Windows server log on as a service + video overview

Log on as a service

Applies To: Windows Vista, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8

This security policy reference topic for the IT professional describes the best practices, location, values, policy management, and security considerations for this policy setting.

Reference

This policy setting determines which service accounts can register a process as a service. Running a process under a service account circumvents the need for human intervention.

This policy setting is supported on versions of Windows that are designated in the Applies To list at the beginning of this topic.

Possible values

User-defined list of accounts

Best practices

Location

GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Default values

By default this setting is Network Service on domain controllers and Network Service on stand-alone servers.

The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page.

Server type or GPO

Default Domain Policy

Default Domain Controller Policy

Stand-Alone Server Default Settings

Domain Controller Effective Default Settings

Member Server Effective Default Settings

Client Computer Effective Default Settings

Operating system version differences

There are no differences in the way this policy setting works between the supported versions of Windows that are designated in the Applies To list at the beginning of this topic.

The default changed in Windows Server 2008 R2 and Windows 7 from Not defined, so that only the Network Service account has this right by default. Any service that runs under a separate user account must be assigned this user right.

Policy management

This section describes features, tools, and guidance to help you manage this policy.

A restart of the computer is not required for this policy setting to be effective.

Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.

Group Policy

The policy setting Deny log on as a service supersedes this policy setting if a user account is subject to both policies.

Group Policy settings are applied in the following order, which will overwrite settings on the local computer at the next Group Policy update:

Local policy settings

Site policy settings

Domain policy settings

OU policy settings

Security considerations

This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.

Vulnerability

The Log on as a service user right allows accounts to start network services or services that run continuously on a computer, even when no one is logged on to the console. The risk is reduced by the fact that only users with administrative privileges can install and configure services. An attacker who has already attained that level of access could configure the service to run with the Local System account.

Countermeasure

By definition, the Network Service account has the Log on as a service user right. This right is not granted through the Group Policy setting. You should minimize the number of other accounts that are granted this user right.
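The countermeasure above asks you to keep the list of holders small, and the Group Policy section notes that the deny right wins over the grant. The following PowerShell is an added example (not part of the Microsoft reference topic) that audits the local assignment: it exports the User Rights Assignment area with secedit.exe, resolves the SIDs it writes back to account names, and reports holders outside an expected set as well as accounts that are granted and denied at the same time. It assumes an elevated session; NT AUTHORITY\NETWORK SERVICE is the documented default, NT SERVICE\ALL SERVICES is the entry seen on current Windows versions elsewhere on this page, and the third entry in $Expected is a placeholder for your own service account.

```powershell
# Added example, not part of the Microsoft reference topic above: audit who holds
# "Log on as a service" (SeServiceLogonRight) on this computer and who is denied it
# (SeDenyServiceLogonRight; the deny wins when an account is in both lists).
# Assumes an elevated Windows PowerShell session; secedit.exe and its USER_RIGHTS
# export area are built into Windows.

# Accounts expected to hold the right. NT AUTHORITY\NETWORK SERVICE is the documented
# default; NT SERVICE\ALL SERVICES is present on current Windows versions; the last
# entry is a placeholder for this environment's own service account(s).
$Expected = @(
    'NT AUTHORITY\NETWORK SERVICE',
    'NT SERVICE\ALL SERVICES',
    'CONTOSO\svc-placeholder'
)

function Get-UserRightHolders {
    param([Parameter(Mandatory)][string]$Privilege)
    $inf = Join-Path $env:TEMP ("ura-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the User Rights Assignment area of the local security policy
        $null = & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet
        if (-not (Test-Path $inf)) { throw "secedit export failed; run this elevated" }
        # The matching line looks like:  SeServiceLogonRight = *S-1-5-20,*S-1-5-80-0
        $line = [string](Get-Content -Path $inf |
            Where-Object { $_ -match "^\s*$Privilege\s*=" } | Select-Object -First 1)
        if (-not $line) { return @() }           # right not listed: no holders
        $raw = ($line -split '=', 2)[1].Trim()
        if (-not $raw) { return @() }
        foreach ($entry in ($raw -split ',')) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                # secedit writes SIDs with a leading '*'; translate them to account names
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid.Value }             # orphaned SID: report it as-is for cleanup
            } else {
                $entry                           # already a name
            }
        }
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

$granted = @(Get-UserRightHolders -Privilege 'SeServiceLogonRight')
$denied  = @(Get-UserRightHolders -Privilege 'SeDenyServiceLogonRight')

"Granted SeServiceLogonRight:";        $granted | ForEach-Object { "  $_" }
"Denied via SeDenyServiceLogonRight:"; $denied  | ForEach-Object { "  $_" }

# The countermeasure: every holder beyond the expected set is a candidate for removal
$extra = $granted | Where-Object { $Expected -notcontains $_ }
if ($extra) { "Extra grants to review:"; $extra | ForEach-Object { "  $_" } }

# An account in both lists cannot start services, because the deny supersedes the grant
$blocked = $granted | Where-Object { $denied -contains $_ }
if ($blocked) { "Granted but also denied (deny wins):"; $blocked | ForEach-Object { "  $_" } }
```

Run it on a reference machine before you define the right in a GPO: the "Granted" list it prints is the complete set the GPO must carry, since a GPO-defined assignment replaces the local list rather than adding to it.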

Source

Enable Service Logon

Security best practice is to disable interactive and remote interactive sessions for service accounts. Security teams across organizations have strict controls to enforce this best practice to prevent credential theft and associated attacks.

You must provide service logon permission to the following accounts that are used by the SM management server and the data warehouse management server.

Service Manager Services Account: This account is used for the System Center Data Access Service and the System Center Management Configuration service. With SM 2019, this account requires service logon permission.

Service Manager Workflow Account: This account is used to run the MonitoringHost.exe process (which runs all the workflows). With SM 2019, this account requires service logon permission.

We recommend that you provide service logon permission to the accounts used by various SM connectors (AD, OM, SCO, CM, VMM, exchange connectors). Service reporting account and analysis services accounts don’t require service log on permission.

How to enable service log on

You can grant service log on permission through a domain policy or a local group policy.

To enable it using domain policy, contact your administrators. To use local group policy, see the section Enable service log on through a local group policy below.

Identify the accounts that need service Log on permission

If the required accounts are not granted service logon permission, monitoringhost.exe does not run under those accounts, which means that some workflows, such as SLA/SLO, do not run. In that case, the following error event is logged in the Operations Manager event log:

The Health Service could not log on the RunAs account XXXXXXX for management group XXXX because it has not been granted the Log on as a service

Here is a sample error:
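The error above is the symptom to look for; the PowerShell below is an added example (not part of the Service Manager documentation) that searches for it. It reads the Operations Manager log for Health Service messages matching the text quoted above and extracts the RunAs account and management group, and it also reads the Security log for events 4717 and 4718, which Windows records when a logon right such as SeServiceLogonRight is granted to or removed from an account (those events exist only when the Audit Authentication Policy Change subcategory is enabled). It assumes an elevated session and uses a seven-day lookback chosen for the example.

```powershell
# Added example, not part of the Service Manager documentation: look for evidence that a
# service account is missing "Log on as a service". Two places are checked:
#   1. the Operations Manager log, where the Health Service logs the error quoted above
#      when it cannot log on a RunAs account;
#   2. the Security log, where Windows records each grant/removal of a logon right as
#      event 4717/4718 (only present if "Audit Authentication Policy Change" is enabled).
# Assumes an elevated session (needed for the Security log); the lookback window is a
# chosen default.
$Since = (Get-Date).AddDays(-7)

# 1. RunAs account logon failures reported by the Health Service
$runAsFailures = Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*could not log on the RunAs account*Log on as a service*' } |
    ForEach-Object {
        # The account and management group are only in the message text, so pull them out
        $acct = if ($_.Message -match 'RunAs account (\S+)')    { $Matches[1] } else { '?' }
        $mg   = if ($_.Message -match 'management group (\S+)') { $Matches[1] } else { '?' }
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $acct; ManagementGroup = $mg; EventId = $_.Id }
    }

if ($runAsFailures) { "RunAs accounts the Health Service could not log on:"; $runAsFailures | Format-Table -AutoSize }
else                { "No RunAs logon failures in the Operations Manager log since $Since." }

# 2. Changes to the right itself: who was granted (4717) or stripped of (4718) it
$rightChanges = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4717, 4718; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'SeDenyServiceLogonRight|SeServiceLogonRight' } |
    ForEach-Object {
        $right = if ($_.Message -match 'Se(Deny)?ServiceLogonRight') { $Matches[0] } else { '?' }
        # The message carries two "Account Name:" lines (the subject who made the change,
        # then the account modified); the last one is the account whose right changed
        $names  = [regex]::Matches($_.Message, 'Account Name:\s+(\S+)')
        $target = if ($names.Count) { $names[$names.Count - 1].Groups[1].Value } else { '?' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Change  = if ($_.Id -eq 4717) { 'granted' } else { 'removed' }
            Right   = $right
            Account = $target
        }
    }

if ($rightChanges) { "Logon-right changes recorded in the Security log:"; $rightChanges | Format-Table -AutoSize }
else               { "No 4717/4718 events for the service logon rights since $Since (check the audit policy)." }
```

A 4718 event for SeServiceLogonRight shortly before a Health Service failure usually means a Group Policy refresh replaced the local list, which is the scenario discussed in the forum threads further down this page.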

Enable service log on through a local group policy

Follow these steps:

1. Sign in with administrator privileges to the computer from which you want to provide Log on as a service permission to accounts.

2. Go to Administrative Tools and click Local Security Policy.

3. Expand Local Policy and click User Rights Assignment. In the right pane, right-click Log on as a service and select Properties.

4. Click Add User or Group to add the new user.

5. In the Select Users or Groups dialog, find the user you wish to add and click OK.

6. Click OK in the Log on as a service Properties dialog to save the changes.

Change logon type from a default value

With SM 2019, the default logon type is Service log on: after a new installation of SM 2019 or an upgrade, the logon type is Service log on by default.

You can change the default logon type by using the following steps:

1. Sign in with administrator privileges to the computer from which you want to provide Log on as a service permission to accounts.

2. Run gpedit.msc.

3. Under Computer Configuration, expand Administrative Templates.

4. Click System Center – Operations Manager.

5. Right-click Monitoring Action Account Logon Type, click Edit, and select Enabled.

6. Choose Logon Type from the drop-down menu.

Source


Windows server log on as a service

Question

I am almost finished with the exhaustive summer task of transitioning a Server 2003 network with four servers, SQL 2005, and Exchange 2003 to Server 2012, Exchange 2013 and 2014. There’s been no end of undocumented bugs and glitches along the way. However, it seems that Microsoft has saved the best for last.

The final task is getting WSUS set up. As per usual, what should have been a straightforward role installation has run into an undocumented brick wall that was inevitable. (If it happens on a fresh install of Server 2012, you KNOW that they didn’t beta-test it.)

I found a third party description of the EXACT problem that I’m having, along with the solution:

The solution is to add the "log on as a service" right to NT SERVICE\ALL SERVICES in the group policy management console. The author provides nice illustrations of the steps to take.

Here’s where my frustrations really peak. This is HIS Server 2012 (not R2) group policy management console:

And this is MY Server 2012 group policy management console:

Answers


You are currently on the Group Policy Management Console, you will have to open Group Policy Management Editor to edit/configure a policy setting.

As mentioned by Joey above, you just right click on the GPO you’d like to edit, then select "Edit".

Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com


In the left pane, right click the GPO you want to edit and select edit. Drill down to Computer Configuration>Windows Settings>Security Settings>Local Policies>User Rights Assignment. You find Log on as a service in the right pane.


I talked to Microsoft Technical Support, and found out what the problem was. I was trying to install it on a domain controller, and that’s a no-no.

You’d almost think that they’d make it IMPOSSIBLE to ATTEMPT to install it on a domain controller with a warning message, and avoid the white papers, user frustration and service calls, but that would take an extra 10 minutes of programming.

All replies


The question is where DO you define the settings for log on as a service in the group policy management console I have to work with.


Thanks. I had gotten to this point by using the group policy snap-in for MMC, but it’s nice to know that server manager allows complete access.


Damned it. Thanks! This was the answer I was looking for. Create the GPO modification on the computer with those accounts on the local machine. Initially I thought that kind of fat fingering would end up with servername\iis apppool * in the GPO. But nope, it keeps the names all proper. Thanks! Aggravating.


Ok, I’ve solved this the following way. None of the information above was true for me. You couldn’t add local groups, you couldn’t just not hit "browse", nothing worked. This way worked 100% as expected, and I hope someone marks it as the answer. The not doing it on a Domain controller actually did have the problem I expected, that you get this long SID that’s only recognized on the servers where it is the same exact SID, which I haven’t found one that worked that way in a SharePoint farm.

The solution is two fold.

1. You must go to the Computer’s Policy "Preferences" tab, scroll down to Local Users and Groups, and add a group. I left no spaces out of habit, but I took "LogonAsaService" and created it as an empty group, with UPDATE as the action (not Replace or Remove).

2. Go to the Local Rights Assignment area, find the 'Log on as a Service' right, add 'LogonAsaService', and click OK.

Then do a gpupdate /force on a computer receiving that policy. You will find that the group is now given the permissions in the Local Rights Assignment area, the group now appears as an empty group in Local Users and Groups, AND you can edit that group locally as it’s not overriding the local accounts already in there.

Source

How do I configure a user account to have ‘logon as a service’ permissions?

This is for CRM application use and need to enable permission via GPO

Microsoft TechNet Forum Bandara

Answers


It seems that you know the group policy “Log on as a service” can achieve your goal, so I would like to confirm what you want to ask.

If you do not know the path of the group policy “Log on as a service” in the domain, you may expand Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service in GPMC.

Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

All replies


And I know how to do it in local GPO:

When installing a service to run under a domain user account, the account must have the right to log on as a service on the local machine. This logon right strictly applies only to the local computer and must be granted in the Local Security Policy.

Perform the following to edit the Local Security Policy of the computer on which you want to define the ‘logon as a service’ permission:

1. Log on to the computer with administrative privileges.
2. Open ‘Administrative Tools’ and open the ‘Local Security Policy’.
3. Expand ‘Local Policy’ and click on ‘User Rights Assignment’.
4. In the right pane, right-click ‘Log on as a service’ and select Properties.
5. Click on the ‘Add User or Group…’ button to add the new user.
6. In the ‘Select Users or Groups’ dialogue, find the user you wish to enter and click ‘OK’.
7. Click ‘OK’ in the ‘Log on as a service Properties’ to save changes.

Notes:

• Ensure that the user which you have added above is not listed in the ‘Deny log on as a service’ policy in the Local Security Policy.

Microsoft TechNet Forum Bandara


How useless is that?

Once more into the breach, dear friends.


Has anyone found a solution for the above yet?


How useless is that?

Once more into the breach, dear friends.

Ditto, corndog. I would like to simply "append" a few users or groups to this right, but I cannot find anything. The only other way to give my user the same level of privileges (and unfortunately a whole bunch more) is with domain admin. 🙁


Thanks for your response. Unfortunately, I am trying to avoid adding service (user) accounts to Domain Admins just to give them full access to machine, which happens to include logon as a service.

When I generate RSOP data for my machine, there are no groups explicitly defined via GPO with the "Log on as a service" right. However, when I look in the Local Security Policy there are a number of local/virtual accounts listed ("NT SERVICE\ALL SERVICES", "NT VIRTUAL MACHINE\Virtual Machines", etc.). Therefore, I must assume that the only AD groups with this permission are builtin privileged groups, which should be avoided like the plague.

Is there absolutely no way to grant a user or group rights to «logon as a service» to a select number of machines, say, a group of web servers or SQL servers, and not OVERWRITE the default accounts and groups that those machines might natively grant this right to?

If not, the only remedy for this user (it happens to be the authentication credential for Languard 2015) is to add it to the Domain Admins group, then use GPO to DENY every OTHER right available, to get the same results that myself and so many other users are attempting to achieve.

FYI, the Languard Support documentation provides that this right should be granted via GPO, which we learned the hard way, will OVERWRITE all existing users/groups with the right to logon as a service. Every other service running crashed hard. but Languard worked great. 😉
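The problem the thread keeps circling is that a User Rights Assignment defined in a GPO replaces the computer's whole list for that right instead of appending to it, so the first thing to establish is which GPOs carry the setting and what list each one pushes out. The PowerShell below is an added example (not code from any poster) that does that with the GroupPolicy RSAT module: it pulls the XML report of every GPO with Get-GPOReport and lists the members configured for SeServiceLogonRight and SeDenyServiceLogonRight. It assumes read access to the domain's GPOs and that the report nests the right as UserRightsAssignment/Name with each principal under UserRightsAssignment/Member/Name (with a SID child when the name is unresolved).

```powershell
# Added example, not code from the thread: enumerate every GPO in the domain that sets
# "Log on as a service" (SeServiceLogonRight) or "Deny log on as a service"
# (SeDenyServiceLogonRight) and show the complete member list each one pushes out.
# A User Rights Assignment defined in a GPO replaces the computer's whole list for that
# right rather than appending to it, which is what broke every other service in the
# thread, so the fix is to find which GPO carries the list and make that list complete.
# Assumes the GroupPolicy RSAT module and read access to the domain's GPOs, and that the
# XML report nests UserRightsAssignment/Name and UserRightsAssignment/Member/Name elements.
Import-Module GroupPolicy

$rights = 'SeServiceLogonRight', 'SeDenyServiceLogonRight'

$findings = foreach ($gpo in Get-GPO -All) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    # local-name() ignores the per-report namespace prefixes (q1:, q2:, ...)
    foreach ($ura in $report.SelectNodes("//*[local-name()='UserRightsAssignment']")) {
        $name = $ura.SelectSingleNode("*[local-name()='Name']").InnerText
        if ($rights -notcontains $name) { continue }
        $members = @($ura.SelectNodes("*[local-name()='Member']") | ForEach-Object {
            $n = $_.SelectSingleNode("*[local-name()='Name']")
            if ($n) { $n.InnerText } else { $_.SelectSingleNode("*[local-name()='SID']").InnerText }
        })
        [pscustomobject]@{
            GPO     = $gpo.DisplayName
            Status  = $gpo.GpoStatus          # e.g. AllSettingsEnabled, ComputerSettingsDisabled
            Right   = $name
            Members = ($members -join '; ')
        }
    }
}

if (-not $findings) {
    "No GPO defines $($rights -join ' or '): each computer keeps its local assignment."
} else {
    $findings | Sort-Object Right, GPO | Format-Table -AutoSize -Wrap
    "Each Members list above replaces the target computer's local list for that right."
    "Holders missing from it (for example NT SERVICE\ALL SERVICES) lose the right at the next refresh."
}
```

If the output shows a GPO whose list contains only the one new account, that GPO is the one that removed the defaults on every computer it applies to; the repair is to add the machine's own defaults back into that list (or, as the earlier thread's workaround does, to grant the right to a group and manage membership locally) rather than to widen the account's privileges elsewhere.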

Source

Video

Event Viewer & Windows Logs

MCITP 70-640: Service Accounts

Update server on Windows Server 2019 (Windows Server Update Services on Windows Server 2019)

Windows Services + Logs + Event Viewer + Setup Project

Windows 7 User Profile Service Failed Logon FIX

There are currently no logon servers available to service the logon request

How To Use The Windows Event Viewer For Cyber Security Audit

[Windows Server 2012 basics] Lesson 13 - Remote Desktop Services (Terminal Server)

How to monitor server performance and activity on Windows Server 2012 R2 (Explained)

MCITP 70-640: Active Directory Windows Auditing