Michael

Deployment of NT Service\XXXXX accounts via GPO

We have a number of domain-based service accounts that are deployed via GPO.
Unfortunately, this means that for some servers that run local services, their permissions get overwritten.

i.e. NT Service\MSSQLServer is no longer allowed to log on as a service, as it's not listed in the accounts being pushed by GPO.

What is the best way to allow these? Do I just add NT Service\ALL Services to the GPO?

Bembi

Local permissions are overwritten by a GPO; this makes it necessary to clearly separate the servers to which you apply such policies.
So either you have to separate the servers by an OU, or you have to put them into an AD group and filter the policy by this AD group.
Applying more permissions than needed is always not the best option.

Michael (ASKER)

Hi

Thanks for that; I understand that GPO takes priority over local policy.

The issue I have is that there are some servers that run services as local accounts and also run other services as domain accounts. Is the only way around this to give all services a domain account?

I cannot find any way to filter which service accounts get pushed down to which server, unless I create a large number of GPOs?
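
A check for the failure described in this thread, as an added example that is not part of any poster's message: it exports the effective "Log on as a service" assignment on one server and lists services whose logon account is no longer covered by it. It assumes an elevated PowerShell session on the server being audited, sees only direct grants (rights inherited through group membership are not resolved), and treats a grant to NT SERVICE\ALL SERVICES as covering every NT SERVICE\ account; the temp file name and the `Resolve-Sid` helper are hypothetical.

```powershell
# Added example, not from the thread. Run elevated on the server to audit.
# Reports services whose logon account has no direct "Log on as a service" grant.
$inf = Join-Path $env:TEMP 'user-rights.inf'        # hypothetical scratch file
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

function Resolve-Sid([string]$Name) {
    # secedit writes SIDs as *S-1-...; anything else is an account name.
    if ($Name.StartsWith('*'))  { return $Name.Substring(1) }
    if ($Name.StartsWith('.\')) { $Name = "${env:COMPUTERNAME}\" + $Name.Substring(2) }
    try {
        ([Security.Principal.NTAccount]$Name).Translate(
            [Security.Principal.SecurityIdentifier]).Value
    } catch { $null }   # account could not be resolved (deleted or unreachable)
}

# Effective assignment after GPO processing, e.g.
#   SeServiceLogonRight = *S-1-5-80-0,EXAMPLE\svc-app   (constructed sample)
$line = Select-String -Path $inf -Pattern '^SeServiceLogonRight\s*=' |
    Select-Object -First 1
$granted = @()
if ($line) {
    $granted = @((($line.Line -split '=', 2)[1]) -split ',' |
        ForEach-Object { Resolve-Sid $_.Trim() } | Where-Object { $_ })
}

$allServices = 'S-1-5-80-0'   # well-known SID of NT SERVICE\ALL SERVICES

# Scope: NT SERVICE\ virtual accounts plus named local/domain accounts.
# LocalSystem and the NT AUTHORITY built-ins are left out of this check.
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -and $_.StartName -ne 'LocalSystem' -and
                   $_.StartName -notlike 'NT AUTHORITY\*' } |
    ForEach-Object {
        $sid     = Resolve-Sid $_.StartName
        $virtual = $_.StartName -like 'NT SERVICE\*'
        $covered = ($sid -and ($granted -contains $sid)) -or
                   ($virtual -and ($granted -contains $allServices))
        [pscustomobject]@{
            Service = $_.Name
            Account = $_.StartName
            Granted = [bool]$covered
        }
    } |
    Where-Object { -not $_.Granted } |
    Sort-Object Account, Service |
    Format-Table -AutoSize

Remove-Item $inf -ErrorAction SilentlyContinue
```

An empty table means every in-scope service account is still covered; any row is a service that may fail to start at its next restart.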


