Siemens Enterprise Communications Ltd Benedikt Riedel
Page 1 of 14 05 October 2008
How to assign logon as a service user rights to a local system account via GPO
Some applications require dedicated user accounts to start their services. For example, HiPath ProCenter
creates two user accounts during installation, hppc and Informix, to start the database and the
HiPath ProCenter service, and OpenScape Xpressions requires a local administrator to run the
telematic and Realspeak engine if text to speech is used (see services.msc).
Some domain administrators apply a GPO to all servers and/or workstations to grant the logon
as a service right to special user accounts, for example for backup solutions. If such a GPO is applied,
services that run under user accounts not on this list will not start and will produce an error
message in the event log.
To identify which users have the logon as a service access right, open the Local Security Policy.
In this example no GPO is assigned to control this access right.
In this example a GPO is assigned to control this access right.
You can clearly see the difference here. If the settings are controlled via GPO, they cannot be adjusted.
How to create a GPO to allow changing this parameter.
Log onto the server on which the local system accounts are located with any Domain Admin Active
Directory account and download / install the Group Policy Management console:
http://www.microsoft.com/downloads/details.aspx?familyid=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en
After successful installation please start it up:
Expand the tree and right click WMI Filters and press New
Give the filter a descriptive name and description and press Add.
Keep the default Namespace and enter the Query command, replacing hostname with the name of the server:
SELECT * FROM Win32_ComputerSystem where Name='hostname'
Press OK and Save.
Now browse to the OU containing your servers and right click the OU to create and link a new GPO.
Give the GPO a proper name and confirm with OK.
After the GPO is created, right click it and choose Edit.
Double click Log on as a service
Check the box in front of "Define these policy settings" and press Add User or Group.
Press Browse to select your users.
Press Locations to change the location from your domain to the local PC.
Ensure your location is changed to the local PC, enter the username that you wish to grant the access
right, press Check Names and hit OK to save the settings. Perform these steps for ALL user
accounts you wish to grant the logon as a service access right, including any that may
already be assigned!
After all the users are added press Apply and OK to save the changes and close the group policy
editor.
Now apply the WMI filter we created earlier to the newly created GPO and press Yes at the
information message.
To apply the changes please run the command
Gpupdate /force
The server will probably require a restart or at least a logoff in order to apply the changes.
On the next start-up the PC applies the new settings, and you can check the applied changes using
the Local Security Settings MMC.
This setting is now controlled via GPO, and the accounts we configured, including our local
administrator, are part of the users.
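
The same check can be scripted instead of read from the MMC. The following PowerShell is an added example, not part of the original document: it exports the effective user rights with secedit and flags every service whose logon account is not listed directly under Log on as a service. The temporary file name and the helper name ConvertTo-Sid are assumptions made for the example.

```powershell
# Added example (not from the original document). Run in an elevated session
# on the server whose services you want to check.
$inf = Join-Path $env:TEMP 'user_rights.inf'      # assumed scratch file
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

function ConvertTo-Sid([string]$Account) {
    # Export entries are either "*S-1-5-..." (a SID) or a plain account name.
    if ($Account.StartsWith('*')) { return $Account.Substring(1) }
    # Service logon names for local accounts are stored as ".\name".
    $name = $Account -replace '^\.\\', "${env:COMPUTERNAME}\"
    try {
        $nt = New-Object System.Security.Principal.NTAccount($name)
        $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }   # account no longer exists or cannot be resolved
}

# The export holds one line per right, for example (constructed sample):
#   SeServiceLogonRight = *S-1-5-80-0,hppc,Informix
$line = Select-String -Path $inf -Pattern '^SeServiceLogonRight\s*=' |
        Select-Object -First 1
$granted = @()
if ($line) {
    $granted = ($line.Line -split '=', 2)[1].Split(',') |
        ForEach-Object { ConvertTo-Sid $_.Trim() } | Where-Object { $_ }
}
Remove-Item $inf

# Built-in service identities are skipped; only named accounts are checked.
$builtin = '^(LocalSystem$|NT AUTHORITY\\|NT SERVICE\\)'
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -and $_.StartName -notmatch $builtin } |
    ForEach-Object {
        $sid = ConvertTo-Sid $_.StartName
        [pscustomobject]@{
            Service  = $_.Name
            Account  = $_.StartName
            # False means "not listed directly"; the right may still be
            # held through membership in a listed group.
            HasRight = ($null -ne $sid) -and ($granted -contains $sid)
        }
    } | Sort-Object HasRight, Service | Format-Table -AutoSize
```

Services reported with HasRight = False are the ones to review before the GPO is applied to the server.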