
I've been searching for many weeks now for whether it's safe to remove NT SERVICE\ALL SERVICES from the 'Log on as a service' user rights assignment.

The goal here is to increase my GPO's security. I want to restrict logging on to my servers to the strictly authorized service accounts. When a GPO containing 'Log on as a service' is created, NT SERVICE\ALL SERVICES is granted by default.

Is there any issue with removing this default permission and putting my service account identities in directly?

  • If you use any group/managed service accounts (MSA/gMSA), they use the ALL SERVICES group to log on as a service by default. Be careful about overwriting any existing members, as services like IIS or Hyper-V tend to add their stuff to the ALL SERVICES group too.
    – Cpt.Whale
    Commented Aug 21, 2023 at 17:23
  • Since it is a local SID, I don't understand why all this stuff is added to this group. I believe it is a quick fix to allow access without restriction.
    – mtlllll
    Commented Aug 22, 2023 at 8:22
  • It looks like removing NT SERVICE\ALL SERVICES from the 'Log on as a service' user rights assignment is not safe. Every service uses that SID for 'Log on as a service' rights. You would have to add every virtual account (learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/…) like NT Service\Spooler to that group, which would be a different list per computer.
    – Cpt.Whale
    Commented Aug 22, 2023 at 13:55
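Before touching the setting, a practitioner would want to see, on a given server, who currently holds SeServiceLogonRight (the policy name behind 'Log on as a service') and which service logon accounts would be left without it if NT SERVICE\ALL SERVICES (well-known SID S-1-5-80-0) were replaced by an explicit list. The PowerShell below is an added example written for this page; it is not code from the question or the comments. It assumes an elevated session on the server whose effective policy you want to audit, uses the built-in `secedit.exe` export to read the assignment, and the function names (`Get-ServiceLogonRightHolders`, `ConvertTo-Sid`, `Get-ServiceLogonRightReport`) are introduced here for illustration.

```powershell
# Added example (not from the original question or comments).
# Audits SeServiceLogonRight on the local server and reports, per installed
# service, whether its logon account would still be covered if only the
# explicitly listed principals (and not NT SERVICE\ALL SERVICES) held the right.
# Assumptions: elevated PowerShell on the server to audit; secedit.exe present.

$AllServicesSid = 'S-1-5-80-0'   # NT SERVICE\ALL SERVICES

function Get-ServiceLogonRightHolders {
    # Export only the user-rights area of the effective local policy and return
    # the principals (as SIDs) on the SeServiceLogonRight line.
    $inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $line = Get-Content -Path $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
        if (-not $line) { return @() }
        # secedit writes SIDs as *S-1-5-...; strip the asterisk and whitespace.
        return ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') } |
            Where-Object { $_ }
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function ConvertTo-Sid([string]$Account) {
    # Resolve an account name such as 'NT SERVICE\Spooler' or 'CONTOSO\svc-web$'
    # to its SID string; returns $null if the name cannot be resolved here.
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }
}

function Get-ServiceLogonRightReport {
    # One row per service: logon account, account kind, and how (if at all) that
    # account currently holds the right. Only direct grants and ALL SERVICES are
    # evaluated; membership in other granted groups is not expanded.
    $holders = @(Get-ServiceLogonRightHolders)
    $hasAll  = $holders -contains $AllServicesSid
    $builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'

    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $account = $svc.StartName
        if (-not $account) { continue }

        if ($builtin -contains $account) {
            $kind = 'built-in'; $covered = 'n/a'
        } else {
            $kind = if ($account -like 'NT SERVICE\*') { 'virtual account (per-computer list)' }
                    elseif ($account.EndsWith('$'))    { 'MSA/gMSA' }
                    else                                { 'user account' }
            $sid = ConvertTo-Sid $account
            $covered = if ($hasAll) { 'via NT SERVICE\ALL SERVICES' }
                       elseif ($sid -and ($holders -contains $sid)) { 'direct grant' }
                       else { 'NOT GRANTED' }
        }

        [pscustomobject]@{
            Service = $svc.Name
            Account = $account
            Kind    = $kind
            Covered = $covered
        }
    }
}

# Usage: every non-built-in row showing 'via NT SERVICE\ALL SERVICES' is an
# identity you would have to add explicitly before removing ALL SERVICES.
Get-ServiceLogonRightReport |
    Where-Object { $_.Kind -ne 'built-in' } |
    Sort-Object Kind, Account |
    Format-Table -AutoSize
```

Run it on each server class you manage (IIS hosts, Hyper-V hosts, SQL hosts) before editing the GPO; because virtual accounts are named after the services installed on that particular machine, the rows differ from server to server, which is the point the comment above makes about a per-computer list.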
