-
1. Re: What all permissions needed for the local server account
Soundappan Shanmugam Dec 16, 2015 1:14 AM (in response to Soundappan Shanmugam)will the below GPO work the local account?
can the below be part of the the local account? and will it work fine?
- Deny access to this computer from the network
- Deny log on as a batch job
- Deny log on as a service
- Deny log on locally
-
2. Re: What all permissions needed for the local server account
Bill RobinsonDec 16, 2015 7:06 AM (in response to Soundappan Shanmugam)
do those settings allow you to perform whatever actions you need to as the mapped user ?
what actions do you need to perform on the target server ? what privileges does the OS Vendor say you need to perform those actions ? why would we provide a list of privileges that should be supplied by the OS Vendor ?
-
3. Re: What all permissions needed for the local server account
Soundappan Shanmugam Dec 16, 2015 7:39 PM (in response to Bill Robinson)Currently we are planning to have a local user account which is added part of local admin group
But as per standards of the organizations the local account should have the below restrictions
- Deny access to this computer from the network
- Deny log on as a batch job
- Deny log on as a service
- Deny log on locally
I can get the point that deny logon locally and as batch job can be good but not sure of the other two points mentioned and if that is passed on for the local account will as usual patching or any other work related tasks can work via blade logic is my Q Bill Robinson
-
4. Re: What all permissions needed for the local server account
Yanick Girouard Dec 17, 2015 8:06 AM (in response to Soundappan Shanmugam)The BladeLogicRSCD account must be part of the Logon as Batch Job policy, and so does the impersonnation user, whether you use automation principals or impersonnation mapping.
-
5. Re: What all permissions needed for the local server account
Bill RobinsonDec 18, 2015 4:19 PM (in response to Soundappan Shanmugam)
Iirc the most restrictive permissions should take effect, so the ‘deny logon as batch job’ might be a problem. the others should not be. try it and see what happens.