Gordon
Guest
Posted: Wed Dec 22, 2004 11:13 pm
Post subject: Security Question

I am trying to set up the Management Server Action Account as a low
privileged account by making it a domain user and giving it the following
rights on each of my Windows 2003 agents:
• Member of the local Users group
• Member of the local “Performance Monitor Users” group
• “Manage auditing and security log” permission (SeSecurityPrivilege)
• “Allow log on locally” permission (SeInteractiveLogonRight)
I have 200 servers, and obviously do not want to visit each machine, so I am
trying to set up a group policy to populate these rights on each server. Now
I have a couple of issues with this. Firstly, I can easily set up the User
rights assignment, but how can I populate the local groups? I believe with
group policy the only way to populate a local group is using "restricted
groups", but if I understand correctly this only affects the local
administrators group, so how do I get the action account in the “Performance
Monitor Users” for example?
Also, how do I set these local permissions against a domain controller which
has no local groups?
Any ideas greatly appreciated.
Gordon

James Morey
Guest
Posted: Thu Jan 06, 2005 6:45 am
Post subject: Re: Security Question

Just curious - why are you doing this?
--
=====================
NOTE - This posting is provided "AS IS" with no warranties, and confers no
rights.
James Morey | Microsoft | Windows & Enterprise Management Division
=====================
"Gordon" <Gordon@discussions.microsoft.com> wrote in message
news:F987BC8E-6BDB-4B77-9CEE-B07141BE112A@microsoft.com...
Quote:
I am trying to set up the Management Server Action Account as a low
privileged account by making it a domain user and giving it the following
rights on each of my Windows 2003 agents:
• Member of the local Users group
• Member of the local "Performance Monitor Users" group
• "Manage auditing and security log" permission (SeSecurityPrivilege)
• "Allow log on locally" permission (SeInteractiveLogonRight)
I have 200 servers, and obviously do not want to visit each machine, so I am
trying to set up a group policy to populate these rights on each server. Now
I have a couple of issues with this. Firstly, I can easily set up the User
rights assignment, but how can I populate the local groups? I believe with
group policy the only way to populate a local group is using "restricted
groups", but if I understand correctly this only affects the local
administrators group, so how do I get the action account in the "Performance
Monitor Users" for example?
Also, how do I set these local permissions against a domain controller which
has no local groups?
Any ideas greatly appreciated.
Gordon