Log on as a service

    Question

  • Good Morning,

    We have recently installed some software on one of our servers which requires one of our domain accounts to start two services associated with the software.

    The domain account is not listed under the local security policy of the server as a Log on as a service account.

    Unfortunately, according to the local security policy, the Log on as a service option is managed by a GPO, so we cannot specify any user/s to be added/deleted.

    So we have created a separate OU, with the computer object contained within, and a brand new GPO assigned to the OU, with just the Log on as a service setting amended with the required domain user.

    After applying the new GPO to the server, you would think all would perhaps work? Wrong!

    Running a gpresult I can see that the GPO has been "applied" to the server, however, when I view the policies on the same report, under Computer Configuration and under Local Policies/User Rights Assignment, I can see only the standard domain user from the default domain policy as the winning GPO.

    Why is this Default Domain Policy winning? I have enforced my GPO to see if that helps. It does nothing.

    I'm sure there must be an easy solution?

    Please can anyone help?

    Michael

    Monday, June 20, 2016 11:19 AM
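    The first thing to establish in a case like this is which GPO is actually supplying the right and whether the service account holds it on the box. The script below is an added example, not code from the thread or from any of its participants; it assumes the service account is CORP\svc-app (a placeholder) and that it is run in an elevated PowerShell on the affected server. gpresult reports only the winning GPO per setting, which is why the question's report showed nothing but the Default Domain Policy, so the script pairs the RSoP view with what secedit says is enforced right now.

```powershell
# Added example (not from the thread): which GPO wins SeServiceLogonRight on
# this server, and does the service account hold the right?
# Assumption: the service account is CORP\svc-app (placeholder name).
$ServiceAccount = 'CORP\svc-app'

# 1. Resultant Set of Policy as XML. gpresult lists only the winning GPO for
#    each setting, so a losing GPO from the OU simply does not appear here.
$rsopPath = Join-Path $env:TEMP 'rsop.xml'
gpresult /scope computer /x $rsopPath /f | Out-Null
[xml]$rsop = Get-Content -Path $rsopPath

# PowerShell's XML adapter matches child elements by local name, so the
# namespaced SecuritySettings extension can be walked with dot notation.
$ura = $rsop.Rsop.ComputerResults.ExtensionData.Extension.UserRightsAssignment |
    Where-Object { $_.Name -eq 'SeServiceLogonRight' }

if (-not $ura) {
    Write-Warning 'No GPO sets SeServiceLogonRight; the local policy value applies.'
} else {
    "Winning GPO for SeServiceLogonRight: $($ura.GPO.Name)"
    'Accounts granted by that GPO:'
    $ura.Member.Name | ForEach-Object { "  $_" }
}

# 2. What the server enforces at this moment. secedit stores SIDs as "*S-1-5-..."
#    and occasionally plain names, so resolve each entry back to an account.
$cfgPath = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfgPath /areas USER_RIGHTS | Out-Null
$line = Get-Content -Path $cfgPath | Where-Object { $_ -match '^SeServiceLogonRight\s*=' } |
    Select-Object -First 1

$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim().TrimStart('*')
        try {
            ([System.Security.Principal.SecurityIdentifier]$entry).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            $entry   # not a SID, or a SID that no longer resolves: keep as written
        }
    }
}
'Effective holders of SeServiceLogonRight on this server:'
$holders | ForEach-Object { "  $_" }

# 3. The check that matters for the two services.
if ($holders -contains $ServiceAccount) {
    "$ServiceAccount can log on as a service."
} else {
    Write-Warning "$ServiceAccount does not hold SeServiceLogonRight; the services will fail to start with error 1069 (logon failure)."
}
```

    If the winning GPO is the enforced Default Domain Policy and the account is missing from both lists, the OU-linked GPO is being processed but overwritten, which is exactly the symptom described above; the answer is in the link order and enforcement, not in the new GPO's contents.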

Answers

All replies

  • On 20.06.2016 at 13:19, Farty_Turnip wrote:
    > Why is this Default Domain Policy winning?
     
    ... because you enforced it. Hierarchy wins.
    Enforce is an admin tool/rule to let "higher" listed GPOs always win.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    • Marked as answer by Farty_Turnip Monday, June 20, 2016 12:46 PM
    Monday, June 20, 2016 12:27 PM
  • Thanks Mark.

    So if I create my GPO at the top of the tree, put a WMI filter on the GPO for this server, we should be onto a winner?

    Cheers

    Michael

    Monday, June 20, 2016 12:37 PM
  • Some of the things I've attempted...

    Blocked Inheritance. That does not work. Default Domain Policy still supersedes everything.

    Tried putting this GPO at the top of the domain with a WMI filter of SELECT * FROM Win32_ComputerSystem where Name='Test_Server'

    GPO again applies but it is still superseded by the Domain Default Policy. This is confirmed by looking at the Group Policy Inheritance on the OU.

    What else can I try? Apart from adding the domain user in the default domain policy.

    Thanks in advance

    Monday, June 20, 2016 1:56 PM
  • >   Tried putting this GPO at the top of the domain with a WMI filter
     
    You need to move it ahead of the Default Domain policy. By default, new
    GPOs are linked below, not above, and processing is from bottom to top -
    last writer wins... And you need to enforce your GPO too.
     
    But as a general solution, ask your IT admins why they enforce the DDP.
    That's bad practice because issues like yours are to be expected.
     --
    Greetings, Martin -
    Care to read a good book about GPOs? -
    Good or bad GPOs? My blog - http://evilgpo.blogspot.com
    And if IT bothers me? Coke bottle design refreshment -
     
    • Marked as answer by Farty_Turnip Monday, June 20, 2016 2:47 PM
    Monday, June 20, 2016 2:28 PM
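    Martin's advice, carried out with the GroupPolicy and ActiveDirectory modules (RSAT) from an admin workstation, as an added example that is not part of the thread or any participant's reply. Assumed names: the new GPO is called Svc-LogonAsService and is already linked at the domain root with the WMI filter from the earlier post attached in GPMC (the GroupPolicy module has no cmdlet to create WMI filters); the server is Test_Server. Two practitioner caveats the thread does not spell out: a link at the domain root with order 1 and Enforced reaches every computer in the domain unless it is filtered, and User Rights Assignment settings replace rather than merge, so the new GPO's list for SeServiceLogonRight must contain every principal that should keep the right, not only the new service account.

```powershell
# Added example (not from the thread): move the new GPO ahead of the enforced
# Default Domain Policy and enforce it, then confirm scoping and contents.
# Assumptions: GPO "Svc-LogonAsService" already linked at the domain root,
# target server "Test_Server", RSAT GroupPolicy/ActiveDirectory modules present.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName  = 'Svc-LogonAsService'
$Server   = 'Test_Server'
$DomainDN = (Get-ADDomain).DistinguishedName

# 1. Links at the domain root. Order 1 is processed last and therefore wins;
#    among several Enforced links at the same level, link order still decides.
'Domain-root links before the change:'
(Get-GPInheritance -Target $DomainDN).GpoLinks |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# 2. Put the new GPO at order 1 and enforce it, so it beats the enforced
#    Default Domain Policy and is not stopped by Block Inheritance on the OU.
Set-GPLink -Name $GpoName -Target $DomainDN -Order 1 -LinkEnabled Yes -Enforced Yes

# 3. A root link now applies domain-wide unless filtered. The thread used a
#    WMI filter; if it is missing, fall back to security filtering on the
#    computer account (this fallback is an assumption, not what the OP did).
$gpo = Get-GPO -Name $GpoName
if (-not $gpo.WmiFilter) {
    Write-Warning "$GpoName has no WMI filter; scoping it to $Server by security filtering."
    # Authenticated Users keeps Read (needed for policy processing) but loses Apply.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace
    Set-GPPermission -Name $GpoName -TargetName "$Server$" -TargetType Computer `
        -PermissionLevel GpoApply
} else {
    "WMI filter in place: $($gpo.WmiFilter.Name)"
}

# 4. User Rights Assignment replaces the whole list. Review what the new GPO
#    grants; anything absent here (e.g. NT SERVICE\ALL SERVICES, other service
#    accounts in the Default Domain Policy) loses the right on the server.
[xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
$report.GPO.Computer.ExtensionData.Extension.UserRightsAssignment |
    Where-Object { $_.Name -eq 'SeServiceLogonRight' } |
    ForEach-Object {
        "SeServiceLogonRight in ${GpoName}:"
        $_.Member.Name | ForEach-Object { "  $_" }
    }

'Domain-root links after the change:'
(Get-GPInheritance -Target $DomainDN).GpoLinks |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# 5. Refresh the server (WinRM assumed) and re-run gpresult there to confirm
#    the new GPO is now reported as the winning GPO for the setting.
Invoke-Command -ComputerName $Server -ScriptBlock { gpupdate /target:computer /force }
```

    As Martin notes, the durable fix is to stop enforcing the Default Domain Policy: every exception then has to be linked above it at the root, which widens the blast radius of a scoping mistake from one OU to the whole domain.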
  • Hi Martin,

    Many thanks for the reply.

    That worked perfectly thank you. Enforced GPO with a WMI Filter.

    Cheers

    Michael

    Monday, June 20, 2016 2:49 PM