Have GPO add an account to all domain computers and set 3 services to log on as that account instead of the SYSTEM account.

I am trying desperately to figure out how to have a local account run a service instead of using the SYSTEM account. I need to do this through GPO and I feel like I am either NOT going to be able to do this or I need to go through a lot of steps to get this working.

So basically, I have 3 services running under the SYSTEM account and one SQL instance running under SYSTEM. I need to change only these to run under a different account and I have to be able to set this all up on 1000 computers via GPO.

I am going to go through the steps that I went through so far. The issue is when I try to add the account under Computer Configuration | Preferences | Control Panel Settings | Services

I get the Warning: CPassword attribute has been deprecated to minimize security risk. Instead, you should use secure built-in user accounts to create Services Group Policy Preferences.

I kind of understand that the local account that I created is not a built-in account but I can't find a way to do so.

Changes made so far:

A local group was created on my computer so that I can use it in GPO. I also created the local account.
Local group name: Program Services Group
Members: AppServiceAcct

Local account name: AppServiceAcct
Group: Program Services Group
Added a password
Password never expires

Step 2
GPO location:      
      Computer Configuration | Preferences | Control Panel Settings | Local Users and Groups
Local group created in GPO: Program Services Group
      -Action: Create
      -Add AppServiceAcct under Members

Step 3
GPO Location:
      Computer Configuration | Policies | Windows Settings | Security Settings | File System
All 3 files that run as a service had the following permissions added/modified via GPO:
New Settings:
Authenticated Users
      Read & Execute
      Read & Execute
      Read & Execute
      Read & Execute
Local account added to all files:
      Full Control

Step 4
GPO Location:
Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment | Log on as a service
Add the group: Program Services Group
Added the user: AppServiceAcct

Step 5
GPO Location:
Computer Configuration | Preferences | Control Panel Settings | Services
Set the services to log on as AppServiceAcct
And this is where I continue to get the warning I put in the beginning. It will not populate and I have run out of ideas.

How would I go about having GPO add an account to all of my computers on the domain and have it set the 3 services that I specify and the SQL instance to log on as this account instead of the SYSTEM account? Any help would be greatly appreciated.

David Johnson, CD, MVP (Owner) Commented:
REM Use net user to set the password and combine it with the above sc command
net user username password
sc.exe config "Service Name" obj= "User" password= "password"

JeffG2583 Commented:
It looks like you've got the hard part done by creating the user accounts via GPO. You could always throw something like the below into a batch file and apply it through your GPO... Just a thought.

sc.exe config "Service Name" obj= "User" password= "password"

prologic08 (Author) Commented:
This allowed me to add the password, thank you. I only worry that the password is in a txt file but I guess this is my only way.
Question has a verified solution.
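
The author's closing concern about the password sitting in a text file, and the CPassword warning quoted in the question, can both be checked for. The following is an added example, not code from the thread: a small audit that flags deployment scripts carrying a literal password on `net user` or `sc config` lines and Group Policy Preferences XML that still stores a `cpassword` value. The sample script, the simplified XML and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a GPO startup script like the one suggested in the thread.
SAMPLE_BAT = r'''
REM constructed sample, not from the original thread
net user AppServiceAcct Examp1e-Passw0rd
sc.exe config "Service Name" obj= ".\AppServiceAcct" password= "Examp1e-Passw0rd"
sc.exe config "Other Service" obj= "NT AUTHORITY\LocalService" password= ""
'''

# Constructed, simplified Group Policy Preferences Services.xml (values are placeholders).
SAMPLE_XML = r'''<NTServices>
  <NTService name="Service Name">
    <Properties serviceName="Service Name" accountName=".\AppServiceAcct" cpassword="PLACEHOLDER"/>
  </NTService>
  <NTService name="Other Service">
    <Properties serviceName="Other Service" accountName="LocalSystem" cpassword=""/>
  </NTService>
</NTServices>'''

SC_RE = re.compile(r'\bsc(?:\.exe)?\s+config\s+("[^"]+"|\S+).*?\bpassword=\s*("[^"]*"|\S+)', re.I)
NET_USER_RE = re.compile(r'^\s*net(?:\.exe)?\s+user\s+(\S+)\s+(\S+)', re.I)

def scan_script(text):
    """Return (line number, kind, target) for each command carrying a literal password."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().lower().startswith(('rem ', '::')):
            continue  # skip batch comments
        m = SC_RE.search(line)
        if m and m.group(2).strip('"'):  # an empty password= "" is not a finding
            findings.append((n, 'sc config password', m.group(1).strip('"')))
            continue
        m = NET_USER_RE.match(line)
        if m and not m.group(2).startswith(('/', '*')):  # switches such as /add, or the * prompt
            findings.append((n, 'net user password', m.group(1)))
    return findings

def scan_gpp_xml(xml_text):
    """Return the account names of preference items that still store a cpassword."""
    root = ET.fromstring(xml_text)
    return [el.get('accountName', '?') for el in root.iter() if el.get('cpassword')]

if __name__ == '__main__':
    for finding in scan_script(SAMPLE_BAT):
        print('script:', finding)
    for account in scan_gpp_xml(SAMPLE_XML):
        print('GPP XML: cpassword stored for', account)
```

The findings list only the line number, the command type and the service or account name, so the report itself does not repeat the password.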
