Log On As A Service GPO

    Question

  • So it's a best practice to use a domain account for services .... i.e. backup software, SQL, Exchange etc.

    And if you have a service account that needs to hit the majority of computers in the network then you would use a group policy.

    Problem that I have... is that when you use a group policy to add "Log on as a service" - then you can't add one to a server that only that server needs.  If I have one service account user that needs Log on as a Service on only one computer - I can't add it locally... and if I want to use a GPO - I would have to create a separate GPO and filter it to that one computer.

    This doesn't make sense to me and feels limited.  Is there a policy that I can use for "Log on as a service" that can use item level targeting, and I can add multiple etc...

    Any thoughts on how you have managed this would be helpful.  I like using the GPO for obvious reasons, but I don't want to grant "Log on as a service" for the account that really only needs to have that right on one server.

    In my example - I created a managed service account for SQL 2014.  I only need that service account added to the SQL 2014 Server - not all servers in the domain.

    Thanks
    John

    Alternatively - It would be nice if it was like Firewall rules..  I can create a GPO for the domain wide needs, and then add some locally as needed.  If you use a GPO to manage this, then the local GPEDIT.msc option is greyed out and you can't add them locally...

    • Edited by dolejh Friday, April 22, 2016 4:16 PM
    Friday, April 22, 2016 4:14 PM

Answers

  • Hi,

    Please refer to the below steps:

    1. Use GP Preferences to deploy/create a Local security group named "ServiceAccounts".
    2. Use Group Policy to assign the "Log on as a Service" user right to the default users/groups and the group ".\ServiceAccounts".
    3. Use GP Preferences to add a domain user to the local group "ServiceAccounts"; you would have to use Item Level Targeting to ensure that the appropriate accounts were added for the appropriate servers.
    4. Use GP Preferences (could be the same policy) to add a local user to the local group "ServiceAccounts" on the server that needs that service; use Item Level Targeting to ensure this only affects the appropriate computer.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by dolejh Wednesday, April 27, 2016 1:58 PM
    Monday, April 25, 2016 7:34 AM
    Moderator
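    An added verification script (not part of the thread or of Microsoft's guidance) to confirm on a given server that Alvin's design landed: the local group exists, Item Level Targeting put the right account in it, and the GPO's user-rights assignment gave that group "Log on as a service" (SeServiceLogonRight). The group name "ServiceAccounts" is taken from the steps above; run it elevated on the target server.

```powershell
# Assumption: group name from Alvin's steps; change it if your GPP uses another.
param([string]$GroupName = 'ServiceAccounts')

# 1. Does the local group that GP Preferences should have created exist, and who is in it?
$group = Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue
if (-not $group) { Write-Warning "Local group '$GroupName' not found on $env:COMPUTERNAME"; return }
$members = @(Get-LocalGroupMember -Group $GroupName)
"Members of $GroupName on $($env:COMPUTERNAME):"
$members | ForEach-Object { "  {0,-8} {1}" -f $_.ObjectClass, $_.Name }

# 2. Export the effective user-rights assignment and read the SeServiceLogonRight line.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
Remove-Item $cfg -Force -ErrorAction SilentlyContinue
if (-not $line) { Write-Warning 'SeServiceLogonRight is not assigned to anyone on this server'; return }

# Entries are comma-separated; SIDs are written with a leading '*', names appear as-is.
$holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
    $v = $_.Trim()
    if ($v.StartsWith('*')) {
        try {
            (New-Object System.Security.Principal.SecurityIdentifier($v.Substring(1))).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch { $v }   # unresolvable SID (e.g. a deleted account) is kept as the raw SID
    } else { $v }
}
"Holders of 'Log on as a service':"
$holders | ForEach-Object { "  $_" }

# 3. The point of the design: the right is granted to the local group, and only the
#    group's membership varies per server. Flag both halves if either is missing.
if ($holders -match "\\$GroupName$") {
    "OK: $GroupName holds SeServiceLogonRight; user members: $(@($members | Where-Object ObjectClass -eq 'User').Count)"
} else {
    Write-Warning "$GroupName does not hold SeServiceLogonRight; the GPO user-rights assignment did not apply here"
}
```

    A domain account that shows up directly in the holders list rather than through the group is a sign the right was granted domain-wide, which is exactly what the question was trying to avoid.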

All replies

  • Hi, dolejh. Using DC account for services is not a best practice. Best practice is just enough administration (permissions). Looks like you're mixing definitions and methods to use them. If you like GPO-OU method, create OUs and place servers and GPOs accordingly.

    On another side, you should try to use a mixture of AD Groups, OU, GPO and GPO preferences to minimize impact of granting too much access for admin tasks you're trying to accomplish. 

    Friday, April 22, 2016 10:05 PM
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, April 27, 2016 8:57 AM
    Moderator
  • Love this idea - great logic!
    Wednesday, April 27, 2016 1:58 PM
  • Did find a couple issues -

    1. Use GP Preferences to deploy/create a Local security group named "ServiceAccounts".

         No issues

    2. Use Group Policy to assign the "Log on as a Service" user right to the default users/groups and the group ".\ServiceAccounts".

          GPO won't allow me to use ".\"  - I know this denotes "local" account but the GPO won't allow it.  Error - "The following accounts not not be validated: .\ServiceAccounts."  Add just ServiceAccounts instead - not sure if it will see this as a local group or not yet.

    3. Use GP Preferences to add a domain user to the local group "ServiceAccounts"; you would have to use Item Level Targeting to ensure that the appropriate accounts were added for the appropriate servers.

          This is one I am not sure how to go about...  we use managed service accounts.  It does not have the filter option to search for "service accounts" on the GPO preference - just users, groups, computers.

    4. Use GP Preferences (could be the same policy) to add a local user to the local group "ServiceAccounts" on the server that needs that service; use Item Level Targeting to ensure this only affects the appropriate computer.

    Assuming this is the same step as 3 - just if it is a local account.

    Thanks

    John

    Wednesday, April 27, 2016 2:21 PM
  • > Add just ServiceAccounts instead -
    > not sure if it will see this as a local group or not yet.
     
    Yes it will. We implemented the method Alvin presented almost 1.5 years
    ago and it works flawlessly.
     
    If Google translates well enough:
     
    >        This is one I am not sure how to go about...  we use managed
    > service accounts.  it does not have the filter option to search for
    > "service accounts" on the GPO preference - just users, groups, computers.
     
    It probably does not work with MSAs. An MSA is bound to the computer it
    is used by, AFAIK. And it should implicitly have the seLogonService
    privilege. But that is beyond my experience, we do not use them at the
    moment :()
     
    Wednesday, April 27, 2016 3:34 PM
  • Works great - thanks!

    Think I will do this with log on as a batch as well.

    Monday, May 16, 2016 7:10 PM