[gptalk] Re: GP for IIS and SQL

  • From: "Blackshaw, Dave" <Dave.Blackshaw@xxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 17 Apr 2007 09:30:50 +0100

Ranjan,

As LP says (without mentioning it), you need a domain account under which to
run the SQL service.  You can then grant this account “local administrator
rights” using the batch file provided below.

However, the domain SQL service account will also require the following rights
on each SQL server, which can be achieved through GPO:

Act as part of the operating system (SeTcbPrivilege)
Adjust memory quotas for a process [Increase Quotas] (SeIncreaseQuotaPrivilege)
Lock pages in memory (SeLockMemoryPrivilege)
Log on as a batch job (SeBatchLogonRight)
Log on as a service (SeServiceLogonRight)
Replace a process level token (SeAssignPrimaryTokenPrivilege)

You’ll also need to enable the following services to run, if you’re restricting
services:

MSSQLSERVER
MSSQLServerADHelper
SQLSERVERAGENT

For IIS, it’s a little more complicated due to the machine-specific “IUSR_xxxx”
and “IWAM_xxxx” user accounts.  To get around this, each IIS server should have
two local groups defined on it, e.g. “Local-IUSR” and “Local-IWAM”, which
contain just these accounts, respectively.  You can then use these groups
(without the machine-specific reference) in any GPO.  Assigning rights and
nesting groups using a “restricted group” policy allows free-form text entry.

Local-IWAM will require these rights:

Adjust memory quotas for a process [Increase Quotas] (SeIncreaseQuotaPrivilege)
Log on as a batch job (SeBatchLogonRight)
Replace a process level token (SeAssignPrimaryTokenPrivilege)

Local-IUSR needs to be moved out of the local Guests group and will require:

Allow log on locally [Log on locally] (SeInteractiveLogonRight)
Log on as a batch job (SeBatchLogonRight)

You’ll need to allow the local group IIS_WPG:

Log on as a batch job (SeBatchLogonRight)

And ASPNET will need:

Log on as a batch job (SeBatchLogonRight)
Log on as a service (SeServiceLogonRight)

Hope that makes sense to all.

Dave

Directory & Messaging Services
Int:   824432
Ext:  (01784) 874432
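
As an added example (not code from Dave's or LP's posts), the following computer startup script builds the machine-independent Local-IUSR and Local-IWAM groups Dave describes, moves the IUSR account out of Guests, and applies LP's net localgroup step for the SQL service account. CONTOSO\svc-sql is an assumed placeholder for the domain SQL service account; the group names follow Dave's suggestion.

```batch
@echo off
rem Added example, not from the original thread. Intended to run as a
rem Computer Startup Script, so it executes as SYSTEM on every boot and
rem must tolerate being re-run (the "already a member" errors are harmless).
setlocal

rem Placeholder for the real domain SQL service account (assumed name).
set SQLSVC=CONTOSO\svc-sql

rem 1. Create the generic local groups once; "net localgroup NAME" fails
rem    with a non-zero exit code when the group does not exist yet.
net localgroup Local-IUSR >nul 2>&1 || net localgroup Local-IUSR /add /comment:"IIS anonymous account (IUSR_*)"
net localgroup Local-IWAM >nul 2>&1 || net localgroup Local-IWAM /add /comment:"IIS out-of-process account (IWAM_*)"

rem 2. Put this server's machine-specific IIS accounts into the generic
rem    groups, so a GPO can reference Local-IUSR / Local-IWAM instead of
rem    server1\IUSR_server1, server2\IUSR_server2, and so on.
net localgroup Local-IUSR IUSR_%COMPUTERNAME% /add >nul 2>&1
net localgroup Local-IWAM IWAM_%COMPUTERNAME% /add >nul 2>&1

rem 3. Dave's note: IUSR must leave the local Guests group so the rights the
rem    GPO grants to Local-IUSR are not undercut by Guest restrictions.
net localgroup Guests IUSR_%COMPUTERNAME% /delete >nul 2>&1

rem 4. LP's step: make the domain SQL service account a local administrator.
net localgroup Administrators %SQLSVC% /add >nul 2>&1

rem Leave a trace in the startup script log for troubleshooting.
echo %DATE% %TIME% IIS/SQL local group setup completed on %COMPUTERNAME%

endlocal
```

The script only changes local group membership; the user rights in Dave's list are still granted by the GPO's User Rights Assignment, and SeTcbPrivilege (Act as part of the operating system) and SeAssignPrimaryTokenPrivilege in particular are worth auditing, since they let the service account impersonate any user.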


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Linux'o Mania
Sent: 17 April 2007 08:58
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GP for IIS and SQL

Use a batch file with the following contents & put it in the Computer Startup
Script section of the GPO...

net localgroup Administrators /add <domain\ID>

replace <domain\ID> with your domain's NETBIOS name & domain account or group...

Regds,

LP



"Ranjan Babu .G" <ranjan.ganesh@xxxxxxxxxx> wrote:

        Hi,

        One of my customers has multiple servers running IIS and SQL under an
        IIS and SQL OU. While applying/editing group policy I have to manually
        select and add Administrators for each server.

        How do I resolve the below issues?

        1. For example, if I want to add sqladmin for a policy I have to add
        server1\sqladmin, server2\sqladmin ....

        Instead of adding all server names, is there any shortcut method
        available to add them in a single line?

        What is happening in our case is that if I add the user
        “server1\sqladmin” in group policy, it applies the same user to all
        servers, which creates a problem.

        Note: we have created a similarly named (sqladmin) user for this
        purpose.

        2. The domain server does not have IIS and SQL Server installed. If I
        want to create/edit a group policy for the IIS and SQL Server OU, which
        is the best option: editing the group policy from the domain server's
        GPMC or from another IIS/SQL server?

        We are facing a problem adding file security for c:\program files\MS SQL
        from the domain GPMC. It does not allow us to add it because the path
        (SQL Server) is not available on that server.

        3. Say I create a system variable, e.g. %BACKUP%, that gives the path
        to one of my backup directories.

        If I add this directory %BACKUP% in file system security at the group
        policy level, will all servers refer to the same path that we gave in
        the system variable and apply the security setting given for the folder
        (%BACKUP%)?

        Thanks and Regards,

        Ranjan
        
        -----Original Message-----
        From: FreeLists Mailing List Manager [mailto:ecartis@xxxxxxxxxxxxx]
        Sent: Tue 4/17/2007 1:05 PM
        To: Ranjan Babu .G
        Cc:
        Subject: Welcome to list 'gptalk'

        Welcome to the GPOGUY.COM gptalk mailing list! The purpose of this list
        is to ask (and answer) questions regarding Windows Group Policy. This
        list was created in conjunction with the gpoguy.com website.

        To send a message to the list, send email to: gptalk@xxxxxxxxxxxxx

        The list archive is at http://www.freelists.org/archives/gptalk

        General list information is at http://www.freelists.org/list/gptalk

        To unsubscribe send email to gptalk-request@xxxxxxxxxxxxx with a
        subject of 'unsubscribe'

        We ask that you maintain proper list etiquette when asking and
        answering questions. This includes, but is not limited to:

        - Ask only questions that are relevant to Windows Group Policy
        - Start a new list thread when you have a different question than in
          the original post
        - Be polite!
        - No advertising or shameless promotion of commercial products on the
          list. It's ok to mention products if they are relevant to a question
          or if you have product stuff in your email signature, but don't
          create a new post simply for the purpose of pitching a product
        - Did I mention that politeness is key? We reserve the right to boot
          anyone off the list who is repeatedly misbehaving
        - Finally, please set your list membership on vacation mode when you
          are out of the office and do not send OOF messages to the list.

        Thanks and again, Welcome!

        Darren (aka GPOGUY)
