I've been searching for many weeks now to find out whether it's safe to remove NT SERVICE\ALL SERVICES from the 'Log on as a service' user right assignment.
My goal here is to increase my GPO's security. I want to limit 'Log on as a service' strictly to the authorized service accounts on my servers. When a GPO containing 'Log on as a service' is created, NT SERVICE\ALL SERVICES is granted by default.
Is there any issue with removing this default permission and putting my service account identities there directly?
ALL SERVICES group to log on as a service by default. Be careful about overwriting any existing members, as services like IIS or Hyper-V tend to add their stuff to the ALL SERVICES group too.

Removing NT SERVICE\ALL SERVICES from 'Log on as a service' user right assignment is not safe. Every service uses that SID for 'Log on as a service' rights. You would have to add every virtual account (learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/…) like NT SERVICE\Spooler to that group, which would be a different list per computer.
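The comments above make two checkable claims: that NT SERVICE\ALL SERVICES (well-known SID S-1-5-80-0) is what most services rely on for this right, and that the set of virtual-account services differs from host to host. The script below is an added example, not something posted in the thread: it exports the local effective policy with `secedit`, lists who currently holds `SeServiceLogonRight`, and enumerates the services running as `NT SERVICE\<name>` virtual accounts that would need an explicit grant if the default were removed. Run it on each server before pushing a GPO that changes this right; the temp file path is an assumption of the example.

```powershell
# Added example: audit 'Log on as a service' (SeServiceLogonRight) on this host
# and show which virtual-account services depend on NT SERVICE\ALL SERVICES.
# Requires an elevated PowerShell session (secedit needs admin).

$cfg = Join-Path $env:TEMP 'secpol-userrights.inf'   # temp path chosen for this example
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The exported INF contains a line such as:
#   SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...-1105,CONTOSO\svc_sql
# SIDs are prefixed with '*'; already-resolved names appear as-is.
$line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=' | Select-Object -First 1
$entries = @()
if ($line) {
    $entries = ($line.Line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

$holders = foreach ($e in $entries) {
    if ($e.StartsWith('*')) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($e.TrimStart('*'))
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved SID)' }
        [pscustomobject]@{ Sid = $sid.Value; Account = $name }
    } else {
        [pscustomobject]@{ Sid = ''; Account = $e }
    }
}

"Current holders of SeServiceLogonRight on $env:COMPUTERNAME:"
$holders | Format-Table -AutoSize

# S-1-5-80-0 is the well-known SID for NT SERVICE\ALL SERVICES.
$allServicesGranted = @($holders.Sid) -contains 'S-1-5-80-0'

# Services configured to run under a per-service virtual account (NT SERVICE\<name>).
# These get 'Log on as a service' through ALL SERVICES unless granted individually,
# and the list is specific to the roles installed on this machine.
$virtualAccountServices = Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -like 'NT SERVICE\*' } |
    Select-Object Name, StartName, State, StartMode |
    Sort-Object Name

if ($allServicesGranted) {
    "`nNT SERVICE\ALL SERVICES is granted. Virtual-account services that currently rely on it:"
} else {
    "`nNT SERVICE\ALL SERVICES is NOT granted. Each of these needs an explicit grant or it will fail to start:"
}
$virtualAccountServices | Format-Table -AutoSize

Remove-Item $cfg -ErrorAction SilentlyContinue
```

Comparing the second table across a handful of servers (an IIS host, a Hyper-V host, a plain file server) shows directly why the per-computer list the comment warns about is hard to maintain centrally in a single GPO.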