This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
I've searched for many weeks now if it's safe to remove NTSERVICE\ALL SERVICES from 'Log on as a service' User right assigment in a GPO for a server.
Goal here is to increase my GPO's security. I do want to limit to the strict autorized service accounts to log on my servers. When a GPO containing Log on a service is created, by default NTSERVICE\ALL SERVICES is granted.
Is there any issue with removing this default permission and putting directly my Service accounts identities?
Is it possible to have a workaround ureplacing NTSERVICE\ALLSERVICES with NTAUTHORITY\NETWORKSERVICE or LOCALSERVICE or SERVICE?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello Meot, Louis,
Thank you for posting in Q&A forum.
Is there any issue with removing this default permission and putting directly my Service accounts identities?
A: I think you can remove this default permission and add your service accounts.
However, you should also change service account from default permission to your service account on specific service on that server.
For more information, please read this link below.
https://theitbros.com/logon-as-a-service/
Hope the information above is helpful.
If you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Is it possible to have a workaround replacing NTSERVICE\ALLSERVICES with NTAUTHORITY\NETWORKSERVICE or LOCALSERVICE or SERVICE?