1

First things first:

Some months ago I was installing a WSUS Server on a W2k12 R2 in a domain environment and the installation was failing because a service wasn't able to log on after the Post-Installation routine. After a bit of troubleshooting and searching I found a solution on the internet which said that I should change some settings in the Default Domain Policy, which I did. Here are the links for interest:

  1. WSUS roles install on Server 2012 Fails
  2. Second solution

I added the "NT SERVICE\ALL SERVICES" to "Logon as a Service" in the Default Domain Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignments > Logon as a Service) and everything was working and the WSUS was installed successfully.

Now I noticed that the Default Domain Policy has overwritten the "Logon as a Service" setting on EVERY domain machine (Exchange, SQL Server, PC and more...), so the older settings (e.g. MSSQL$SQLEXPRESS, IIS APPPOOL.NET 4.5) were overwritten globally and no longer show up.

To the problem:
I need to revert everything back now and I have no clue what could happen.

So my questions are:

  1. How dangerous is it to revert to the old settings? What could possibly happen?
  2. Did every domain machine make a local backup of its previous settings?
  3. If so, do the settings automatically change back to the old ones after reverting to empty settings (default)?
  4. Is there any solution that doesn't damage something?

Many thanks in advance.

IT-Zoo
  • 21
  • 1
  • 1
  • 2

4 Answers

2

I know it's an old question, but the last answer/comments are wrong (at least for Windows 7 and Server 2012).

I applied a 'User Rights Assignment' to 'Log on as a Service' on the domain GPO, and noticed that the local policy does not merge with the domain policy. So on the local computer 'NT SERVICE\ALL SERVICES' was replaced by the setting from the domain policy.

I deleted/unlinked the domain policy, and the original local policy returned.

mriksman
  • 121
  • 2
0

You can't. Security settings are tattooed on the system, so whatever existed before has been overwritten (except for some systems that reside in an OU that blocks inheritance and the Default Domain Policy is not enforced/settings were defined at a lower level).

Greg Askew
  • 35,880
  • 5
  • 54
  • 82
  • Damn. So when I change it back to default, all workstations get empty settings under "Logon as a Service"? This is possibly harmful, isn't it? – IT-Zoo Aug 02 '16 at 14:42
  • 2
    No, if you change it back to the default (Not Defined), nothing happens. The settings that were previously defined remain. I'm not sure where you found that information, but specifying the Windows right "Logon as a service" is almost never appropriate for the Default Domain Policy. – Greg Askew Aug 02 '16 at 14:51
  • This was one solution I've found on the internet to install the WSUS role. You seem to be an expert at this, do you maybe have some tips for me to possibly solve this? – IT-Zoo Aug 02 '16 at 15:41
0

Modifying the Default Domain policy is a bad practice. And this is an example of why.

My recommendation would be to put Default Domain policy back to the Microsoft default (which is blank I believe).

The logon as a service right is something that you want to apply as narrowly as possible (eg per machine). Otherwise, you end up granting permissions on machines that don't need it (security hole), or you break apps when services don't start.

I would create GPOs to define Log on as a service for each of your servers that have service accounts. Use security or WMI filtering to target those GPOs to just the servers that need it.

You can determine the list of accounts that are needed by looking at the Services list on each computer (sort by account name).

Once you have the GPOs setup, run gpupdate /force on each server, then reboot it. Confirm that all services start as expected. Repeat until all your servers are done. It's painful the first time, but things are less fragile and more secure going forward.

myron-semack
  • 2,593
  • 19
  • 17
  • Thank you, I will try this! Do you know if it is necessary to have Log on as a Service on working machines? I was testing this with secpol.msc on a completely fresh installation of Windows 7 / Windows 10 and it showed me that "NT SERVICE\ALL SERVICES" was somehow default. – IT-Zoo Aug 03 '16 at 11:59
  • It's necessary if you have an app that uses local service accounts (not needed for local system or network service). Probably the only thing that would be OK to have in the default domain GPO. – myron-semack Aug 03 '16 at 13:05
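The inventory step from the answer above (read the Services list on each computer and compare it with what "Log on as a service" currently grants) can be scripted. The following is an added example, not code from any of the answers: it exports the effective local security database with `secedit`, parses the `SeServiceLogonRight` line (the internal name of the "Log on as a service" right), lists the accounts that services on this host actually run as, and reports the ones that do not hold the right. Running it on a server before and after you unlink or empty the Default Domain Policy setting shows directly whether the earlier per-machine entries came back or whether the policy tattooed them away. It assumes an elevated PowerShell session on the member server and that service accounts appear in `DOMAIN\user` form (a UPN-style `user@domain` entry would show up as missing even if it holds the right, because the names would not match).

```powershell
# Added example: audit "Log on as a service" (SeServiceLogonRight) on this host
# against the accounts that its services run as. Run elevated on the server.
# Assumption: secedit.exe is present (it ships with every supported Windows build).

function Get-ServiceLogonRightReport {
    $inf = Join-Path $env:TEMP 'secpol-user-rights.inf'

    # Export only the User Rights Assignment area of the *effective* local policy,
    # i.e. whatever survived after the last GPO refresh.
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

    # The exported line looks like:  SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...-1105
    # Entries prefixed with * are SIDs; translate them to names where possible.
    $line = Get-Content -Path $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
    $granted = @()
    if ($line) {
        $granted = ($line -replace '^SeServiceLogonRight\s*=\s*', '') -split ',' |
            ForEach-Object {
                $id = $_.Trim()
                if ($id.StartsWith('*')) {
                    $sid = $id.Substring(1)
                    try {
                        (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                            Translate([System.Security.Principal.NTAccount]).Value
                    } catch { $sid }   # unresolvable SID (deleted account): keep raw SID
                } else { $id }
            }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue

    # Accounts that need the right: everything except the three built-in service identities.
    # Virtual accounts ("NT SERVICE\<name>", e.g. NT SERVICE\MSSQL$SQLEXPRESS) are covered
    # by the group NT SERVICE\ALL SERVICES (S-1-5-80-0) if it is granted.
    $builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
    $needed = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and ($builtin -notcontains $_.StartName) } |
        Select-Object -ExpandProperty StartName -Unique

    $allServices = $granted -contains 'NT SERVICE\ALL SERVICES'
    $missing = @($needed | Where-Object {
        $acct = $_
        $direct  = $granted -contains $acct
        $virtual = ($acct -like 'NT SERVICE\*') -and $allServices
        -not ($direct -or $virtual)
    })

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Granted  = @($granted)
        Needed   = @($needed)
        Missing  = $missing
    }
}

$report = Get-ServiceLogonRightReport
"Accounts holding SeServiceLogonRight on $($report.Computer):"
$report.Granted | ForEach-Object { "  $_" }
"Service accounts in use that do NOT hold the right (services will fail to start):"
if ($report.Missing.Count -eq 0) { "  (none)" } else { $report.Missing | ForEach-Object { "  $_" } }
```

Anything listed under "Missing" is what the per-server GPO from the answer above has to grant; an empty list after you unlink the Default Domain Policy setting confirms that the local entries returned rather than being tattooed away. Note that `secedit` reports the resulting local database, not the GPO itself, so run `gpupdate /force` first if you want to see the effect of a policy change you just made.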
0

The best practice is to leave the default policy untouched and to add as many policies as needed on top of it. You can define a policy over time without linking it, this way it won't be applied. When you need to deploy a policy, you can link it to a subset of test machines to test the impact.

Policies are applied in a non-destructive order: if you unlink the offending policy, you will undo the immediate effect (i.e. the settings you applied). Keep in mind that you won't be able to undo any side effect caused by your settings.

The policies are processed and applied in order: Local Group Policy object -> Site -> Domain -> Organizational units. Policies are merged unless conflicting, in that case the precedence is Organizational units > Domain > Site > Local Group Policy. If multiple policies are applied to the same object they will be applied in the order they are listed in the GPMC, with the latter winning out.

For more information, look at technet.

Yennefer
  • 103
  • 5