I'm trying to figure out the best way to add an Active Directory account to the 'Log On as a Service' setting in local security policy without overwriting or removing the existing entries. I've only used Group Policy Object (GPO) for this before, but it tends to override all other accounts, and I don't want to lose the current settings across our servers. I found a PowerShell solution but haven't quite mastered how to deploy it en masse yet. How do you all handle this?
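The non-destructive PowerShell approach the question alludes to, as an added example that is not the poster's script: it exports the local user-rights area with secedit, appends the account's SID to the existing SeServiceLogonRight entry, and re-imports only that area. The account name, scratch paths and function name are assumptions.

```powershell
# Added example, not the poster's script: grant 'Log on as a service' to one
# account while preserving the entries already present on the machine.
# Run in an elevated session on each server (e.g. through Invoke-Command).
function Add-ServiceLogonRight {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Account)  # e.g. 'CONTOSO\svc-app' (assumed)

    # secedit writes rights as *SID entries, so resolve the name for an exact match
    $nt    = New-Object System.Security.Principal.NTAccount($Account)
    $sid   = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $entry = "*$sid"

    $work = Join-Path $env:TEMP 'user-rights'   # assumed scratch location
    New-Item -ItemType Directory -Path $work -Force | Out-Null
    $inf = Join-Path $work 'rights.inf'
    $db  = Join-Path $work 'rights.sdb'

    # 1. Export only the user-rights area of the current local policy
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }

    # 2. Merge: append the SID to the existing SeServiceLogonRight line
    $out   = New-Object System.Collections.Generic.List[string]
    $found = $false
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^SeServiceLogonRight\s*=\s*(.*)$') {
            $found   = $true
            $current = @($Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            if ($current -contains $entry -or $current -contains $Account) {
                Write-Verbose "$Account already holds SeServiceLogonRight"
            } else {
                $current += $entry
            }
            $line = 'SeServiceLogonRight = ' + ($current -join ',')
        }
        $out.Add($line)
    }
    if (-not $found) {
        # No line yet: create one under the section header; nothing else changes
        $i = $out.IndexOf('[Privilege Rights]')
        if ($i -lt 0) { throw 'Export has no [Privilege Rights] section' }
        $out.Insert($i + 1, "SeServiceLogonRight = $entry")
    }
    Set-Content -Path $inf -Value $out -Encoding Unicode
    # 3. Apply the merged template; only the USER_RIGHTS area is written back
    secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit configure failed ($LASTEXITCODE)" }
    Remove-Item -Path $work -Recurse -Force
}
```

Fan it out with Invoke-Command over the server list. If a GPO defines this right, the GPO value replaces the local list at the next policy refresh, which is why the answers suggest merging the accounts into the GPO instead.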
4 Answers
Using GPO, you can add your required accounts along with the default values that you need. Just make sure you have a GPO that already forces the default values. This way, you won't wipe everything out—really helps avoid that dreadful moment when you realize you've locked out half your service accounts!
That’s interesting, though. I’ve noticed different defaults on our servers too. We have around 200 machines, and I've spot-checked a few—turns out they all have different configurations!
Combining GPO defaults with your custom accounts works best. If you have specific machines in mind, you can use the userWorkstations option for limits. If your Active Directory setup allows, consider using gMSA (Group Managed Service Accounts) or dMSA (Dedicated Managed Service Accounts) for even better security!
And don’t forget to add the account to the deny logon interactive policy to keep everything secure!
We mostly stick with gMSA accounts. They improve security since there's no password management hassle involved. It’s a great choice if your AD is up-to-date!

Exactly! A lot of folks miss that you can just extend the defaults in the GPO instead of starting from scratch. It makes a huge difference.