How can you append/merge security policy settings?

    Question

  • Hi,

    We have an application that requires us to add a domain account to the "Replace a process level token" user right on all our servers.

    It is not possible to do this via group policy because once set this overrides anything that has been configured locally. IIS, SQL and some 3rd party applications add accounts to this policy when they are installed. When a GPO is configured these accounts get removed and it just leaves LOCAL SERVICE and NETWORK plus any accounts configured in the GPO.

    We can do this manually by simply running secpol.msc on a server and adding the relevant account which appends it to the list. However we need to do this for several thousand machines.

    How can this be scripted / automated? We thought this might be possible using secedit but again this only replaces and does not append the list.

    Thanks.

    Thursday, March 27, 2014 7:36 PM

All replies

  • Hi,

    >>IIS,SQL and some 3rd party applications add accounts to this policy when they are installed.

    What is the policy? Besides, I want to confirm whether we can add these accounts via Group Policy. If yes, we can re-add these accounts in the GPO.

    >>How can this be scripted / automated?

    Regarding this question, we can ask for help in the following scripting forum.

    The Official Scripting Guys Forum

    https://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG&filter=alltypes&sort=lastpostdesc

    If we can get such a script, we can deploy this script via group policy.

    Best regards,

    Frank Shen


    Monday, March 31, 2014 8:17 AM
    Moderator
  • Hi,

    It is the "Replace a process level token" right.

    It looks like the default entries are LOCAL SERVICE and NETWORK SERVICE.

    We don't make any changes to this setting, but it gets populated when you install applications onto the servers.

    I can't come up with a definitive list of what accounts get put in there as it will depend on what has been installed (and there are several thousand servers) and will almost certainly be changing on a daily basis so if we applied a GPO that could potentially break applications.

    Looking on a couple of machines I have seen these in the list

    LOCAL SERVICE

    NETWORK SERVICE

    Acronis Agent User

    Help

    Classic .NET AppPool

    DefaultAppPool

    NT SERVICE\MSSQL$SQLEXPRESS

    SQLServerSQLAgentUser$scm-1$SQLExpress

    IIS Apppool\site1

    NT SERVICE\MSSQLSERVER

    NT SERVICE\SQLSERVERAGENT

    Playing with secedit exporting and importing/configuring results in an error stating "unable to enumerate SIDs".

    Thanks.

    Tuesday, April 01, 2014 7:31 PM
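The original question asks how to append an account to "Replace a process level token" on thousands of servers when secedit only replaces the list, and the follow-up post reports that a secedit export/import round trip fails with "unable to enumerate SIDs". The script below is an added example, not code from the thread: it reads the machine's current assignment for SeAssignPrimaryTokenPrivilege (the internal name of that right) via secedit /export, appends the new account's SID, and writes the merged list back with secedit /configure, so whatever IIS, SQL or other installers added locally is preserved. The account name CONTOSO\svc_app is a placeholder; it must be run elevated on each target (for example as a GPO startup script or through PowerShell remoting). It writes SIDs prefixed with * rather than account names into the template, which is the form secedit expects and avoids the name lookups at import time that commonly produce the SID-enumeration error.

```powershell
# Added example (not from the original post): append one account to the
# "Replace a process level token" right (SeAssignPrimaryTokenPrivilege)
# without removing the entries already present on this machine.
# Assumptions: runs elevated on the target server; $Account is a placeholder.
param(
    [string]$Account   = 'CONTOSO\svc_app',              # hypothetical domain account
    [string]$Privilege = 'SeAssignPrimaryTokenPrivilege' # "Replace a process level token"
)

$ErrorActionPreference = 'Stop'
$work   = Join-Path $env:TEMP ('userrights-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
$export = Join-Path $work 'export.inf'
$import = Join-Path $work 'import.inf'
$db     = Join-Path $work 'import.sdb'
$log    = Join-Path $work 'secedit.log'

# Resolve the account to a SID. secedit templates take SIDs prefixed with '*';
# writing SIDs instead of names avoids name resolution during the import.
$nt    = New-Object System.Security.Principal.NTAccount($Account)
$sid   = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
$entry = "*$sid"

# 1. Export only the user-rights area of the current local policy.
& secedit.exe /export /cfg $export /areas USER_RIGHTS /quiet | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }

# 2. Read the current assignment line for this privilege (absent if nobody holds it).
$current = @()
$line = Get-Content $export | Where-Object { $_ -match "^\s*$Privilege\s*=" } | Select-Object -First 1
if ($line) {
    $current = ($line -split '=', 2)[1].Trim() -split ',' |
               ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

if ($current -contains $entry) {
    Write-Output "$Account already holds $Privilege; nothing to do."
    Remove-Item $work -Recurse -Force
    return
}

# 3. Build a template carrying every existing entry plus the new one.
#    secedit replaces the whole list, so the merge has to happen here.
$merged   = ($current + $entry) -join ','
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
$Privilege = $merged
"@
Set-Content -Path $import -Value $template -Encoding Unicode

# 4. Apply against a fresh database so nothing from an older .sdb leaks in.
& secedit.exe /configure /db $db /cfg $import /areas USER_RIGHTS /log $log /quiet | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed (exit $LASTEXITCODE); see $log" }

# 5. Verify by re-exporting and checking the SID is now in the list.
& secedit.exe /export /cfg $export /areas USER_RIGHTS /quiet | Out-Null
$after = Get-Content $export | Where-Object { $_ -match "^\s*$Privilege\s*=" } | Select-Object -First 1
if (-not $after -or $after -notmatch [regex]::Escape($entry)) {
    throw "Verification failed: $entry not present in $Privilege after import"
}
Write-Output "Appended $Account ($sid) to $Privilege. Now: $after"
Remove-Item $work -Recurse -Force
```

Because the script re-reads the live list on every run, it is safe to deploy repeatedly: a box that already has the account is left untouched, and a box where an installer later added further entries keeps them. The same pattern works for any other right in the [Privilege Rights] section by changing $Privilege.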