Logon as a Service overwritten by Default Domain Policy


I know it's an old question, but the last answer/comments are wrong (at least for Windows 7 and Server 2012).

I applied a 'User Rights Assignment' to 'Log on as a Service' on the domain GPO, and noticed that the local policy does not merge with the domain policy. So on the local computer 'NT SERVICE\ALL SERVICES' was replaced by the setting from the domain policy.

I deleted/unlinked the domain policy, and the original local policy returned.
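To check on an affected machine what the answer describes, the PowerShell below exports the current user rights with `secedit` and lists who holds `SeServiceLogonRight`. It is an added example, not part of the original answer; the function name `Get-ServiceLogonRight`, the `$expected` list and the temp file name are assumptions for illustration. Run it elevated.

```powershell
# Added example: list the principals that currently hold "Log on as a service"
# (SeServiceLogonRight) and warn when an expected one is missing.
function Get-ServiceLogonRight {
    param([string]$InfPath)   # optional: parse an existing secedit export instead

    $cleanup = $false
    if (-not $InfPath) {
        $InfPath = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
        # secedit writes the user rights assignments to an INF file
        secedit.exe /export /areas USER_RIGHTS /cfg $InfPath | Out-Null
        $cleanup = $true
    }
    try {
        $line = Get-Content -Path $InfPath |
            Where-Object { $_ -match '^\s*SeServiceLogonRight\s*=' } |
            Select-Object -First 1
    } finally {
        if ($cleanup) { Remove-Item $InfPath -ErrorAction SilentlyContinue }
    }
    if (-not $line) { return @() }   # right is assigned to nobody

    # Value format: "*S-1-5-80-0,*S-1-5-21-...,SomeAccountName"
    ($line -split '=', 2)[1] -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if (-not $entry) { return }
        if ($entry.StartsWith('*')) {
            $sid = $entry.TrimStart('*')
            try {
                $name = (New-Object System.Security.Principal.SecurityIdentifier $sid).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { $name = '<unresolved>' }
        } else { $sid = $null; $name = $entry }
        [pscustomobject]@{ Sid = $sid; Name = $name }
    }
}

# Assumption: principals this machine is expected to keep. S-1-5-80-0 is the
# well-known SID of NT SERVICE\ALL SERVICES; add per-machine service accounts.
$expected = @('S-1-5-80-0')

$holders = @(Get-ServiceLogonRight)
$holders | Format-Table -AutoSize
foreach ($sid in $expected) {
    if ($holders.Sid -notcontains $sid) {
        Write-Warning "SeServiceLogonRight no longer includes $sid on $env:COMPUTERNAME"
    }
}
```

Running it before and after a `gpupdate /force` shows whether a linked GPO has replaced the local list rather than merged with it.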


Author: IT-Zoo

Updated on September 18, 2022

Comments

  • IT-Zoo over 1 year

    First things first:

    Some months ago I was installing a WSUS Server on a W2k12 R2 in a domain environment and the installation was failing because a service wasn't able to log on after the Post-Installation routine. After a bit of troubleshooting and searching I found a solution on the internet where it said that I should change some settings in the Default Domain Policy, which I did. Here is the link for interest:

    1. WSUS roles install on Server 2012 Fails
    2. Second solution

    I added the "NT SERVICE\ALL SERVICES" to "Logon as a Service" in the Default Domain Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignments > Logon as a Service) and everything was working and the WSUS was installed successfully.

    Now I noticed that the Default Domain Policy has overwritten the "Logon as a Service" setting on EVERY domain machine (Exchange, SQL Server, PC and more...), so the older settings (e.g. MSSQL$SQLEXPRESS, IIS APPPOOL.NET 4.5) were overwritten globally and don't show up now.

    To the problem:
    I need to revert everything back now and I have no clue what could happen.

    So my questions are:

    1. How dangerous is it to revert back to the old settings? What could possibly happen?
    2. Did every domain machine make some local backup of its previous settings?
    3. If so, do the settings automatically change to the old ones after reverting back to empty settings (default)?
    4. Is there any solution without damaging something?

    Many thanks in advance.

  • IT-Zoo over 7 years
    Damn. So when I change it back to default, all workstations get an empty setting under "Logon as a Service"? This is possibly harmful, isn't it?
  • IT-Zoo over 7 years
    This was one solution I've found on the internet to install the WSUS role. You seem to be an expert at this, do you maybe have some tips for me to possibly solve this?
  • IT-Zoo over 7 years
    Thank you, I will try this! Do you know if it is necessary to have Log on as a Service on working machines? I was testing this with secpol.msc on a completely fresh installation of Windows 7 / Windows 10 and it showed me that "NT SERVICE\ALL SERVICES" was somehow default.
  • myron-semack over 7 years
    It's necessary if you have an app that uses local service accounts (not needed for local system or network service). Probably the only thing that would be OK to have in the default domain GPO.