Solved

Configuring Group Policy to create Security group for service / application account ?

Posted on 2014-11-09
Last Modified: 2014-11-30
Hi All,

Can anyone here please let me know what sort of AD permission or Group Policy settings that I need to know to properly create AD Service Account with the following requirements:

1. Login as a limited user account.
2. Able to start and stop a Windows service.
3. Able to run the application in the background.
4. Running a scheduled task on Windows Server 2008 R2.

Ideally the rule is set at the GPO for all of the servers in my domain, but I'm not sure where to apply the GPO from?
Do I edit the Default Domain GPO, or do I need to create one and configure something else?

Any help would be greatly appreciated.

Thanks
0
16 Comments
 
LVL 55

Assisted Solution

by:McKnife
McKnife earned 500 total points
ID: 40432209
Please describe what you would like to do.
Like this: "I'd like to modify a service on a number of servers, so that service's account will be changed to account X. Account X should be used because..."

Then we could help.

Without that info, I assume it would be best to use group policy preferences to change the account to the system account. On domains, the system account may access network resources, by the way.
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40432515
ok, here's what I'd like to achieve:

I'd like to create a security group where this security group contains all of the service accounts that can be used by users to log in and to start services on a member server. These accounts should not be able to restart the server or become a local administrator of the server.
0
 
LVL 55

Assisted Solution

by:McKnife
McKnife earned 500 total points
ID: 40432798
OK, understood.
You can use GPOs to empower selected users to (re-)start services on a server, see https://support.microsoft.com/kb/256345?wa=wsignin1.0 for a howto. That works for 2008/2012 servers as well. They would need to get the permission to log on to that server as well, do they have that already? If not, use a GPO on those servers and assign the permissions "allow logon locally" and "allow logon through remote desktop services" to those users.

Be aware that letting a user log on to a server is not the best security practice. You could use scheduled tasks to let the user (re-)start services remotely using sc.exe.
That task would need to use server admin credentials though.
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40433727
The OS is Windows Server 2008 R2.
The application is an old (legacy) application server which must be executed and run in the foreground so that the client application on the workstation can communicate with it.

At the moment it is running under the local Administrator account, which is deemed not the best practice, I guess.
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40434069
OK, I have created the GPO and then added some AD security groups as per the settings below:

Computer Configuration (Enabled)\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Act as part of the operating system:
DOMAIN\Allow - Act as part of the operating system

Allow log on locally:
DOMAIN\Domain Admins, DOMAIN\Allow - Log on locally, BUILTIN\Remote Desktop Users, BUILTIN\Administrators

Log on as a batch job:
DOMAIN\Allow - Log on as a batch job, BUILTIN\Administrators

Log on as a service:
DOMAIN\Allow - Log on as a service

Replace a process level token:
DOMAIN\Allow - Replace a process level token, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE

But somehow the service account still cannot stop or start the service?

Did I miss any steps in the above User Rights Assignment?
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40434403
Seems you missed the first part of my instructions, the link.
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40468001
McKnife,

So if I delete or disable the GPO object, would those rights effectively get removed, or remain until the server gets rebooted?
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40468513
You are confusing me.
The "first part" I was talking of is this: "You can use GPOs to empower selected users to (re-)start services on a server, see https://support.microsoft.com/kb/256345?wa=wsignin1.0 for a howto. That works for 2008/2012 servers as well."
->Did you do this already? Why would you worry about disabling the policy again, at the moment? Yes, those permissions should get removed as soon as the modified policy would apply.
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40472412
I'm asking about the rollback plan, because somehow some services stopped randomly on various different servers.
The event viewer says that it is because of a lack of "log on as a service".

So in case I need to undo everything, can I just delete the GPO object that I created at the top of the OU container, and those accounts or service accounts will not have any issue logging on to the server?
0
 
LVL 55

Accepted Solution

by:McKnife
McKnife earned 500 total points
ID: 40472414
It should undo after removal of the policy. Stage it for a test. Of course, if you remove the policy at the DC, it will not apply immediately but at the next reboot or next background refresh of the target server. To test it immediately, run
gpupdate /force /target:computer on the target server in an elevated command prompt.
0
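As an added example, not part of this thread and not McKnife's instructions: a PowerShell check that lists who holds the user rights configured in the GPO above, and shows a service's DACL, on the local server. Run it elevated after "gpupdate /force /target:computer" and again after unlinking the GPO to confirm the rollback actually took effect. The service name is an assumed placeholder.

```powershell
# Added example, not from the thread: list who holds the user rights the GPO above
# assigns, and show a service's DACL, on the local server. Run elevated after
# "gpupdate /force /target:computer" and again after unlinking the GPO to confirm
# the rollback took effect. $ServiceName is a placeholder; change it as needed.
param([string]$ServiceName = 'Spooler')

# Rights from the question's User Rights Assignment, keyed by secedit constant.
$rightsOfInterest = @{
    'SeTcbPrivilege'                = 'Act as part of the operating system'
    'SeInteractiveLogonRight'       = 'Allow log on locally'
    'SeBatchLogonRight'             = 'Log on as a batch job'
    'SeServiceLogonRight'           = 'Log on as a service'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process level token'
}

# Export the effective local policy; GPO-applied user rights are included.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg
Remove-Item $cfg -ErrorAction SilentlyContinue

function Resolve-Holder([string]$Entry) {
    # secedit writes SIDs as *S-1-..., account names as-is; translate SIDs to names.
    if ($Entry -notlike '*S-1-*') { return $Entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.TrimStart('*'))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $Entry }   # orphaned SID (deleted account) is shown raw
}

foreach ($line in $lines) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $rightsOfInterest.ContainsKey($matches[1])) {
        $right   = $matches[1]
        $holders = @($matches[2] -split ',' | ForEach-Object { Resolve-Holder $_.Trim() })
        "{0} ({1}):" -f $rightsOfInterest[$right], $right
        $holders | ForEach-Object { "    $_" }
        if ($right -eq 'SeTcbPrivilege') {
            Write-Warning 'SeTcbPrivilege allows impersonating any user; confirm the service account really needs it.'
        }
    }
}
# A right with no holders is simply absent from the export, so it prints nothing.

# Service DACL in SDDL: RP = start, WP = stop, DC = pause/continue. The group
# given service permissions per KB256345 should appear here with at least RP and WP.
"Service DACL for ${ServiceName}:"
sc.exe sdshow $ServiceName
```

If "Log on as a service" lists no holders after the GPO is unlinked, the accounts that were failing in the event log will still be unable to start their services until the local policy or the service account's rights are restored.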
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40472436
OK, so in this case everything should be "allowed" if the GPO is deleted at the higher hierarchy?
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40472446
Yes. But test it anyway.
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40472462
Thanks McKnife,

I just need a working rollback plan in case I missed or cannot figure out which accounts need to have "Allow log on locally".

There is no testing domain, I only have the production domain.

So once I right-click and delete the GPO, then I assume everything should be rolled back to what it was before (no privileges revoked for any service account).
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40472470
You don't need a test domain, just a test machine and a test GPO. Please test it, always better.
0
 
LVL 8

Author Closing Comment

by:Senior IT System Engineer
ID: 40472967
Thanks !
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40472973
I have disabled the GPO link, hopefully they are inactive.
0
