Configuring Group Policy to create Security group for service / application account ?
Hi All,
Can anyone here please let me know what sort of AD permission or Group Policy settings that I need to know to properly create AD Service Account with the following requirements:
1. Login as limited user account.
2. Able to start and stop windows service.
3. able to run the application at the background.
4. Running Scheduled task on WIndows Server 2008 R2
Ideally the rule is set at the GPO for all of the servers that in my domain, but I'm not sure where to apply the GPO from ?
Do I edit the GPO for Default Domain... or I need to create one and configure something else ?
Any help would be greatly appreciated.
Thanks
Can anyone here please let me know what sort of AD permission or Group Policy settings that I need to know to properly create AD Service Account with the following requirements:
1. Login as limited user account.
2. Able to start and stop windows service.
3. able to run the application at the background.
4. Running Scheduled task on WIndows Server 2008 R2
Ideally the rule is set at the GPO for all of the servers that in my domain, but I'm not sure where to apply the GPO from ?
Do I edit the GPO for Default Domain... or I need to create one and configure something else ?
Any help would be greatly appreciated.
Thanks
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
The is is Windows Server 2008 R2.
The application is an old application server (legacy) which must be executed and run in foreground so that the client application from the workstation can communicates.
At the moment it is running under the Local administrator account which is deemed not the best practice I guess.
The application is an old application server (legacy) which must be executed and run in foreground so that the client application from the workstation can communicates.
At the moment it is running under the Local administrator account which is deemed not the best practice I guess.
ASKER
ok, I have created the GPO and then add some AD security groups as per below settings:
Computer Configuration (Enabled)\Policies\Windows
Act as part of the operating system:
DOMAIN\Allow - Act as part of the operating system
Allow log on locally:
DOMAIN\Domain Admins, DOMAIN\Allow - Log on locally, BUILTIN\Remote Desktop Users, BUILTIN\Administrators
Log on as a batch job:
DOMAIN\Allow - Log on as a batch job, BUILTIN\Administrators
Log on as a service:
DOMAIN\Allow - Log on as a service
Replace a process level token:
DOMAIN\Allow - Replace a process level token, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
but somehow the service account still cannot stop or start the service ?
do I missed any steps in the above User Rights assignment ?
Computer Configuration (Enabled)\Policies\Windows
Act as part of the operating system:
DOMAIN\Allow - Act as part of the operating system
Allow log on locally:
DOMAIN\Domain Admins, DOMAIN\Allow - Log on locally, BUILTIN\Remote Desktop Users, BUILTIN\Administrators
Log on as a batch job:
DOMAIN\Allow - Log on as a batch job, BUILTIN\Administrators
Log on as a service:
DOMAIN\Allow - Log on as a service
Replace a process level token:
DOMAIN\Allow - Replace a process level token, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
but somehow the service account still cannot stop or start the service ?
do I missed any steps in the above User Rights assignment ?
Seems you missed the first part of my instructions, the link.
ASKER
McKnife,
So If I delete or disable the GPo object, would those rights effectively gets removed or leave until the server gets rebooted ?
So If I delete or disable the GPo object, would those rights effectively gets removed or leave until the server gets rebooted ?
You are confusing me.
The "first part" I was talking of is this: "You can use GPOs to empower selected users to (re-)start services on a server, see https://support.microsoft.com/kb/256345?wa=wsignin1.0 for a howto. That works for 2008/2012 servers as well."
->Did you do this already? Why would you worry about disabling the policy again, at the moment? Yes, those permissions should get removed as soon as the modified policy would apply.
The "first part" I was talking of is this: "You can use GPOs to empower selected users to (re-)start services on a server, see https://support.microsoft.com/kb/256345?wa=wsignin1.0 for a howto. That works for 2008/2012 servers as well."
->Did you do this already? Why would you worry about disabling the policy again, at the moment? Yes, those permissions should get removed as soon as the modified policy would apply.
ASKER
I'm asking about the rollback plan, because somehow some service stopped randomly in various different server.
the event viewer says that it is because lack of logon as service.
so in case I need to undo everything, can I just delete the GPO object that I created at the top of the OU container and those accounts or service accounts will not have any issue to logon to the server ?
the event viewer says that it is because lack of logon as service.
so in case I need to undo everything, can I just delete the GPO object that I created at the top of the OU container and those accounts or service accounts will not have any issue to logon to the server ?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
ok, so in this case everything should be "allowed" if the GPO is deleted at the higher hierarchy ?
Yes. But test it anyway.
ASKER
Thanks McKnife,
I just need a working roll back plan in case I missed or cannot figure out which accounts needs to have the allow "Log on locally".
There is no testing domain, I only have production domain.
so once I right click delete the GPO, then I assume everything should be rolled back to what it was before (no privileges revoked for all service account).
I just need a working roll back plan in case I missed or cannot figure out which accounts needs to have the allow "Log on locally".
There is no testing domain, I only have production domain.
so once I right click delete the GPO, then I assume everything should be rolled back to what it was before (no privileges revoked for all service account).
You don't need a test domain, just a test machine and a test GPO. Please test it, always better.
ASKER
Thanks !
ASKER
I have disabled the GPO link, hopefully they are inactive.
ASKER
I'd like to create a security group where this security group contains all of the service account that can be used by user to login and to start services in a member server. This account should not be able to restart the server or become the local administrator of the server.