GPPreferences, Local Users and Groups, Group Name drop-down options..

  • Question

  • Hello all --
    I'm curious about the other groups in the Group Name drop-down in GPP->Control Panel Settings->Local Users and Groups.  I've gone as far as the fifth page of search results (which is further than any sane person should go) and cannot find any mention of the other options in the drop-down (ie.- "Network (built-in)", "Batch (built-in)", "Services (built-in)", etc); the only option I've seen utilized is "Administrators (built-in)". 

    What inspires the question is the assumption that using the "Services (built-in)" group will grant the user the right to Logon as a Service, without the hassle of creating multiple GPOs per config, since the GPO setting is not cumulative. (but this is just an assumption, based on the name of the group in the drop-down).

    Do these other groups serve any purpose, or are they just remnants from the original Win2003 days when GPP was introduced? 

    Thanks


    Wednesday, October 9, 2019 5:28 PM


All replies

  • According to your description, we want to know the permissions of the built-in groups in Local Users and Groups, such as "Network (built-in)", "Batch (built-in)", "Services (built-in)".

    Based on my research, the specific description of these built-in groups is as follows:

    1. Network (built-in): This group implicitly includes all users who are logged on through a network connection. Any user who accesses the system through a network has the Network identity. This identity allows only remote users to access a resource. Whenever a user accesses a given resource over the network, the user is automatically added to the Network group. Membership is controlled by the operating system.
    Default User Rights: None

    2. Batch (built-in): Any user or process that accesses the system as a batch job (or through the batch queue) has the Batch identity. This identity allows batch jobs to run scheduled tasks, such as a nightly cleanup job. Membership is controlled by the operating system.
    Default User Rights: None

    3. Services (built-in): Any service that accesses the system has the Service identity. This identity group includes all security principals that are signed in as a service. This identity grants access to processes that are being run by Windows Server services. Membership is controlled by the operating system.
    Default User Rights:
    Create global objects: SeCreateGlobalPrivilege
    Impersonate a client after authentication: SeImpersonatePrivilege


    For more information, please refer to the following article: Windows Built-in Users, Default Groups and Special Identities


    Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience. 


    Hope the information can be helpful and if there is anything else we can do for you, please feel free to post in the forum.


    Best regards,
    Cynthia

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    Thursday, October 10, 2019 8:41 AM
  • Hi,

     

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

     

    Best Regards,

    Cynthia



    Monday, October 14, 2019 2:06 AM
  • Thank you for the link, but I'm still a bit confused.  Do the "(built-in)" groups listed in the drop-down have any relation to the User Rights Assignments?  If I add a user to the "Services (built-in)" group via GPP, does that have any relation to the Logon as a Service user right in local policy?  

    Thanks


    • Edited by thatguy888 Monday, October 14, 2019 3:41 PM fixed punctuation
    Monday, October 14, 2019 3:41 PM
  • Hello,

    According to my research, I think the "service" built-in group has the "Log on as a service" permission.

    The following picture explains the role and scope of "as a login service".



    If we want a user or group to have this privilege, it can also be assigned to them manually via GPP.


    For more information, please refer to the following article:
    Log on as a service


    Best regards,
    Cynthia


    Tuesday, October 15, 2019 7:38 AM
  • Hi,

     

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

     

    Best Regards,

    Cynthia



    Friday, October 18, 2019 8:49 AM
  • Hi,

     

    Just want to confirm the current situations.

     

    Please feel free to let us know if you need further assistance.

     

    Best Regards,

    Cynthia



    Monday, October 21, 2019 9:27 AM
  • Sorry for the delay in response, and thanks for the reply. 

    To be honest, I was hoping for a more definitive answer..  "I think the "service" built-in group has the "Log on as a service" permission" sounds like an untested interpretation. 

    I'll set up a test environment and see if it works. It just seems odd that if it were a better alternative to the GPO-route, which overwrites the existing values, that this GPP-option would show up in more search results. I have no problem testing the GPP, but if there are oddities/caveats with the solution, I was hoping to find out before going down this path.

    Thursday, October 24, 2019 10:41 PM
  • Hi

    Thank you for your update.

    Have a nice day!

    Best regards,

    Cynthia



    Friday, October 25, 2019 2:15 AM
  • For anyone curious, I was finally able to test this, and sadly, no, adding a user to the "Service (built-in)" group via GPP does not give the user the Log on as a Service right.  I guess it's just a remnant from the old days.  

    To test, I installed the Microsoft FTP service, changed Logon As to a standard domain-user account, which auto-added the account to secpol\User Rights Assignments\Log on as a Service, which I manually removed (leaving it blank/default).  Then I deployed a GPP, adding the user to the "Service (built-in)" group (using Update).  After applying the GPP and confirming via gpresult, starting the FTP service gave the typical logon failure.  

    bummer.

    • Marked as answer by thatguy888 Tuesday, November 5, 2019 6:55 PM
    Tuesday, November 5, 2019 6:55 PM
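
A way to check the result of the test in the answer above directly, instead of inferring it from a service logon failure. This is an added example, not code posted by anyone in the thread; the function names and the sample export are constructed for illustration, and the sample assumes default-style assignments.

```powershell
# Added example, not from the thread. Function names are hypothetical.
# Live input (elevated prompt):
#   secedit /export /areas USER_RIGHTS /cfg "$env:TEMP\rights.inf" | Out-Null
#   $lines = Get-Content "$env:TEMP\rights.inf"

function Get-UserRightSids {
    param([string[]]$InfLines, [string]$Right = 'SeServiceLogonRight')
    $pattern = "^\s*$([regex]::Escape($Right))\s*="
    $line = $InfLines | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if (-not $line) { return }                      # right is assigned to nobody
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        if ($entry.StartsWith('*')) {
            $entry.Substring(1)                     # "*S-1-..." is already a SID
        } else {
            # Entries without "*" are account names; resolve them to SIDs
            try {
                $acct = [System.Security.Principal.NTAccount]$entry
                $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { Write-Warning "Cannot resolve '$entry'" }
        }
    }
}

function Test-HasUserRight {
    param([string]$Sid, [string[]]$InfLines, [string]$Right = 'SeServiceLogonRight')
    @(Get-UserRightSids -InfLines $InfLines -Right $Right) -contains $Sid
}

# Constructed sample of a secedit export (not taken from a real machine)
$sample = @'
[Privilege Rights]
SeServiceLogonRight = *S-1-5-80-0
SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
'@ -split "`r?`n"

$serviceSid = 'S-1-5-6'                                          # well-known SID of the Service identity
$accountSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # constructed domain-user SID

# The Service identity holds the two rights listed earlier in the thread ...
Test-HasUserRight -Sid $serviceSid -InfLines $sample -Right 'SeImpersonatePrivilege'
# ... but "Log on as a service" is a separate assignment that, in this sample,
# names neither the Service identity nor the test account.
Test-HasUserRight -Sid $serviceSid -InfLines $sample
Test-HasUserRight -Sid $accountSid -InfLines $sample
```

The check matches SIDs named directly in the assignment; a right granted through membership in a listed group is not expanded here.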
  • Hi

    Thank you for your update.

    Thanks for sharing the resolution in advance!

    Have a nice day!

    Best regards,

    Cynthia



    Wednesday, November 6, 2019 6:17 AM