Assign log on as a service user rights to a local system account via GPO using WMI Filters

On a couple of customer sites I had the issue that the local security policy entry Log on As A Service was controlled via GPO and our applications did not start properly because the local user account did not have the required access rights.
Attached you will find a manual I wrote to show you how to modify those entries and how to setup an WMI Filter to only apply the new GPO to the required servers to save you creating several OUs.

Download PDF

Enjoy reading.

How to assign logon as a service user rights to a local system account via GPO

Some applications require special users to start the required services. For example HiPath ProCenter is creating during the installation two user accounts hppc and Informix to start the database and the HiPath ProCenter service or OpenScape Xpressions requires a local administrator to run the telematic and Realspeak engine if text to speech is used. (services.msc)

Some domain administrators apply a GPO onto all the servers and or workstations to grant the logon as a service right to special user accounts for example for backup solutions. If such a GPO is applied the services using user accounts that are not part of this list will not start and produce an error message in the event log.

To identify what users have the logon as a service access right please open the Local Security Policy.



In this example no GPO is assigned to control this access right.

In this example a GPO is assigned to control this access right.

You can clearly see the difference her. If the settings are controlled via GPO they cannot be adjusted.

How to create a GPO to allow changing this parameter.
Log onto the server on which the local system accounts are located with any Domain Admin Active Directory account and download / install the Group Policy Management console:
http://www.microsoft.com/downloads/details.aspx?familyid=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en
After successful installation please start it up:


Expand the tree and right click WMI Filters and press New

Give the filter a nice name and description and press Add

Hold on to the default Namespace and enter the Query command.

SELECT * FROM Win32_ComputerSystem where Name=’hostname’
Press OK and Save.

Now browse to the OU containing your servers and right click the OU to create and link a new GPO

Give the GPO a proper name and OK it.

After the GPO is created right click and edit it


Double click Log on as a service

Check the box before define these policy settings and press Add User or Group

Press Browse to select your users.

Press on location to change the location from your domain to the local PC

Ensure your location is changed to the local PC enter the username that you wish to grant the access right and press Check Names and hit OK to save the settings. Perform these steps for ALL user accounts you wish to grand the logon as a service access right including the one that are maybe already assigned!

After all the users are added press Apply and OK to save the changes and close the group policy editor.

Now apply to the newly created GPO the WMI filter we created earlier and press yes at the information message.

To apply the changes please run the command
Gpupdate /force

The server will probably require a restart or at least a logoff in order to apply the changes.

On the next start-up the PC is applying the new settings and you can check the applied changes using the Local Security Settings MMC

This setting is no controlled via GPO and the accounts we configured including our local administrator are part of the users.

12 comments to Assign log on as a service user rights to a local system account via GPO using WMI Filters

Leave a Reply

 

 

 

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Bandwidth utilization bar