Can multiple GPOs set Logon As service?

    Question

  • So I have two applications that have domain accounts (cannot be AD service accounts). I want to set each of them to have logon as service. 

    I created a policy that sets all the application requirements for application A. Firewall ports, granting logon as service rights, etc. I apply this to the Security group that contains the servers that this application runs on. Everything seems to be set right and the application is humming along fine.

    I created another policy for Application B. All I'm doing in this policy is setting the logon as service rights to the account I plan on using to run it. But the logon as service rights are not being granted to B's account. 

    When I do a gpresult I see the B policy in the applied section, with the correct Version. When I go into the Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment section I see that the logon as a service setting is the one from policy A, and it is listed as the winning GPO. If I change the link order so that B has a higher precedence than A, then B is the winning policy.

    It seems like logon as a service can only be set by one GPO. Is there a way to have these merge settings so I can maintain one GPO per application, and not breakout the logon as service rights? I can see this becoming a problem in the future.

    Wednesday, December 16, 2015 2:22 PM

Answers

  • > It seems like logon as a service can only be set by one GPO.
     
    Yes.
     
    > Is there a
    > way to have these merge settings so I can maintain one GPO per
    > application, and not breakout the logon as service rights? I can see
    > this becoming a problem in the future.
     
    Yes.
     
    Grant the "Logon as Service" to Administrators, System, Service, Network
    Service, Local Service and "MyServices". Do not select this last group
    through the browse button "...", but simply type the name in.
     
    Then, via Group Policy Preferences Local Users and Groups, create this
    group and add members to your like. This addition will be cumulative as
    long as you do not enable "delete all members". And in combination with
    Item Level Targeting, you can use only one GPO but add different members
    based on whatever criteria you like. Or you can use one GPO per service
    account and add it to the group.
     
    Only thing to remember: Since most services will start before GPOs are
    processed, this works perfectly on the second reboot of a server.
     
    Wednesday, December 16, 2015 3:43 PM
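
    A verification script for the approach in the answer above, added here as an example and not posted by the answerer: it exports the effective local security policy with `secedit`, lists who holds `SeServiceLogonRight` ("Log on as a service"), checks that the local group named in the User Rights Assignment setting is among the holders, and checks that the service account has actually been added to that group by the Group Policy Preferences item. The group name `MyServices` comes from the answer; the account `CONTOSO\svc-appB` is an assumed placeholder. Run it elevated on the member server after the second reboot the answer mentions.

    ```powershell
    # Added example (not from the thread). Assumptions: the URA setting names a
    # local group "MyServices" and application B runs as CONTOSO\svc-appB.
    param(
        [string]$GroupName      = 'MyServices',          # group typed into the URA setting
        [string]$ServiceAccount = 'CONTOSO\svc-appB'     # assumed service account for app B
    )

    # 1. Export the effective local policy; user rights live under [Privilege Rights].
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

    # 2. Pull the SeServiceLogonRight line. Entries are comma-separated; SIDs carry a '*' prefix.
    $line    = Get-Content $cfg -Encoding Unicode | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
    $entries = if ($line) { ($line -split '=', 2)[1].Trim() -split ',' } else { @() }

    # 3. Resolve each entry to an account name so the report is readable.
    $holders = foreach ($e in $entries) {
        $e = $e.Trim()
        if ($e.StartsWith('*')) {
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { $e }   # unresolvable SID (deleted account, etc.): keep the raw value
        } else { $e }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue

    Write-Host 'SeServiceLogonRight holders:'
    $holders | ForEach-Object { Write-Host "  $_" }

    # 4. Does the local group hold the right? A local group resolves as "<COMPUTERNAME>\<GroupName>",
    #    so match on the bare group name after the backslash.
    $groupHasRight = $holders | Where-Object { $_ -match "\\$([regex]::Escape($GroupName))$" }

    # 5. Is the service account a member yet? GPP Local Users and Groups populates this on refresh.
    $members  = try { Get-LocalGroupMember -Group $GroupName -ErrorAction Stop } catch { @() }
    $isMember = $members | Where-Object { $_.Name -ieq $ServiceAccount }

    if (-not $groupHasRight) {
        Write-Warning "$GroupName does not hold SeServiceLogonRight; another GPO's User Rights Assignment is winning."
    }
    if (-not $isMember) {
        Write-Warning "$ServiceAccount is not in $GroupName yet; GPP membership applies on refresh, so re-check after the next reboot."
    }
    if ($groupHasRight -and $isMember) {
        Write-Host "OK: $ServiceAccount gets 'Log on as a service' through $GroupName"
    }
    ```

    The two warnings separate the two ways this setup can fail: the first means the User Rights Assignment setting itself lost to a different GPO (the original problem in the question), the second means the right is in place but the Group Policy Preferences membership item has not run yet, which is the second-reboot timing the answer points out.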

All replies

  • You can look at Log on as a service and others like it as 'One' setting/all together. There is no merge that I am aware of, but would be nice. Therefore you need to establish precedence as you stated. One way is to move the servers to different OUs and place the policy on that OU.
    Wednesday, December 16, 2015 3:11 PM
  • Hi Chris Bujak,

    Any updates?

    If you have any other information related to the issue. Please feel free to contact us.

    Best Regards,

    Mary Dong


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, January 11, 2016 4:18 AM
    Moderator