Configuring Group Policy to create Security group for service / application account ?

Hi All,

Can anyone here please let me know what sort of AD permission or Group Policy settings that I need to know to properly create AD Service Account with the following requirements:

1. Login as limited user account.
2. Able to start and stop windows service.
3. able to run the application at the background.
4. Running Scheduled task on WIndows Server 2008 R2

Ideally the rule is set at the GPO for all of the servers that in my domain, but I'm not sure where to apply the GPO from ?
Do I edit the GPO for Default Domain... or I need to create one and configure something else ?

Any help would be greatly appreciated.

Senior IT System EngineerIT ProfessionalAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Please describe what you would like to do.
Like this: "I'd like to modify a service on a number of servers, so that service's account will be changed to account X. Account X should be used because..."

Then we could help.

Without that info, I assume it would be best to use group policy preferences to change the account to the system account. On domains, the system account may access network resources, by the way.
Senior IT System EngineerIT ProfessionalAuthor Commented:
ok, here's what I'd like to achieve:

I'd like to create a security group where this security group contains all of the service account that can be used by user to login and to start services in a member server. This account should not be able to restart the server or become the local administrator of the server.
OK, understood.
You can use GPOs to empower selected users to (re-)start services on a server, see for a howto. That works for 2008/2012 servers as well. They would need to get the permission to logon to that server as well, do they have that already? If not, use a GPO on that servers and assign the permission "allow logon locally" and "allow logon through remote desktop services" to that users.

Be aware that letting a user logon to a server is not the best security practice. You could use scheduled tasks to let the user (re-)start serviuces from remote using sc.exe.
That task would need to use server admin credentials though.
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

Senior IT System EngineerIT ProfessionalAuthor Commented:
The is is Windows Server 2008 R2.
The application is an old application server (legacy) which must be executed and run in foreground so that the client application from the workstation can communicates.

At the moment it is running under the Local administrator account which is deemed not the best practice I guess.
Senior IT System EngineerIT ProfessionalAuthor Commented:
ok, I have created the GPO and then add some AD security groups as per below settings:

Computer Configuration (Enabled)\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Act as part of the operating system:
DOMAIN\Allow - Act as part of the operating system

Allow log on locally:
DOMAIN\Domain Admins, DOMAIN\Allow - Log on locally, BUILTIN\Remote Desktop Users, BUILTIN\Administrators

Log on as a batch job:
DOMAIN\Allow - Log on as a batch job, BUILTIN\Administrators

Log on as a service:
DOMAIN\Allow - Log on as a service

Replace a process level token:

but somehow the service account still cannot stop or start the service ?

do I missed any steps in the above User Rights assignment ?
Seems you missed the first part of my instructions, the link.
Senior IT System EngineerIT ProfessionalAuthor Commented:

So If I delete or disable the GPo object, would those rights effectively gets removed or leave until the server gets rebooted ?
You are confusing me.
The "first part" I was talking of is this: "You can use GPOs to empower selected users to (re-)start services on a server, see for a howto. That works for 2008/2012 servers as well."
->Did you do this already? Why would you worry about disabling the policy again, at the moment? Yes, those permissions should get removed as soon as the modified policy would apply.
Senior IT System EngineerIT ProfessionalAuthor Commented:
I'm asking about the rollback plan, because somehow some service stopped randomly in various different server.
the event viewer says that it is because lack of logon as service.

so in case I need to undo everything, can I just delete the GPO object that I created at the top of the OU container and those accounts or service accounts will not have any issue to logon to the server ?
It should undo after removal of policy. Stage it for a test. Of course if you remove the policy at the DC, it will not apply immediately but at the next reboot or next background refresh of the target server. To test it immediately, do a
gpupdate /force /target:computer at the target server on an elevated command prompt.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Senior IT System EngineerIT ProfessionalAuthor Commented:
ok, so in this case everything should be "allowed" if the GPO is deleted at the higher hierarchy ?
Yes. But test it anyway.
Senior IT System EngineerIT ProfessionalAuthor Commented:
Thanks McKnife,

I just need a working roll back plan in case I missed or cannot figure out which accounts needs to have the allow "Log on locally".

There is no testing domain, I only have production domain.

so once I right click delete the GPO, then I assume everything should be rolled back to what it was before (no privileges revoked for all service account).
You don't need a test domain, just a test machine and a test GPO. Please test it, always better.
Senior IT System EngineerIT ProfessionalAuthor Commented:
Thanks !
Senior IT System EngineerIT ProfessionalAuthor Commented:
I have disabled the GPO link, hopefully they are inactive.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.