[gptalk] Re: GP for IIS and SQL

  • From: "Blackshaw, Dave" <Dave.Blackshaw@xxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 17 Apr 2007 09:30:50 +0100



As LP says (without mentioning it), you need a domain account under which to 
run the SQL service.  You can then grant this account “local administrator rights” 
using the batch file provided below.


However, the domain SQL service account will also require the following rights 
on each SQL server which can be achieved through GPO:


Act as part of the operating system (SeTcbPrivilege)

Adjust memory quotas for a process [Increase Quotas] (SeIncreaseQuotaPrivilege)

Lock pages in memory (SeLockMemoryPrivilege)

Log on as a batch job (SeBatchLogonRight)

Log on as a service (SeServiceLogonRight)

Replace a process level token (SeAssignPrimaryTokenPrivilege)


You’ll also need to enable the following services to run, if you’re restricting 




For IIS, it’s a little more complicated due to the machine-specific “IUSR_xxxx” 
and “IWAM_xxxx” user accounts.  To get around this, each IIS server should have 
two local groups defined on it, e.g. “Local-IUSR” and “Local-IWAM”, which 
contain just these accounts, respectively.  You can then use these groups 
(without the machine-specific reference) in any GPO.  Assigning rights and 
nesting groups using a “restricted group” policy allows free-form text entry. 


Local-IWAM will require these rights:


Adjust memory quotas for a process [Increase Quotas] (SeIncreaseQuotaPrivilege)

Log on as a batch job (SeBatchLogonRight)

Replace a process level token (SeAssignPrimaryTokenPrivilege)


Local-IUSR needs to be moved out of the local Guests group and will require:


Allow log on locally [Log on locally] (SeInteractiveLogonRight)

Log on as a batch job (SeBatchLogonRight)


You’ll need to allow the local group IIS_WPG:


Log on as a batch job (SeBatchLogonRight)


And ASPNET will need:


Log on as a batch job (SeBatchLogonRight)

Log on as a service (SeServiceLogonRight)


Hope that makes sense to all.



Directory & Messaging Services

Int:   824432

Ext:  (01784) 874432
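Added example (mine, not from Dave's post or the gpoguy list): a Computer Startup batch script that builds the per-server Local-IUSR and Local-IWAM groups described above, so a single GPO can assign rights to those group names instead of SERVERn\IUSR_SERVERn on every machine. It assumes the default IUSR_<machine> and IWAM_<machine> account names and that it runs as Local System at boot; the log path is also an assumption.

```batch
@echo off
rem Added example, not from the original thread: Computer Startup script that
rem creates the per-machine local groups described above and fills them with
rem the machine-specific IIS accounts. A GPO can then reference "Local-IUSR"
rem and "Local-IWAM" by name instead of SERVERn\IUSR_SERVERn on every server.
rem Assumes the default account names IUSR_%COMPUTERNAME% / IWAM_%COMPUTERNAME%
rem and that it runs as Local System at boot (so it may change local groups).
setlocal
set "IUSR=IUSR_%COMPUTERNAME%"
set "IWAM=IWAM_%COMPUTERNAME%"

rem Create each group only if it is missing; the script runs at every boot.
net localgroup Local-IUSR >nul 2>&1 || net localgroup Local-IUSR /add /comment:"IIS anonymous account (GPO rights target)"
net localgroup Local-IWAM >nul 2>&1 || net localgroup Local-IWAM /add /comment:"IIS out-of-process account (GPO rights target)"

rem Add the machine-specific accounts; "already a member" is harmless here.
net localgroup Local-IUSR "%IUSR%" /add >nul 2>&1
net localgroup Local-IWAM "%IWAM%" /add >nul 2>&1

rem Move the anonymous account out of Guests, as the post recommends, so the
rem only rights it holds are the ones the GPO grants to Local-IUSR.
net localgroup Guests "%IUSR%" /delete >nul 2>&1

rem Leave a trace (assumed log path) so the result can be checked per server.
echo %DATE% %TIME% local IIS groups refreshed on %COMPUTERNAME%>>"%SystemRoot%\Temp\local-iis-groups.log"
endlocal
```

Link it under Computer Configuration > Windows Settings > Scripts (Startup) in the GPO for the IIS OU; the User Rights Assignment and Restricted Groups settings in the same GPO can then name Local-IUSR and Local-IWAM as free-form text, as the post describes.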



From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Linux'o Mania
Sent: 17 April 2007 08:58
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GP for IIS and SQL


Use a batch file with the following contents & put it in the Computer Startup Script 
section of the GPO...

net localgroup Administrators /add <domain\ID>


Replace <domain\ID> with your domain's NETBIOS name & domain account or group...




"Ranjan Babu .G" <ranjan.ganesh@xxxxxxxxxx> wrote:

        One of my customers has multiple servers running IIS and SQL under the IIS 
and SQL OU. While applying/editing group policy I have to select manually and add 
Administrators for each.
        How to resolve the below issue.
        1. For example: if I want to add sqladmin for a policy I have to add 
        server1\sqladmin, server2\sqladmin ....
        Instead of adding all server names, is there any shortcut method 
        available to add them in a single line?
        What is happening in our case is that if I add user “server1\sqladmin” in 
group policy, it applies the same user to all servers, which creates problems.
        Note: we have created a similarly named (sqladmin) user for this purpose.
        2. The domain server does not have IIS and SQL server installed. If I 
want to create/edit a 
        Group Policy for the IIS and SQL server OU, which is the best option: edit the 
        policy from the domain server GPMC or from another IIS/SQL server?
        We are facing a problem adding file security for c:\program files\MS SQL from the domain 
GPMC. It does not allow adding it because the path (SQL SERVER) is not available there.
        3. If I create a system variable, e.g. %BACKUP%, that gives the path to one of 
        my backup directories, 
        and I add this directory %BACKUP% in file system security at group policy 
        level, will all servers refer to the same path as given in the system 
variable and 
        apply the security settings given for the folder (%BACKUP%)?
        Thanks and Regards,



