[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Have GPO add an account to all domain computers and set 3 services to log on as that account instead of the SYSTEM account.

Posted on 2014-12-05
3
Medium Priority
?
519 Views
Last Modified: 2014-12-12
I am trying desperately to figure out how to have a local account run a service instead of using the SYSTEM account. I need to do this through GPO and I feel like I am either NOT going  to be able to do this or I need to go through a lot of steps to get this working.

So basically, I have 3 services running under the SYSTEM account and one SQL instance running under SYSTEM. I need to change only these to run under a different account and I have to be able to set this all up on 1000 computers via GPO.

I am going to go through the steps that I went through so far.. The issue is when I try to add the account under Computer Configuration | Preferences | Control Panel Settings | Services

I get the Warning: CPassword attribute has been deprecated to minimize security risk. Instead, you should use secure built-in user accounts to create Services Group Policy Preferences.

I kind of understand that the local account that I created is not a built-in account but I cant find a way to do so.

Changes made so far:

Step1
A local group was created on my computer so that I can use it in GPO. I also created the local account.
Local group name: Program Services Group
Members: AppServiceAcct

Local account name: AppServiceAcct
Group: Program Services Group
Added a password
Password never expires


Step 2
GPO location:      
      Computer Configuration | Preferences | Control Panel Settings | Local Users and Groups
Local group created in GPO: Program Services Group
      -Action: Create
      -Add AppServiceAcct under Members



Step 3
GPO Location:
      Computer Configuration | Policies | Windows Settings | Security Settings | File System
All 3 files that run as a service had the following permissions added/modified via GPO:
New Settings:
Authenticated Users
      Read & Execute
        Read
SYSTEM
      Read & Execute
        Read
Administrators
      Read & Execute
        Read
Users
      Read & Execute
        Read
 
Local account added to all files:
AppServiceAcct
      Full Control


Step 4
GPO Location:
Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment |Log on as a service
Add the group: Program Services Group
Added the user: AppServiceAcct


Step 5
GPO Location:
Computer Configuration | Preferences | Control Panel Settings | Services
Set the services to log on as AppServiceAcct
      
And this is where I continue to get the warning I put in the beginning. It will not populate and I have run out of ideas..

How would I go about having GPO add an account to all of my computers on the domain and have it set the 3 services that I specify and the SQL instance to log on as this account instead of the SYSTEM account? Any help would be greatly appreciated..
0
Comment
Question by:prologic08
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 6

Assisted Solution

by:JeffG2583
JeffG2583 earned 1000 total points
ID: 40483726
It looks like you've got the hard part done by creating the user accounts via GPO. You could always throw something like the below into a batch file and apply it through your GPO... Just a thought.

sc.exe config "Service Name" obj= "User" password= "password"
0
 
LVL 83

Accepted Solution

by:
David Johnson, CD, MVP earned 1000 total points
ID: 40484086
//use net user to set the password and combine it with the above sc command
net user username password
sc.exe config "Service Name" obj= "User" password= "password"
0
 

Author Closing Comment

by:prologic08
ID: 40496269
This allowed me to add the password, thank you. I only worry that the password is in a txt file but I guess this is my only way.
0

Featured Post

What’s Wrong with Your Cloud Strategy ?

Even as many CIOs are embracing a cloud-first strategy, the reality is that moving to the cloud is a lengthy process and the end-state is likely to be a blend of multiple clouds—public and private. Learn why multicloud solutions matter in this webinar by Nimble Storage.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question