User Rights Assignment done in wrong place

    Question

  • I inherited an AD environment from a group of people who didn't know how to set up AD. In the default domain policy they set up, in Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies/User Rights Assignment, several settings hard-coded, including "Act as part of the OS" and "log on as a batch job", things that service accounts and managed service accounts need.

    Up to this point, I have just dealt with it and manually added service accounts that needed these rights to this and then they suddenly have rights on all servers and workstations. This is becoming a problem now and I really need to fix it.

    I need to know, if I remove these settings, do all servers go back to defaults, or are they wiped out and I potentially could hose a bunch of things? And what are the default values supposed to be?

    My biggest concern is that removing even one of these could potentially hose all 20 of my servers until I can get to them and set what it should be manually.

    How do I fix this pickle?

    Friday, December 23, 2016 6:23 PM

All replies

  • Hi,
    "Act as part of the OS":
    The Act as part of the operating system policy setting determines whether a process can assume the identity of any user and thereby gain access to the resources that the user is authorized to access.
    The Act as part of the operating system user right is extremely powerful. Users with this user right can take complete control of the computer and erase evidence of their activities.
    So we should restrict the Act as part of the operating system user right to as few accounts as possible, and it should not even be assigned to the Administrators group under typical circumstances. When a service requires this user right, configure the service to log on with the Local System account, which inherently includes this privilege. We would not suggest creating a separate account and assigning this user right to it. The default value is not defined.
    "Log on as a batch job":
    The policy allows a user to be logged on by means of a batch-queue facility. By default, this user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers. The following accounts have the privilege to be logged on as a batch job defined in the Default Domain Controller GPO:

    Please see details from:
    Act as part of the operating system https://technet.microsoft.com/en-us/library/dn221957(v=ws.11).aspx
    Log on as a batch job https://technet.microsoft.com/en-us/library/cc957131.aspx
    Best regards,
    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, December 26, 2016 2:49 AM
    Moderator
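As an added example (not part of the thread), before changing the GPO you can record which accounts actually hold the two rights Wendy describes on each server, so the state after the change can be compared with it. The script is mine and assumes an elevated PowerShell session on the server being checked; it reads the effective local policy with secedit, which already reflects what the domain GPO applies.

```powershell
# Added example, not from the thread. Run elevated on each server (or via Invoke-Command)
# to record who currently holds the two rights discussed, before the GPO setting is removed.
$rightsOfInterest = @{
    SeTcbPrivilege    = 'Act as part of the operating system'
    SeBatchLogonRight = 'Log on as a batch job'
}

# secedit exports the effective local policy, i.e. whatever the domain GPO applies here.
$inf = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

$inSection = $false
$found = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$' -and $rightsOfInterest.ContainsKey($Matches[1])) {
        $right, $value = $Matches[1], $Matches[2]
        $found[$right] = foreach ($entry in ($value -split ',' | ForEach-Object Trim | Where-Object { $_ })) {
            if ($entry.StartsWith('*')) {
                # Entries are SIDs prefixed with '*'; translate to account names where the SID resolves.
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $entry }
            } else { $entry }
        }
    }
}
Remove-Item $inf

# A right missing from the export has no holders. For SeTcbPrivilege that matches the
# "not defined" default quoted above; for SeBatchLogonRight it would be unusual and worth noting.
$report = foreach ($right in $rightsOfInterest.Keys) {
    $holders = if ($found[$right]) { @($found[$right]) -join '; ' } else { '(none)' }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Right    = $rightsOfInterest[$right]
        Constant = $right
        Holders  = $holders
    }
}
$report | Format-Table -AutoSize
# Keep a per-server snapshot (output path is my choice) to diff against after the GPO change.
$report | Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP "$env:COMPUTERNAME-user-rights.csv")
```

Running it again after the GPO setting is removed shows exactly which holders disappeared on each server, which answers the "what did I just lose" question without guessing.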
  • Hi,

    I am checking how the issue is going; if you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolved it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy


    Thursday, December 29, 2016 9:23 AM
    Moderator