I am trying desperately to figure out how to have a local account run a service instead of using the SYSTEM account. I need to do this through GPO and I feel like I am either NOT going to be able to do this or I need to go through a lot of steps to get this working.
So basically, I have 3 services running under the SYSTEM account and one SQL instance running under SYSTEM. I need to change only these to run under a different account and I have to be able to set this all up on 1000 computers via GPO.
I am going to go through the steps that I went through so far. The issue is when I try to add the account under Computer Configuration | Preferences | Control Panel Settings | Services
I get the Warning: CPassword attribute has been deprecated to minimize security risk. Instead, you should use secure built-in user accounts to create Services Group Policy Preferences.
I kind of understand that the local account that I created is not a built-in account, but I can't find a way to do so.
Changes made so far:
Step 1
A local group was created on my computer so that I can use it in GPO. I also created the local account.
Local group name: Program Services Group
Members: AppServiceAcct
Local account name: AppServiceAcct
Group: Program Services Group
Added a password
Password never expires
Step 2
GPO location:
Computer Configuration | Preferences | Control Panel Settings | Local Users and Groups
Local group created in GPO: Program Services Group
-Action: Create
-Add AppServiceAcct under Members
Step 3
GPO Location:
Computer Configuration | Policies | Windows Settings | Security Settings | File System
All 3 files that run as a service had the following permissions added/modified via GPO:
New Settings:
- Authenticated Users: Read & Execute, Read
- SYSTEM: Read & Execute, Read
- Administrators: Read & Execute, Read
- Users: Read & Execute, Read
Local account added to all files:
- AppServiceAcct: Full Control
Step 4
GPO Location:
Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment | Log on as a service
Add the group: Program Services Group
Added the user: AppServiceAcct
Step 5
GPO Location:
Computer Configuration | Preferences | Control Panel Settings | Services
Set the services to log on as AppServiceAcct
And this is where I continue to get the warning I put in the beginning. It will not populate and I have run out of ideas.
How would I go about having GPO add an account to all of my computers on the domain and have it set the 3 services that I specify and the SQL instance to log on as this account instead of the SYSTEM account? Any help would be greatly appreciated.
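Whatever mechanism ends up pushing the service logon change, the state described in Steps 3 to 5 can be verified on a target machine. The following PowerShell audit script is an added example, not part of the original post; it assumes hypothetical service names (`AppSvc1`, `AppSvc2`, `AppSvc3`, `MSSQLSERVER`), takes `AppServiceAcct` and `Program Services Group` from the post, and flags the Full Control grant from Step 3, since a service account only needs Read & Execute on its own binary.

```powershell
# Added verification script, not from the original post. Service names below are
# hypothetical; AppServiceAcct and "Program Services Group" come from the post.
# Run elevated on a machine that has received the GPO (secedit needs admin rights).
$TargetServices = @('AppSvc1', 'AppSvc2', 'AppSvc3', 'MSSQLSERVER')   # hypothetical
$Account = 'AppServiceAcct'
$Group   = 'Program Services Group'

function Get-LocalSid([string]$Name) {
    # Resolve a local principal name to its SID string (secedit exports rights as SIDs)
    $nt = New-Object Security.Principal.NTAccount($env:COMPUTERNAME, $Name)
    $nt.Translate([Security.Principal.SecurityIdentifier]).Value
}

# 1. Which of the target services still log on as LocalSystem?
$services = Get-CimInstance Win32_Service | Where-Object { $TargetServices -contains $_.Name }
foreach ($s in $services) {
    $status = if ($s.StartName -eq 'LocalSystem') { 'STILL SYSTEM' }
              elseif ($s.StartName -like "*\$Account") { 'OK' } else { 'UNEXPECTED' }
    '{0,-14} {1,-30} {2}' -f $s.Name, $s.StartName, $status
}

# 2. Does the account or its group actually hold "Log on as a service" (SeServiceLogonRight)?
$cfg = Join-Path $env:TEMP 'secpol-check.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$right = (Select-String -Path $cfg -Pattern '^SeServiceLogonRight').Line
Remove-Item $cfg -Force -ErrorAction SilentlyContinue
$granted = @($Account, $Group, (Get-LocalSid $Account), (Get-LocalSid $Group)) |
           Where-Object { $right -and ($right -match [regex]::Escape($_)) }
"Log on as a service granted via: $(if ($granted) { $granted -join ', ' } else { 'NONE' })"

# 3. Can the service account modify its own binaries? Write access is not needed to
#    run a service, and it lets a compromised service replace its own executable.
foreach ($s in $services) {
    # Service image path may be quoted and may carry arguments; keep only the executable
    $exe = if ($s.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($s.PathName -split ' ')[0] }
    if (-not (Test-Path $exe)) { continue }
    $writable = (Get-Acl $exe).Access | Where-Object {
        $_.IdentityReference -like "*\$Account" -and $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -match 'FullControl|Modify|Write')
    }
    $msg = if ($writable) { "WARNING: $Account can modify $exe" } else { "binary ACL ok: $exe" }
    '{0,-14} {1}' -f $s.Name, $msg
}
```

A service reported as OK in section 1 but NONE in section 2 will fail to start after the GPO applies, which is the symptom to look for when the User Rights Assignment policy has not reached the machine.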