Solved

Configuring Group Policy to create Security group for service / application account ?

Posted on 2014-11-09
16
177 Views
Last Modified: 2014-11-30
Hi All,

Can anyone here please let me know what sort of AD permission or Group Policy settings that I need to know to properly create AD Service Account with the following requirements:

1. Login as limited user account.
2. Able to start and stop windows service.
3. able to run the application at the background.
4. Running Scheduled task on WIndows Server 2008 R2

Ideally the rule is set at the GPO for all of the servers that in my domain, but I'm not sure where to apply the GPO from ?
Do I edit the GPO for Default Domain... or I need to create one and configure something else ?

Any help would be greatly appreciated.

Thanks
0
Comment
  • 9
  • 7
16 Comments
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 500 total points
ID: 40432209
Please describe what you would like to do.
Like this: "I'd like to modify a service on a number of servers, so that service's account will be changed to account X. Account X should be used because..."

Then we could help.

Without that info, I assume it would be best to use group policy preferences to change the account to the system account. On domains, the system account may access network resources, by the way.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40432515
ok, here's what I'd like to achieve:

I'd like to create a security group where this security group contains all of the service account that can be used by user to login and to start services in a member server. This account should not be able to restart the server or become the local administrator of the server.
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 500 total points
ID: 40432798
OK, understood.
You can use GPOs to empower selected users to (re-)start services on a server, see https://support.microsoft.com/kb/256345?wa=wsignin1.0 for a howto. That works for 2008/2012 servers as well. They would need to get the permission to logon to that server as well, do they have that already? If not, use a GPO on that servers and assign the permission "allow logon locally" and "allow logon through remote desktop services" to that users.

Be aware that letting a user logon to a server is not the best security practice. You could use scheduled tasks to let the user (re-)start serviuces from remote using sc.exe.
That task would need to use server admin credentials though.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40433727
The is is Windows Server 2008 R2.
The application is an old application server (legacy) which must be executed and run in foreground so that the client application from the workstation can communicates.

At the moment it is running under the Local administrator account which is deemed not the best practice I guess.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40434069
ok, I have created the GPO and then add some AD security groups as per below settings:

Computer Configuration (Enabled)\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Act as part of the operating system:
DOMAIN\Allow - Act as part of the operating system

Allow log on locally:
DOMAIN\Domain Admins, DOMAIN\Allow - Log on locally, BUILTIN\Remote Desktop Users, BUILTIN\Administrators

Log on as a batch job:
DOMAIN\Allow - Log on as a batch job, BUILTIN\Administrators

Log on as a service:
DOMAIN\Allow - Log on as a service

Replace a process level token:
DOMAIN\Allow - Replace a process level token, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE

but somehow the service account still cannot stop or start the service ?

do I missed any steps in the above User Rights assignment ?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40434403
Seems you missed the first part of my instructions, the link.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40468001
McKnife,

So If I delete or disable the GPo object, would those rights effectively gets removed or leave until the server gets rebooted ?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40468513
You are confusing me.
The "first part" I was talking of is this: "You can use GPOs to empower selected users to (re-)start services on a server, see https://support.microsoft.com/kb/256345?wa=wsignin1.0 for a howto. That works for 2008/2012 servers as well."
->Did you do this already? Why would you worry about disabling the policy again, at the moment? Yes, those permissions should get removed as soon as the modified policy would apply.
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40472412
I'm asking about the rollback plan, because somehow some service stopped randomly in various different server.
the event viewer says that it is because lack of logon as service.

so in case I need to undo everything, can I just delete the GPO object that I created at the top of the OU container and those accounts or service accounts will not have any issue to logon to the server ?
0
 
LVL 53

Accepted Solution

by:
McKnife earned 500 total points
ID: 40472414
It should undo after removal of policy. Stage it for a test. Of course if you remove the policy at the DC, it will not apply immediately but at the next reboot or next background refresh of the target server. To test it immediately, do a
gpupdate /force /target:computer at the target server on an elevated command prompt.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40472436
ok, so in this case everything should be "allowed" if the GPO is deleted at the higher hierarchy ?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40472446
Yes. But test it anyway.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40472462
Thanks McKnife,

I just need a working roll back plan in case I missed or cannot figure out which accounts needs to have the allow "Log on locally".

There is no testing domain, I only have production domain.

so once I right click delete the GPO, then I assume everything should be rolled back to what it was before (no privileges revoked for all service account).
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40472470
You don't need a test domain, just a test machine and a test GPO. Please test it, always better.
0
 
LVL 7

Author Closing Comment

by:Senior IT System Engineer
ID: 40472967
Thanks !
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40472973
I have disabled the GPO link, hopefully they are inactive.
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now