?
Solved

Configuring Group Policy to create Security group for service / application account ?

Posted on 2014-11-09
16
Medium Priority
?
184 Views
Last Modified: 2014-11-30
Hi All,

Can anyone here please let me know what sort of AD permission or Group Policy settings that I need to know to properly create AD Service Account with the following requirements:

1. Login as limited user account.
2. Able to start and stop windows service.
3. able to run the application at the background.
4. Running Scheduled task on WIndows Server 2008 R2

Ideally the rule is set at the GPO for all of the servers that in my domain, but I'm not sure where to apply the GPO from ?
Do I edit the GPO for Default Domain... or I need to create one and configure something else ?

Any help would be greatly appreciated.

Thanks
0
Comment
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 7
16 Comments
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 2000 total points
ID: 40432209
Please describe what you would like to do.
Like this: "I'd like to modify a service on a number of servers, so that service's account will be changed to account X. Account X should be used because..."

Then we could help.

Without that info, I assume it would be best to use group policy preferences to change the account to the system account. On domains, the system account may access network resources, by the way.
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40432515
ok, here's what I'd like to achieve:

I'd like to create a security group where this security group contains all of the service account that can be used by user to login and to start services in a member server. This account should not be able to restart the server or become the local administrator of the server.
0
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 2000 total points
ID: 40432798
OK, understood.
You can use GPOs to empower selected users to (re-)start services on a server, see https://support.microsoft.com/kb/256345?wa=wsignin1.0 for a howto. That works for 2008/2012 servers as well. They would need to get the permission to logon to that server as well, do they have that already? If not, use a GPO on that servers and assign the permission "allow logon locally" and "allow logon through remote desktop services" to that users.

Be aware that letting a user logon to a server is not the best security practice. You could use scheduled tasks to let the user (re-)start serviuces from remote using sc.exe.
That task would need to use server admin credentials though.
0
How Blockchain Is Impacting Every Industry

Blockchain expert Alex Tapscott talks to Acronis VP Frank Jablonski about this revolutionary technology and how it's making inroads into other industries and facets of everyday life.

 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40433727
The is is Windows Server 2008 R2.
The application is an old application server (legacy) which must be executed and run in foreground so that the client application from the workstation can communicates.

At the moment it is running under the Local administrator account which is deemed not the best practice I guess.
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40434069
ok, I have created the GPO and then add some AD security groups as per below settings:

Computer Configuration (Enabled)\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Act as part of the operating system:
DOMAIN\Allow - Act as part of the operating system

Allow log on locally:
DOMAIN\Domain Admins, DOMAIN\Allow - Log on locally, BUILTIN\Remote Desktop Users, BUILTIN\Administrators

Log on as a batch job:
DOMAIN\Allow - Log on as a batch job, BUILTIN\Administrators

Log on as a service:
DOMAIN\Allow - Log on as a service

Replace a process level token:
DOMAIN\Allow - Replace a process level token, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE

but somehow the service account still cannot stop or start the service ?

do I missed any steps in the above User Rights assignment ?
0
 
LVL 56

Expert Comment

by:McKnife
ID: 40434403
Seems you missed the first part of my instructions, the link.
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40468001
McKnife,

So If I delete or disable the GPo object, would those rights effectively gets removed or leave until the server gets rebooted ?
0
 
LVL 56

Expert Comment

by:McKnife
ID: 40468513
You are confusing me.
The "first part" I was talking of is this: "You can use GPOs to empower selected users to (re-)start services on a server, see https://support.microsoft.com/kb/256345?wa=wsignin1.0 for a howto. That works for 2008/2012 servers as well."
->Did you do this already? Why would you worry about disabling the policy again, at the moment? Yes, those permissions should get removed as soon as the modified policy would apply.
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40472412
I'm asking about the rollback plan, because somehow some service stopped randomly in various different server.
the event viewer says that it is because lack of logon as service.

so in case I need to undo everything, can I just delete the GPO object that I created at the top of the OU container and those accounts or service accounts will not have any issue to logon to the server ?
0
 
LVL 56

Accepted Solution

by:
McKnife earned 2000 total points
ID: 40472414
It should undo after removal of policy. Stage it for a test. Of course if you remove the policy at the DC, it will not apply immediately but at the next reboot or next background refresh of the target server. To test it immediately, do a
gpupdate /force /target:computer at the target server on an elevated command prompt.
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40472436
ok, so in this case everything should be "allowed" if the GPO is deleted at the higher hierarchy ?
0
 
LVL 56

Expert Comment

by:McKnife
ID: 40472446
Yes. But test it anyway.
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40472462
Thanks McKnife,

I just need a working roll back plan in case I missed or cannot figure out which accounts needs to have the allow "Log on locally".

There is no testing domain, I only have production domain.

so once I right click delete the GPO, then I assume everything should be rolled back to what it was before (no privileges revoked for all service account).
0
 
LVL 56

Expert Comment

by:McKnife
ID: 40472470
You don't need a test domain, just a test machine and a test GPO. Please test it, always better.
0
 
LVL 8

Author Closing Comment

by:Senior IT System Engineer
ID: 40472967
Thanks !
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40472973
I have disabled the GPO link, hopefully they are inactive.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question