[gptalk] Re: "Log on as a service" configured twice

  • From: "Cruz, Jerome L" <jerome.l.cruz@xxxxxxxxxx>
  • To: "gptalk@xxxxxxxxxxxxx" <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 3 Apr 2008 18:21:58 -0700

Not sure I saw any replies to this.

No, these types of security settings are NOT cumulative (don't I just 'wish' 
for that capability). The last GPO to apply this security setting wins. So 
you'll have to manage specific GPOs at each set of targets. Almost all security 
and registry settings work this way. An example of cumulative behavior is 
scripts; they will all run....

When you say "site" I am assuming you meant OUs (in this case). Watch out for 
using the word "Site" when you refer to OUs. Group Policies apply at four 
distinct locations: 1) Local, 2) Site, 3) Domain root, and 4) OU (and sub-OUs).

Jerry

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Hendrikus Terwint (SEDIRSI-Prestataire)
Sent: Thursday, April 03, 2008 9:54 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] "Log on as a service" configured twice

Hi,

Does anyone know whether the "Log on as a service" policy is cumulative or if it 
replaces previous values if it's been configured twice (on a parent OU as well 
as on a child OU)?

Case:

      OU=Administration
            GPO=Logon_as_service1
         OU=Site A
               GPO=Logon_as_service2
         OU=Site B
               GPO=Logon_as_service3


GPO=Logon_as_service1
Log on as a service
Value: GROUP1
Computer Configuration\Windows Settings\Local Policies\User Rights Assignment

GPO=Logon_as_service2
Log on as a service
Value: GROUP2
Computer Configuration\Windows Settings\Local Policies\User Rights Assignment

GPO=Logon_as_service3
Log on as a service
Value: GROUP3
Computer Configuration\Windows Settings\Local Policies\User Rights Assignment

Objects in Site A require GROUP2 as well as GROUP1 for registering a process as 
a service.
Objects in Site B require GROUP3 as well as GROUP1 for registering a process as 
a service.

Could GPO=Logon_as_service1 provide GROUP1 (through inheritance) to Site A and 
Site B objects, or do we have to add the value "GROUP1" to both GPOs 
Logon_as_service2 + Logon_as_service3?

Thanks in advance!

Hendrikus
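
The case from this thread worked through as an added example (not part of either message): a small Python model of "the last GPO to apply this security setting wins" for the three GPOs in the question. The function names, the OU tree as a dictionary, and the template strings are constructed for illustration; the model assumes plain OU inheritance with one link per OU and no enforced links or blocked inheritance.

```python
# Added example: "last GPO to apply wins" for one user right; all data is constructed.
import configparser

RIGHT = "SeServiceLogonRight"  # "Log on as a service"
TMPL = "[Privilege Rights]\nSeServiceLogonRight = {}\n"  # GptTmpl.inf form
GPOS = {"Logon_as_service1": TMPL.format("GROUP1"),
        "Logon_as_service2": TMPL.format("GROUP2"),
        "Logon_as_service3": TMPL.format("GROUP3")}
# Same GPOs with GROUP1 repeated in the two child-OU GPOs.
FIXED = dict(GPOS, Logon_as_service2=TMPL.format("GROUP1,GROUP2"),
             Logon_as_service3=TMPL.format("GROUP1,GROUP3"))
PARENT = {"Administration": None, "Site A": "Administration", "Site B": "Administration"}
LINKS = {"Administration": ["Logon_as_service1"],
         "Site A": ["Logon_as_service2"], "Site B": ["Logon_as_service3"]}
REQUIRED = {"Site A": {"GROUP1", "GROUP2"}, "Site B": {"GROUP1", "GROUP3"}}

def parse_right(inf_text, right=RIGHT):
    """Principals a template assigns to `right`; None if it is not configured."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of right names
    cp.read_string(inf_text)
    if not cp.has_option("Privilege Rights", right):
        return None
    raw = cp.get("Privilege Rights", right)
    return {p.strip() for p in raw.split(",") if p.strip()}

def apply_order(ou):
    """GPOs in application order: parent OUs first, the computer's own OU last."""
    chain = []
    while ou is not None:
        chain.insert(0, ou)
        ou = PARENT[ou]
    return [gpo for o in chain for gpo in LINKS.get(o, [])]

def effective_right(ou, gpos=GPOS):
    """Each GPO that configures the right replaces the earlier value; no merge."""
    value, winner = None, None
    for name in apply_order(ou):
        configured = parse_right(gpos[name])
        if configured is not None:
            value, winner = configured, name
    return value, winner

def missing_groups(ou, gpos=GPOS):
    """Required groups that do not hold the right on computers in `ou`."""
    return REQUIRED[ou] - (effective_right(ou, gpos)[0] or set())

if __name__ == "__main__":
    for ou in REQUIRED:
        print(ou, sorted(missing_groups(ou)), sorted(missing_groups(ou, FIXED)))
```

A template that lists the right with an empty value still counts as configured, so in this model it replaces the inherited value with nobody rather than leaving it alone.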
