How to assign logon as a service user rights to a local...

Siemens Enterprise Communications Ltd, Benedikt Riedel, 05 October 2008

How to assign logon as a service user rights to a local system account via GPO

Some applications require special users to start the required services (see services.msc). For example, HiPath ProCenter creates two user accounts during installation, hppc and Informix, to start the database and the HiPath ProCenter service, and OpenScape Xpressions requires a local administrator to run the telematic and Realspeak engine if text to speech is used.

Some domain administrators apply a GPO to all servers and/or workstations to grant the logon as a service right to special user accounts, for example for backup solutions. If such a GPO is applied, services using user accounts that are not part of this list will not start and will produce an error message in the event log.

To identify what users have the logon as a service access right please open the Local Security Policy.

In this example no GPO is assigned to control this access right.

In this example a GPO is assigned to control this access right.

You can clearly see the difference here. If the settings are controlled via GPO, they cannot be adjusted locally.

How to create a GPO to allow changing this parameter.

Log onto the server on which the local system accounts are located with any Domain Admin Active Directory account and download / install the Group Policy Management console:

http://www.microsoft.com/downloads/details.aspx?familyid=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en

After successful installation please start it up:

Expand the tree and right click WMI Filters and press New

Give the filter a meaningful name and description and press Add.

Keep the default Namespace and enter the Query command, replacing hostname with the name of the server:

SELECT * FROM Win32_ComputerSystem where Name='hostname'

Press OK and Save.

Now browse to the OU containing your servers and right click the OU to create and link a new GPO

Give the GPO a proper name and OK it.

After the GPO is created right click and edit it

Double click Log on as a service

Check the box next to Define these policy settings and press Add User or Group.

Press Browse to select your users.

Press Locations to change the location from your domain to the local PC.

Ensure your location is changed to the local PC, enter the username to which you wish to grant the access right, press Check Names and hit OK to save the settings. Perform these steps for ALL user accounts you wish to grant the logon as a service access right, including the ones that may already be assigned! The list defined in the GPO replaces the list configured locally.

After all the users are added, press Apply and OK to save the changes and close the group policy editor.

Now apply the WMI filter we created earlier to the newly created GPO and press Yes at the information message.

To apply the changes please run the command

Gpupdate /force

The server will probably require a restart or at least a logoff in order to apply the changes.

On the next start-up the PC applies the new settings, and you can check the applied changes using the Local Security Settings MMC.

This setting is now controlled via GPO, and the accounts we configured, including our local administrator, are part of the users.
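
The same check can be scripted. The following is an added example, not part of the original document: it exports the current user rights with secedit and flags every service whose logon account is not listed directly under Log on as a service (SeServiceLogonRight). It assumes Windows PowerShell in an elevated prompt; the helper name Resolve-Sid is hypothetical, and rights granted through group membership are not expanded.

```powershell
# Added example: compare service logon accounts against the current
# "Log on as a service" (SeServiceLogonRight) assignment. Run elevated.
function Resolve-Sid([string]$Account) {
    # Accepts '*S-1-5-...' (secedit format), '.\user', 'DOMAIN\user' or 'user@domain'
    $a = $Account.Trim().TrimStart('*')
    if ($a -match '^S-1-') { return $a }
    $a = $a -replace '^\.\\', "$env:COMPUTERNAME\"
    try {
        $nt = New-Object System.Security.Principal.NTAccount($a)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $null }   # unresolvable (deleted or unreachable account)
}

# 1. Export the user rights currently in force on this machine
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
Remove-Item $cfg

# 2. Turn the comma-separated entries (SIDs or names) into a list of SIDs
$granted = @()
if ($line) {
    $granted = @(($line -split '=', 2)[1] -split ',' | ForEach-Object { Resolve-Sid $_ })
}

# 3. Check every service that runs under a named account.
#    Built-in identities are skipped; only direct assignments are compared.
$builtin = '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)'
Get-WmiObject Win32_Service |
    Where-Object { $_.StartName -and $_.StartName -notmatch $builtin } |
    ForEach-Object {
        $sid = Resolve-Sid $_.StartName
        New-Object PSObject -Property @{
            Service  = $_.Name
            Account  = $_.StartName
            HasRight = [bool]($sid -and ($granted -contains $sid))
        }
    } | Sort-Object HasRight | Format-Table Service, Account, HasRight -AutoSize
```

Rows with HasRight set to False sort first; those are the services that will fail to start once the GPO list is enforced.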