[gptalk] Re: "Log on as a service" configured twice

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 3 Apr 2008 22:02:38 -0700

Thanks for replying, Jerry! I missed this post in the slew of emails in my
inbox this morning. The other "cumulative" policies include any of the
Listbox Additive settings under Admin. templates, such as Windows Firewall
exceptions and site-to-zone assignment. But definitely not security, sadly.
Well, I think software restriction policy might be, if I remember correctly,
but that would be the only one under Sec. Settings.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Cruz, Jerome L
Sent: Thursday, April 03, 2008 6:22 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: "Log on as a service" configured twice

 

Not sure I saw any replies to this.

No, these types of security settings are NOT cumulative (don't I just 'wish'
for that capability). The last GPO to apply this security setting wins. So
you'll have to manage specific GPOs at each set of targets. Almost all
security and registry settings work this way. An example of cumulative
behavior is scripts; they will all run.

When you say "site" I am assuming you meant OUs (in this case). Watch out
for using the word "Site" when you refer to OUs. Group Policies apply at four
distinct locations: 1) Local, 2) Site, 3) Domain root, and 4) OU (and
sub-OUs).

Jerry

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Hendrikus Terwint (SEDIRSI-Prestataire)
Sent: Thursday, April 03, 2008 9:54 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] "Log on as a service" configured twice

 

Hi,

Does anyone know whether the "Log on as a service" policy is cumulative or if
it replaces previous values if it's been configured twice (on a parent OU as
well as on a child OU)?

Case:

      OU=Administration
            GPO=Logon_as_service1
         OU=Site A
               GPO=Logon_as_service2
         OU=Site B
               GPO=Logon_as_service3

GPO=Logon_as_service1
Log on as a service
Value: GROUP1
Computer Configuration\Windows Settings\Local Policies\User Rights Assignment

GPO=Logon_as_service2
Log on as a service
Value: GROUP2
Computer Configuration\Windows Settings\Local Policies\User Rights Assignment

GPO=Logon_as_service3
Log on as a service
Value: GROUP3
Computer Configuration\Windows Settings\Local Policies\User Rights Assignment

Objects in Site A require GROUP2 as well as GROUP1 for registering a process
as a service.

Objects in Site B require GROUP3 as well as GROUP1 for registering a process
as a service.

Could GPO=Logon_as_service1 provide GROUP1 (through inheritance) to Site A
and Site B objects, or do we have to add the value "GROUP1" to both GPOs
Logon_as_service2 + Logon_as_service3?

Thanks in advance!

Hendrikus
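
Added example (not part of the original thread or any poster's code): a Python model of the last-GPO-wins behavior described in Jerry's reply, applied to the Site A case from the question. It assumes the GPOs are listed in apply order (parent OU first) with no enforced links or blocked inheritance, uses constructed GptTmpl.inf text, and relies on `SeServiceLogonRight`, the INF name for "Log on as a service"; the function names are hypothetical.

```python
import configparser

RIGHT = "SeServiceLogonRight"  # GptTmpl.inf name for "Log on as a service"

def principals(inf_text, right=RIGHT):
    """Principals one GPO's GptTmpl.inf assigns to `right`; None if not configured."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case as written in the INF
    cp.read_string(inf_text)
    if not cp.has_option("Privilege Rights", right):
        return None
    return {p.strip() for p in cp.get("Privilege Rights", right).split(",") if p.strip()}

def resolve(gpos):
    """gpos: (name, inf_text) pairs in apply order, parent OU first.
    Returns (winning GPO, effective principals, principals lost to the override)."""
    configured = [(n, principals(t)) for n, t in gpos]
    configured = [(n, p) for n, p in configured if p is not None]
    if not configured:
        return None, set(), set()
    winner, effective = configured[-1]  # the last GPO that sets the right wins
    earlier = set().union(*(p for _, p in configured[:-1]))
    return winner, effective, earlier - effective

def inf(value):
    # Constructed sample in GptTmpl.inf layout; real files are usually UTF-16.
    return "[Unicode]\nUnicode=yes\n[Privilege Rights]\n%s = %s\n" % (RIGHT, value)

# Site A as described in the question, then with GROUP1 repeated in the child GPO.
SITE_A = [("Logon_as_service1", inf("GROUP1")),
          ("Logon_as_service2", inf("GROUP2"))]
SITE_A_FIXED = [("Logon_as_service1", inf("GROUP1")),
                ("Logon_as_service2", inf("GROUP1,GROUP2"))]

if __name__ == "__main__":
    for chain in (SITE_A, SITE_A_FIXED):
        print(resolve(chain))
```

A non-empty third element marks principals that a parent-level GPO granted but the winning GPO silently dropped, which is the condition to audit for when the same right is set at several OU levels.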
