Safe removal of NT SERVICE\All services from GPO log on as a service

Anonymous
2023-08-22T08:21:16.2633333+00:00

I've been searching for many weeks now to find out whether it's safe to remove NTSERVICE\ALL SERVICES from the 'Log on as a service' user right assignment in a GPO for a server.

The goal here is to increase my GPO's security. I want to strictly limit logon on my servers to the authorized service accounts. When a GPO containing Log on as a service is created, by default NTSERVICE\ALL SERVICES is granted.

Is there any issue with removing this default permission and directly adding my service accounts' identities?


1 answer

  1. Anonymous
    2023-08-23T01:06:38.46+00:00

    Hello Meot, Louis,

    Thank you for posting in Q&A forum.

    Is there any issue with removing this default permission and directly adding my service accounts' identities?
    A: I think you can remove this default permission and add your service accounts.

    However, you should also change the service account from the default permission to your service account for the specific service on that server.

    For more information, please read this link below.
    https://theitbros.com/logon-as-a-service/

    Hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,
    Daisy Zhou


    1 person found this answer helpful.
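
A pre-change audit for the removal discussed above, as an added example that is not part of the original thread. It lists services on the server whose logon account would not be covered once only an explicit allow-list remains in "Log on as a service". Assumptions: the `$Allowed` entries are constructed sample names, `Get-ServiceLogonRisk` is a hypothetical helper, services running as `NT SERVICE\<name>` virtual accounts currently receive the right through NT SERVICE\ALL SERVICES, and the built-in system accounts do not depend on the policy entry.

```powershell
# Added example: hypothetical pre-change audit; run elevated on the target server.
# $Allowed is a constructed placeholder list; replace it with the accounts the
# new GPO will grant "Log on as a service" (SeServiceLogonRight).
$Allowed = @('CONTOSO\svc-backup', 'CONTOSO\svc-sql')   # constructed sample values

# Assumption: these built-in accounts do not depend on the policy entry.
$BuiltIn = @('LocalSystem', 'NT AUTHORITY\SYSTEM',
             'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

function Get-ServiceLogonRisk {
    param(
        [Parameter(Mandatory)] [object[]] $Services,   # objects with Name and StartName
        [string[]] $AllowedAccounts = @()
    )
    foreach ($svc in $Services) {
        $account = $svc.StartName
        if ([string]::IsNullOrEmpty($account)) { continue }   # no logon account set
        if ($BuiltIn -contains $account) { continue }
        # NT SERVICE\<name> is a per-service virtual account.
        $kind = if ($account -like 'NT SERVICE\*') { 'VirtualAccount' } else { 'NamedAccount' }
        # Note: StartName may be DOMAIN\user, .\user or user@domain; write the
        # allow-list in the same form the service configuration uses.
        [pscustomobject]@{
            Service = $svc.Name
            Account = $account
            Kind    = $kind
            Covered = ($AllowedAccounts -contains $account)
        }
    }
}

# 1. Services that would lose the right if only $Allowed remains in the GPO.
$services = Get-CimInstance -ClassName Win32_Service
Get-ServiceLogonRisk -Services $services -AllowedAccounts $Allowed |
    Where-Object { -not $_.Covered } |
    Sort-Object Kind, Service | Format-Table -AutoSize

# 2. Current assignment on this machine, for comparison. Entries are account
#    names or *SIDs; *S-1-5-80-0 is NT SERVICE\ALL SERVICES.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Select-String -Path $cfg -Pattern '^SeServiceLogonRight' | ForEach-Object { $_.Line }
Remove-Item $cfg
```

Any row reported by step 1 needs either an explicit entry in the GPO or a change of the service's logon account before the default entry is removed.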
