We have an application that requires us to add a domain account to the "Replace a process level token" user right on all our servers.
It is not possible to do this via group policy because once set this overrides anything that has been configured locally. IIS, SQL and some 3rd party applications add accounts to this policy when they are installed. When a GPO is configured these accounts get removed and it just leaves LOCAL SERVICE and NETWORK plus any accounts configured in the GPO.
We can do this manually by simply running secpol.msc on a server and adding the relevant account, which appends it to the list. However, we need to do this for several thousand machines.
How can this be scripted / automated? We thought this might be possible using secedit, but again this only replaces and does not append to the list.
It looks like the default entries are LOCAL SERVICE and NETWORK SERVICE.
We don't make any changes to this setting, but it gets populated when you install applications onto the servers.
I can't come up with a definitive list of what accounts get put in there, as it will depend on what has been installed (and there are several thousand servers) and will almost certainly be changing on a daily basis, so if we applied a GPO that could potentially
Looking on a couple of machines I have seen these in the list:
Acronis Agent User
Classic .NET AppPool
Playing with secedit exporting and importing/configuring results in an error stating "unable to enumerate SIDs".
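One way to script the append step the question asks about, as an added example that is not part of the original thread: export only the user-rights area with secedit, merge the new account's SID into the existing SeAssignPrimaryTokenPrivilege entry (the constant behind "Replace a process level token"), and import that single right back. It assumes it runs elevated on each target server; the account name is a placeholder, and writing the SID with a leading `*` avoids the name-resolution path that produces the "unable to enumerate SIDs" error.

```powershell
# Added example: append one account to "Replace a process level token"
# (SeAssignPrimaryTokenPrivilege) while keeping the entries already present.
param(
    [string]$AccountName = 'CONTOSO\svc-app-placeholder'   # placeholder, not a real account
)
$ErrorActionPreference = 'Stop'
$privilege = 'SeAssignPrimaryTokenPrivilege'
$work      = Join-Path $env:TEMP 'userrights'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$exportInf = Join-Path $work 'current.inf'
$importInf = Join-Path $work 'append.inf'
$db        = Join-Path $work 'append.sdb'

# Resolve the account to a SID; secedit templates list SIDs prefixed with '*'.
$account = New-Object System.Security.Principal.NTAccount($AccountName)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# 1. Export only the user-rights area of the effective local policy.
secedit /export /cfg $exportInf /areas USER_RIGHTS | Out-Null
$lines = Get-Content $exportInf

# 2. Locate the existing assignment line and keep every entry already on it.
$current  = $lines | Where-Object { $_ -match "^$privilege\s*=" }
$existing = @()
if ($current) {
    $existing = ($current -split '=', 2)[1].Trim() -split ',' |
                ForEach-Object { $_.Trim() } | Where-Object { $_ }
}
if ($existing -contains "*$sid") {
    Write-Host "$AccountName already holds $privilege; nothing to do."
    return
}
$merged = ($existing + "*$sid") -join ','

# 3. Build a minimal template holding only this right with the merged list.
#    secedit /configure replaces the right's list, so the merge above is what
#    turns the replace into an append.
$template = @(
    '[Unicode]', 'Unicode=yes',
    '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
    '[Privilege Rights]', "$privilege = $merged"
)
$template | Set-Content -Path $importInf -Encoding Unicode

# 4. Apply it; /areas USER_RIGHTS leaves every other policy area untouched.
secedit /configure /db $db /cfg $importInf /areas USER_RIGHTS /quiet
Write-Host "Applied: $privilege = $merged"
```

Run it per server (for example via Invoke-Command or a scheduled task); a GPO that defines the same right would still overwrite the result at the next policy refresh, which is the constraint the question describes.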