Permanently disable print spooler service on domain controller

Question

I am using Windows Server 2019 as domain controller. I disable print spooler service as a security measure. But the service starts automatically after some hours. When it checked in event logs it shows that SYSTEM user has started this print spooler service. How can I permanently disable print spooler service on domain controller. Thanks

Answer 1

I use GPOs to force the service to remain disabled on my DCs and other servers. Have not had an issue with them restarting on mine.

Answer 2

Thank You for the reply.

Few days before i created the GPO as you advised. But i see that permissions and auditing is not defined in my case. Plz tell it permissions and auditing are necessary to get result.

Regards

Answer 3

I believe in my example my intention was to prevent anyone (i.e., my admins) from being able to change or start the service. I did that by denying the NT AUTHORITY\INTERACTIVE identity which applies to anyone who logs into the system "interactively".

With that said, I'm sure I've done testing in the past where I started the service (had to remove that deny permission to do so) and when I ran gpupdate it would immediately stop and disable the service again.

I can't imagine any reason your GPO would not work for you unless it somehow was not properly applying to your domain controllers. Did you run a GPResult to validate that it was?

If it was, you could try adding another deny entry but for NT AUTHORITY\SYSTEM, seeing how it is the one restarting your service based on your OP, however I would caution against that because if you ever want to remove that GPO, it may not properly remove it from the DC since I believe that's all done under the SYSTEM identity. May end up locking yourself out of that service entirely.

-Matthew