Solved

Configuring Group Policy to create Security group for service / application account ?

Posted on 2014-11-09
16
182 Views
Last Modified: 2014-11-30
Hi All,

Can anyone here please let me know what sort of AD permission or Group Policy settings that I need to know to properly create AD Service Account with the following requirements:

1. Login as limited user account.
2. Able to start and stop windows service.
3. able to run the application at the background.
4. Running Scheduled task on WIndows Server 2008 R2

Ideally the rule is set at the GPO for all of the servers that in my domain, but I'm not sure where to apply the GPO from ?
Do I edit the GPO for Default Domain... or I need to create one and configure something else ?

Any help would be greatly appreciated.

Thanks
0
Comment
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 7
16 Comments
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 500 total points
ID: 40432209
Please describe what you would like to do.
Like this: "I'd like to modify a service on a number of servers, so that service's account will be changed to account X. Account X should be used because..."

Then we could help.

Without that info, I assume it would be best to use group policy preferences to change the account to the system account. On domains, the system account may access network resources, by the way.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40432515
ok, here's what I'd like to achieve:

I'd like to create a security group where this security group contains all of the service account that can be used by user to login and to start services in a member server. This account should not be able to restart the server or become the local administrator of the server.
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 500 total points
ID: 40432798
OK, understood.
You can use GPOs to empower selected users to (re-)start services on a server, see https://support.microsoft.com/kb/256345?wa=wsignin1.0 for a howto. That works for 2008/2012 servers as well. They would need to get the permission to logon to that server as well, do they have that already? If not, use a GPO on that servers and assign the permission "allow logon locally" and "allow logon through remote desktop services" to that users.

Be aware that letting a user logon to a server is not the best security practice. You could use scheduled tasks to let the user (re-)start serviuces from remote using sc.exe.
That task would need to use server admin credentials though.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40433727
The is is Windows Server 2008 R2.
The application is an old application server (legacy) which must be executed and run in foreground so that the client application from the workstation can communicates.

At the moment it is running under the Local administrator account which is deemed not the best practice I guess.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40434069
ok, I have created the GPO and then add some AD security groups as per below settings:

Computer Configuration (Enabled)\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Act as part of the operating system:
DOMAIN\Allow - Act as part of the operating system

Allow log on locally:
DOMAIN\Domain Admins, DOMAIN\Allow - Log on locally, BUILTIN\Remote Desktop Users, BUILTIN\Administrators

Log on as a batch job:
DOMAIN\Allow - Log on as a batch job, BUILTIN\Administrators

Log on as a service:
DOMAIN\Allow - Log on as a service

Replace a process level token:
DOMAIN\Allow - Replace a process level token, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE

but somehow the service account still cannot stop or start the service ?

do I missed any steps in the above User Rights assignment ?
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40434403
Seems you missed the first part of my instructions, the link.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40468001
McKnife,

So If I delete or disable the GPo object, would those rights effectively gets removed or leave until the server gets rebooted ?
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40468513
You are confusing me.
The "first part" I was talking of is this: "You can use GPOs to empower selected users to (re-)start services on a server, see https://support.microsoft.com/kb/256345?wa=wsignin1.0 for a howto. That works for 2008/2012 servers as well."
->Did you do this already? Why would you worry about disabling the policy again, at the moment? Yes, those permissions should get removed as soon as the modified policy would apply.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40472412
I'm asking about the rollback plan, because somehow some service stopped randomly in various different server.
the event viewer says that it is because lack of logon as service.

so in case I need to undo everything, can I just delete the GPO object that I created at the top of the OU container and those accounts or service accounts will not have any issue to logon to the server ?
0
 
LVL 54

Accepted Solution

by:
McKnife earned 500 total points
ID: 40472414
It should undo after removal of policy. Stage it for a test. Of course if you remove the policy at the DC, it will not apply immediately but at the next reboot or next background refresh of the target server. To test it immediately, do a
gpupdate /force /target:computer at the target server on an elevated command prompt.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40472436
ok, so in this case everything should be "allowed" if the GPO is deleted at the higher hierarchy ?
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40472446
Yes. But test it anyway.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40472462
Thanks McKnife,

I just need a working roll back plan in case I missed or cannot figure out which accounts needs to have the allow "Log on locally".

There is no testing domain, I only have production domain.

so once I right click delete the GPO, then I assume everything should be rolled back to what it was before (no privileges revoked for all service account).
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40472470
You don't need a test domain, just a test machine and a test GPO. Please test it, always better.
0
 
LVL 7

Author Closing Comment

by:Senior IT System Engineer
ID: 40472967
Thanks !
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40472973
I have disabled the GPO link, hopefully they are inactive.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question