Designing a group policy / interaction with local group policy

  • Question

  • Hi,

    I'm looking to design a GPO that will be applied to server 2012 member servers, specifically looking at Security Settings / User Rights at the moment.

    Within the group policy that is being applied I have the log on as a service setting set to Contoso\Test1

    How does setting this policy for example affect the ability to install IIS/SQL for example?

    If I look at RSOP on the member server it shows only Contoso\Test1 within the setting.

    If I look at local security policy on the member servers it shows Contoso\Test1 and the domain account that I used to install SQL under, all greyed out.

    I am also able to configure IIS/SQL to use another service account.

    My understanding was that if a group policy setting was specifically being applied it would overwrite the local security / local group policy on the member server.

    In this case they seemed to be merged. You cannot directly edit the setting in local security / local group policy as they are greyed out but it looks like SQL & IIS are still able to update these settings?

    Does this mean I don't have to worry about these settings in group policy? (My concern was that if I set something in a group policy it would mean that we would not be able to install IIS/SQL etc.)



    Saturday, January 5, 2013 2:38 PM


  • Nigel-

    What *should* be the case is that the domain-based GPO will indeed overwrite the local user right assignment. I'm curious about the order in which you installed IIS/SQL as it relates to that policy applying. Security policy, like user rights assignment, will refresh every 16 hours by default. It's possible, if you're a local administrator, that the domain-based policy applied, and set that user right to that one domain account, then you came along and installed IIS/SQL, which granted the other account that right. But then at some point in the future, I would expect that other account to get removed from that right. Maybe you can confirm that. What I would typically recommend here is that you create a domain-based global group that contains the service accounts that need that logon as a service right, and add that group to the domain policy. Then, if you ever need to grant a particular account that right on your member servers, you would add those accounts to that domain group (you might also choose to have multiple global groups for different server classes).



    Darren Mar-Elia MS-MVP, Group Policy
    www.sdmsoftware.com - "The Group Policy Experts"

    • Marked as answer by Andy Qi Saturday, January 12, 2013 11:41 AM
    Saturday, January 5, 2013 5:53 PM
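One way to confirm what the answer above asks about (whether the domain policy has actually overwritten the local grant) is to dump the effective "Log on as a service" right on the member server and compare it with the account the GPO is expected to assign. This is an added example, not code from the thread; it assumes the expected principal is Contoso\Test1 from the question and that it runs in an elevated PowerShell session on the member server.

```powershell
# Added example (not from the thread): audit the effective SeServiceLogonRight
# ("Log on as a service") on a member server and flag any account that the
# domain GPO is not expected to grant. $Expected is an assumption taken from
# the question; replace it with your own group or accounts.
param(
    [string[]]$Expected = @('Contoso\Test1')
)

$inf = Join-Path $env:TEMP 'userrights.inf'
# secedit exports the local security database, i.e. what is actually enforced
# after domain policy has been applied (same source RSOP/secpol read from).
& secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null

$line = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
if (-not $line) {
    Write-Host 'SeServiceLogonRight is not assigned to anyone on this host.'
    return
}

# The value is a comma-separated list; resolved principals are written as *SID.
$entries = ($line -split '=', 2)[1].Trim() -split ','
$granted = foreach ($e in $entries) {
    $e = $e.Trim()
    if ($e.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($e.TrimStart('*'))
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $e }   # keep the raw SID if it no longer resolves (orphaned account)
    } else { $e }
}

Remove-Item $inf -ErrorAction SilentlyContinue

Write-Host 'Accounts currently holding SeServiceLogonRight:'
$granted | ForEach-Object { Write-Host "  $_" }

# Anything outside the expected list is a local grant the domain GPO has not
# (yet) overwritten, e.g. an account added by the IIS/SQL installer.
$extra = $granted | Where-Object { $Expected -notcontains $_ }
if ($extra) {
    Write-Warning "Grants not in the domain policy: $($extra -join ', ')"
    Write-Host 'Re-run after a forced refresh: gpupdate /target:computer /force'
} else {
    Write-Host 'Effective assignment matches the domain policy.'
}
```

Running it before and after `gpupdate /target:computer /force` shows whether the installer-added account survives a security policy refresh, which is the check the answer suggests.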