We have an OU design in our domain in which each "system" (web services and similar) has its own OU, under which are nested the servers and accounts that it uses:

...
  + System A
    + Servers
      - SRV-A1
      - SRV-A2
    + ServiceAccounts
      - Svc-Foo
      - Svc-Bar
  + System B
    + Servers
      - SRV-B1
      - SRV-B2
    + ServiceAccounts
      - Svc-Baz
      - Svc-Qux

I'm trying to build a single GPO which will add "Log on as a service" on all servers in a system to all accounts under the corresponding service accounts OU. So, Svc-Foo and Svc-Bar should be able to log in as a service on SRV-A1 and SRV-A2, while Svc-Baz and Svc-Qux should be able to log in as a service on SRV-B1 and SRV-B2.

I think I should be able to do this using Item Level Targeting, but I haven't figured out how to parameterize it. Am I correct in this? And is it possible?

The domain is currently 2008R2 functional level, but we should be able to raise it to 2012R2 "quite soon", if needed.

carlpett

1 Answer

I'm not sure you can achieve this - Item Level Targeting is a feature of Group Policy Preferences and, to my knowledge, there's no GPP way of assigning the "Log on as a service" rights.

If you could find an equivalent registry key, you may be able to do this but a quick Google has turned up nothing.

So, barring that, you'd need a GPO at each "System [x]" level or each "Servers" level.

Dan
  • I was beginning to suspect it was not possible. Unless someone has a workaround, I guess I'll have to resort to scripting them out (there are a _lot_ of these systems). Thanks, though! – carlpett Apr 08 '15 at 09:49
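The "one GPO per System [x] OU" approach from the answer, scripted as the comment suggests, as an added example that is not part of the question or answer. It assumes the RSAT ActiveDirectory and GroupPolicy modules on the machine running it, a hypothetical parent OU `OU=Systems,DC=example,DC=com` holding the "System A", "System B" OUs laid out as in the question, and that each generated GPO carries nothing but this one user right (it overwrites the GPO's `gPCMachineExtensionNames`). There is no GroupPolicy cmdlet for user rights assignments, so the script writes the Security Settings template (`GptTmpl.inf`) into SYSVOL itself and registers the Security client-side extension on the GPO, which is what the Group Policy editor does behind the scenes when you set "Log on as a service" by hand.

```powershell
# Added example (not from the question or answer): one GPO per "System" OU that grants
# SeServiceLogonRight ("Log on as a service") to every account in that system's
# ServiceAccounts OU, linked to that system's Servers OU only.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$SystemsRoot = 'OU=Systems,DC=example,DC=com'   # hypothetical parent of the "System X" OUs
$Domain      = Get-ADDomain
$PoliciesDir = "\\$($Domain.DNSRoot)\SYSVOL\$($Domain.DNSRoot)\Policies"

# Client-side extension pair the security editor registers on a GPO that carries
# Security Settings; without it clients never read GptTmpl.inf.
$SecurityCse = '[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D1-A79F-00C04FC2DCD2}]'

function New-ServiceLogonGpo {
    param([Parameter(Mandatory)] $SystemOu)

    $base       = $SystemOu.DistinguishedName
    $serversOu  = Get-ADOrganizationalUnit -SearchBase $base -SearchScope OneLevel -Filter "Name -eq 'Servers'"
    $accountsOu = Get-ADOrganizationalUnit -SearchBase $base -SearchScope OneLevel -Filter "Name -eq 'ServiceAccounts'"
    if (-not $serversOu -or -not $accountsOu) {
        Write-Warning "Skipping $($SystemOu.Name): missing Servers or ServiceAccounts OU"
        return
    }

    # User rights in GptTmpl.inf are stored as SIDs prefixed with '*'. Resolving them here
    # means the GPO grants exactly the accounts present at generation time, nothing more.
    $sids = Get-ADUser -SearchBase $accountsOu.DistinguishedName -Filter * |
        ForEach-Object { '*' + $_.SID.Value }
    if (-not $sids) { Write-Warning "No accounts under $($accountsOu.DistinguishedName)"; return }

    $gpoName = "UserRights - Log on as a service - $($SystemOu.Name)"
    $gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $gpoName -Comment "Generated from $($accountsOu.DistinguishedName)"
    }

    # Security template in the GPO's SYSVOL folder; the file must be UTF-16 LE.
    $secEditDir = Join-Path $PoliciesDir "{$($gpo.Id)}\Machine\Microsoft\Windows NT\SecEdit"
    New-Item -ItemType Directory -Path $secEditDir -Force | Out-Null
    $template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = $($sids -join ',')
"@
    Set-Content -Path (Join-Path $secEditDir 'GptTmpl.inf') -Value $template -Encoding Unicode

    # Register the Security CSE and bump the version in both AD and gpt.ini so that
    # clients notice the change on their next refresh.
    $adGpo      = Get-ADObject -Identity $gpo.Path -Properties versionNumber
    $newVersion = [int]$adGpo.versionNumber + 1
    Set-ADObject -Identity $gpo.Path -Replace @{
        versionNumber            = $newVersion
        gPCMachineExtensionNames = $SecurityCse
    }
    Set-Content -Path (Join-Path $PoliciesDir "{$($gpo.Id)}\gpt.ini") -Value "[General]`r`nVersion=$newVersion"

    # Link only to this system's Servers OU, so System A's accounts get no right on System B's hosts.
    $links = (Get-GPInheritance -Target $serversOu.DistinguishedName).GpoLinks
    if ($links.DisplayName -notcontains $gpoName) {
        New-GPLink -Name $gpoName -Target $serversOu.DistinguishedName -LinkEnabled Yes | Out-Null
    }
    Write-Output "$gpoName -> $($serversOu.DistinguishedName) ($($sids.Count) accounts)"
}

# One GPO per system; re-running the script regenerates the account list for each.
Get-ADOrganizationalUnit -SearchBase $SystemsRoot -SearchScope OneLevel -Filter * |
    ForEach-Object { New-ServiceLogonGpo -SystemOu $_ }
```

Because the script bypasses the Group Policy editor, check the result before relying on it: `Get-GPOReport -Name '<gpo name>' -ReportType Html` should list "Log on as a service" under Security Settings, and `gpresult /scope computer /v` on a server in the Servers OU should show the right resolving to that system's accounts only. Writing `SeServiceLogonRight` replaces the server's previous holders of that right (local defaults such as `NT SERVICE\ALL SERVICES` included), so review the effective list on a test server first.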