Solved

Configuring Group Policy to create Security group for service / application account ?

Posted on 2014-11-09
16
171 Views
Last Modified: 2014-11-30
Hi All,

Can anyone here please let me know what sort of AD permission or Group Policy settings that I need to know to properly create AD Service Account with the following requirements:

1. Login as limited user account.
2. Able to start and stop windows service.
3. able to run the application at the background.
4. Running Scheduled task on WIndows Server 2008 R2

Ideally the rule is set at the GPO for all of the servers that in my domain, but I'm not sure where to apply the GPO from ?
Do I edit the GPO for Default Domain... or I need to create one and configure something else ?

Any help would be greatly appreciated.

Thanks
0
Comment
  • 9
  • 7
16 Comments
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 500 total points
ID: 40432209
Please describe what you would like to do.
Like this: "I'd like to modify a service on a number of servers, so that service's account will be changed to account X. Account X should be used because..."

Then we could help.

Without that info, I assume it would be best to use group policy preferences to change the account to the system account. On domains, the system account may access network resources, by the way.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40432515
ok, here's what I'd like to achieve:

I'd like to create a security group where this security group contains all of the service account that can be used by user to login and to start services in a member server. This account should not be able to restart the server or become the local administrator of the server.
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 500 total points
ID: 40432798
OK, understood.
You can use GPOs to empower selected users to (re-)start services on a server, see https://support.microsoft.com/kb/256345?wa=wsignin1.0 for a howto. That works for 2008/2012 servers as well. They would need to get the permission to logon to that server as well, do they have that already? If not, use a GPO on that servers and assign the permission "allow logon locally" and "allow logon through remote desktop services" to that users.

Be aware that letting a user logon to a server is not the best security practice. You could use scheduled tasks to let the user (re-)start serviuces from remote using sc.exe.
That task would need to use server admin credentials though.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40433727
The is is Windows Server 2008 R2.
The application is an old application server (legacy) which must be executed and run in foreground so that the client application from the workstation can communicates.

At the moment it is running under the Local administrator account which is deemed not the best practice I guess.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40434069
ok, I have created the GPO and then add some AD security groups as per below settings:

Computer Configuration (Enabled)\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Act as part of the operating system:
DOMAIN\Allow - Act as part of the operating system

Allow log on locally:
DOMAIN\Domain Admins, DOMAIN\Allow - Log on locally, BUILTIN\Remote Desktop Users, BUILTIN\Administrators

Log on as a batch job:
DOMAIN\Allow - Log on as a batch job, BUILTIN\Administrators

Log on as a service:
DOMAIN\Allow - Log on as a service

Replace a process level token:
DOMAIN\Allow - Replace a process level token, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE

but somehow the service account still cannot stop or start the service ?

do I missed any steps in the above User Rights assignment ?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40434403
Seems you missed the first part of my instructions, the link.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40468001
McKnife,

So If I delete or disable the GPo object, would those rights effectively gets removed or leave until the server gets rebooted ?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40468513
You are confusing me.
The "first part" I was talking of is this: "You can use GPOs to empower selected users to (re-)start services on a server, see https://support.microsoft.com/kb/256345?wa=wsignin1.0 for a howto. That works for 2008/2012 servers as well."
->Did you do this already? Why would you worry about disabling the policy again, at the moment? Yes, those permissions should get removed as soon as the modified policy would apply.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40472412
I'm asking about the rollback plan, because somehow some service stopped randomly in various different server.
the event viewer says that it is because lack of logon as service.

so in case I need to undo everything, can I just delete the GPO object that I created at the top of the OU container and those accounts or service accounts will not have any issue to logon to the server ?
0
 
LVL 53

Accepted Solution

by:
McKnife earned 500 total points
ID: 40472414
It should undo after removal of policy. Stage it for a test. Of course if you remove the policy at the DC, it will not apply immediately but at the next reboot or next background refresh of the target server. To test it immediately, do a
gpupdate /force /target:computer at the target server on an elevated command prompt.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40472436
ok, so in this case everything should be "allowed" if the GPO is deleted at the higher hierarchy ?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40472446
Yes. But test it anyway.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40472462
Thanks McKnife,

I just need a working roll back plan in case I missed or cannot figure out which accounts needs to have the allow "Log on locally".

There is no testing domain, I only have production domain.

so once I right click delete the GPO, then I assume everything should be rolled back to what it was before (no privileges revoked for all service account).
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40472470
You don't need a test domain, just a test machine and a test GPO. Please test it, always better.
0
 
LVL 7

Author Closing Comment

by:Senior IT System Engineer
ID: 40472967
Thanks !
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40472973
I have disabled the GPO link, hopefully they are inactive.
0

Join & Write a Comment

Know what services you can and cannot, should and should not combine on your server.
Synchronize a new Active Directory domain with an existing Office 365 tenant
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now