by:
McKnife earned 500 total points
ID: 39199879
Hi.

You found the right spot to modify the ACLs of the services. Grant the right to start the service to domain admins and remove (NOT deny) the "stop service" privilege from administrators - that's all.

But be aware that local admins stay local admins - if they wanted, they could free themselves of GPO restrictions for good.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 59

Expert Comment

by:LeeTutor
ID: 39264462
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39264463
0
 

Author Comment

by:nokyplease
ID: 39268390
i still have problem of some services failed to start after i changed a lot of service ACL in group policy by removing the stop permission of local admins. do i need to specify the local service and/or network service as well in the group policy?
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39269185
Ah, still there? :)
If you remove a stop permission, this will not result in anyone being able to start it.
Please quote the error on starting and also tell us what account is being used to start the service, account system or a user account?
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 39326353
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39326354
Hi LeeTutor.

I had objected already.
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_28139284.html#a39199879 solves it as anyone can quickly verify. "
This is verifiable. If nokyplease ceases to respond, it is still verifiable as solution. Please do verify. As this is not nuclear physics but simple ACLs, the outcome is obvious. Stating "Not enough information to confirm an answer." makes me feel my efforts are being ignored, repeating it without further notice even ridicules them from my perspective.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A safe way to clean winsxs folder from your windows server 2008 R2 editions
When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
This Micro Tutorial will teach you how to the overview of Microsoft Security Essentials. This is a free anti-virus software that guards your PC against viruses, spyware, worms, and other malicious software. This will be demonstrated using Windows…

861 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question