none
Restricted user right assignment.

    Question

  • Hi,

    We need to give the permission Logon as s service for a few Servers to a bunch of user accounts. The final goal is run some Windows Services with those user accounts.

    To me the best solution would be using a GPO to give that permission through a GPO, but I just want to give the permission to only those servers. The only way I think I can acomplish that woulb be filtering with the Securty Filtering option of the GPO. Just removing the Authenticated users from the Security Filtering of the GPO and adding the machine account of those servers I want to apply the GPO to.

    This is quite straight forward, but the problem comes when you have to give the permission to 100 different accounts over 100 different servers, you'd have to create 100 different GPOs for each of them and I don't like to flood the domain with so many GPOs.

    Is there any other way to achieve that?

    Thank you,

    Monday, March 04, 2013 9:31 AM

Answers

All replies

  • Are all the servers in question in the same OU?

    I'd first start by creating a new AD group with all the users that will need access to the servers then use either the WMI filters or the Item-level-Targeting to specify which servers the GPO applies to 

    Monday, March 04, 2013 10:03 AM
  • The servers are distributed in different OUs, that's why I can't take advantage of AD OUs structure to apply the GPO.

    I don't like at all WMI filtering as they may be really sluggish depenging on the class.

    What do you mean with Item-level-Targeting?, it's the Security filtering within the Scope tab of the GPO? I've used that deature a lot of times but almost always for group made of user accounts. For worksations accounts you have to reboote the computer to get the new kerberos tikets or doing the trick with klist tool, what I don't lie very much.

    Thank you.


    • Edited by fedayn1 Monday, March 04, 2013 11:42 AM
    Monday, March 04, 2013 11:41 AM
  • Hey, You can use item-level targeting to change the scope of individual preference items, so they apply only to selected users or computers. Within a single Group Policy object (GPO), you can include multiple preference items, each customized for selected users or computers and each targeted to apply settings only to the relevant users or computers.

    You can target computers by name, make , Ram, disk space, ...

    Check this 

    http://technet.microsoft.com/en-gb/library/cc733022.aspx

    • Edited by J Razek Monday, March 04, 2013 12:02 PM
    Monday, March 04, 2013 12:00 PM
  • Hi Razek,

    Correct me wheter I'm wrong, but this is a security setting and not a Preference. I thin you can't use Targeting for this case.

    Tahank you.

    Monday, March 04, 2013 12:08 PM
  • Correct, i was playing around with the idea of deploying the group through the local User and Group Computer preference and using the Item level targeting then enabling the  Logon as Service policy but in my lab it applied it to all the machines in the OU and the targeting didn't work.

    The only way i managed to get it to work was through a WMI filter 

    Monday, March 04, 2013 2:48 PM
  • Is the WMI filter a fast option?, I tried out other times for depolying applications and was an absolute nightmare, it's really slow.

    Thank you.

    Tuesday, March 05, 2013 8:15 AM
  • WMI filters can take significant time to evaluate, so they can slow down logon and startup time. The amount of time depends on the construction of the query. 

    A name query shouldn't take as long as other queries which I assume you will be going for instead of OS or Architecture.

    Have a read through this 

    http://technet.microsoft.com/en-us/library/cc758471(v=ws.10).aspx

    http://blogs.technet.com/b/grouppolicy/archive/2009/07/30/security-filtering-wmi-filtering-and-item-level-targeting-in-group-policy-preferences.aspx

    Tuesday, March 05, 2013 8:52 AM
  • Am 05.03.2013 09:15, schrieb fedayn1:
    >
    > Is the WMI filter a fast option?, I tried out other times for
    > depolying applications and was an absolute nightmare, it's really slow.
    >
     
    You might have been using win32_product - the absolute no-go for WMI
    filters. Most other filters dealing with local properties are quite fast
    (~0.3 seconds or so).
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    • Marked as answer by fedayn1 Wednesday, March 06, 2013 6:51 AM
    Tuesday, March 05, 2013 9:08 PM
  • Of course, in one of my post I said "I don't like at all WMI filtering as they may be really sluggish depenging on the class."

    Thank you Razek, your post is a good starting point.

    Looking on the Internet I got to a usefull site to filter out depending on the OS

    http://jpaloma.wordpress.com/2010/11/20/using-wmi-to-filter-gpos-based-on-windows-version-and-role/

    Regards.

    Wednesday, March 06, 2013 6:54 AM