Recently, at a customer, a service could not start because the User Rights Assignments on the server had been configured wrong. They had been defining these rights with one GPO per server, which is neither scalable nor easy to manage. The solution? Group Policy Preferences!

We start by creating a GPO and navigating to Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups. We right-click and select New -> Local Group.

We leave the action as Update. We give the group a name, in our case CLADM-LogOnAsService, and a description, in our case: Members of this group are granted the Logon as a Service permission on the local server. Because we don't want rogue permissions to survive, we check both the Delete all member users and Delete all member groups boxes, so that anything added to the local group by hand is removed at the next policy refresh. In the Members section, we click Add... and enter %DomainName%\GGADM-%ComputerName%_LogonAsService. Both are Group Policy Preferences variables: %DomainName% expands to the computer's domain and %ComputerName% to its NetBIOS name, so every server ends up pointing at its own domain group.

We repeat the same steps for CLADM-LogOnAsBatch, this time with the description Members of this group are granted the Logon as a Batch Job permission on the local server, and under Add Members we use %DomainName%\GGADM-%ComputerName%_LogonAsBatch instead.

Now we navigate to Computer Configuration -> Policies -> Security Settings -> Local Policies -> User Rights Assignment. Here we add CLADM-LogOnAsService and NT SERVICE\ALL SERVICES to the Log on as a service policy setting and click OK. Keep in mind that a User Rights Assignment defined in a GPO replaces the server's local list for that right rather than adding to it, which is why NT SERVICE\ALL SERVICES has to be re-added explicitly: leave it out and every service running under a service SID or virtual account loses the right.

And we add CLADM-LogOnAsBatch to the Log on as a batch job policy setting and click OK.

Now all that's left is linking the GPO to the OU where you want this dynamic system to apply, creating the global security groups GGADM-COMPUTERNAME_LogonAsService and/or GGADM-COMPUTERNAME_LogonAsBatch for the specific servers, and adding the (service) accounts as members. The COMPUTERNAME part must match the server's NetBIOS name exactly, because that is what %ComputerName% expands to; a server without a matching group simply ends up with an empty CLADM group.
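The provisioning and verification side of that procedure, as an added PowerShell example that is not part of the original post. The OU path, server names and account names are constructed sample data; the ActiveDirectory module and, for the check, the Microsoft.PowerShell.LocalAccounts module (Windows Server 2016 and later) are assumed to be available.

```powershell
# Added example, not the original post's code. Creates the per-server domain groups the
# GPO expects, then checks on a member server that the right actually landed.
# Assumptions (not in the original): the OU path, server and account names below are
# hypothetical sample data; the AD module is installed where the first part runs.
#Requires -Modules ActiveDirectory

$GroupOU = 'OU=ServiceLogonGroups,OU=Groups,DC=corp,DC=example'   # hypothetical OU
$Rights  = @{
    LogonAsService = 'Members are granted Log on as a service on {0} through the CLADM-LogOnAsService local group.'
    LogonAsBatch   = 'Members are granted Log on as a batch job on {0} through the CLADM-LogOnAsBatch local group.'
}

# Constructed sample input: which account needs which right on which server.
$Requests = @(
    [pscustomobject]@{ Server = 'app01.corp.example'; Right = 'LogonAsService'; Account = 'svc-app01' }
    [pscustomobject]@{ Server = 'app01.corp.example'; Right = 'LogonAsBatch';   Account = 'svc-batch' }
    [pscustomobject]@{ Server = 'SQL01';              Right = 'LogonAsService'; Account = 'svc-sql'   }
)

function Get-ServerRightGroupName {
    param([Parameter(Mandatory)][string]$Server, [Parameter(Mandatory)][string]$Right)
    if (-not $Rights.ContainsKey($Right)) { throw "Unknown right '$Right'" }
    # The group name must match what %ComputerName% expands to on the target: the NetBIOS
    # name, without a DNS suffix. Upper-case it so 'app01' and 'APP01' yield one group.
    $netbios = $Server.Split('.')[0].ToUpperInvariant()
    if ($netbios.Length -gt 15) { throw "'$Server' is longer than a NetBIOS name allows" }
    return "GGADM-${netbios}_$Right"
}

function Grant-ServerLogonRight {
    param([string]$Server, [string]$Right, [string]$Account)
    $name  = Get-ServerRightGroupName -Server $Server -Right $Right
    # Idempotent: only create the global security group when it does not exist yet.
    $group = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $group) {
        $group = New-ADGroup -Name $name -SamAccountName $name -GroupScope Global `
            -GroupCategory Security -Path $GroupOU `
            -Description ($Rights[$Right] -f $Server) -PassThru
    }
    Add-ADGroupMember -Identity $group -Members $Account
    return $group
}

function Revoke-ServerLogonRight {
    param([string]$Server, [string]$Right, [string]$Account)
    $name = Get-ServerRightGroupName -Server $Server -Right $Right
    # Revocation is just a membership change; the next policy refresh on the server
    # rebuilds the CLADM group from the domain group, so nothing local needs touching.
    Remove-ADGroupMember -Identity $name -Members $Account -Confirm:$false
}

# Run this ON the member server after 'gpupdate /target:computer /force'. It reads the
# effective User Rights Assignment with secedit and confirms both that the CLADM group
# holds the right and that NT SERVICE\ALL SERVICES (S-1-5-80-0) was not dropped.
function Test-LocalLogonRight {
    param(
        [string]$LocalGroup = 'CLADM-LogOnAsService',
        [string]$Privilege  = 'SeServiceLogonRight'      # 'SeBatchLogonRight' for batch
    )
    $groupSid = (Get-LocalGroup -Name $LocalGroup -ErrorAction Stop).SID.Value
    $cfg = Join-Path $env:TEMP 'ura-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    # secedit writes one line per right, e.g. 'SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...'
    $line = Get-Content $cfg | Where-Object { $_ -match "^$Privilege\s*=" }
    Remove-Item $cfg -Force -ErrorAction SilentlyContinue
    $sids = @()
    if ($line) {
        $sids = ($line -split '=', 2)[1].Trim().Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
    }
    [pscustomobject]@{
        LocalGroup       = $LocalGroup
        GroupHasRight    = $sids -contains $groupSid
        AllServicesKept  = $sids -contains 'S-1-5-80-0'
        Members          = (Get-LocalGroupMember -Group $LocalGroup).Name
    }
}

# Provision everything in the request list (run on a host with the AD module).
foreach ($r in $Requests) {
    Grant-ServerLogonRight -Server $r.Server -Right $r.Right -Account $r.Account | Out-Null
}
```

The two halves run in different places: the Grant/Revoke functions on an admin host with the RSAT AD module, and Test-LocalLogonRight on the server itself after a policy refresh. A result with GroupHasRight true but AllServicesKept false means the User Rights Assignment in the GPO was saved without NT SERVICE\ALL SERVICES, and services running under virtual accounts will fail to start at the next restart.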

In my customer's scenario, this replaces 50 per-server GPOs with a single GPO plus 50 domain groups. Because the rights are now driven purely by group membership, it can also be integrated with ServiceNow/SailPoint, so that granting and revoking Logon as a Service/Batch Job permissions becomes a request item that adds or removes an account from the right group.

Some additional GPOs may still be needed for servers that run IIS and use the IIS App Pool identity, such as ConfigMgr servers, because those identities are not covered by the groups above. Kenneth Van Surksum on Modern Workplace Blog goes deeper into how to apply the settings in the GPO for these edge cases.