Hi all
I need to specify an account with 'log on as a service' rights for our enterprise antivirus program to use.
In AD (configured before i started the job) i have noticed that under default domain policies we had no such accounts specified under 'local policies > user rights assignment', but we have two acocunts specified in the policies for one of our OU's. The accounts specified include the NTSERVICE account which isn't even in the OU, neither is the other account.
I don't know why it was done like this except that the OU's group policy is for locked down domain user accounts -but i thought a 'log on as a service' account can't be used maliciously irrespective of what other policies are applied as they have no admin rights over a DC, and anyway i thought policies only affect the users specified in that OU which doesn't apply to the two 'log on as a service' accounts.
and i'm not sure whether it's good or bad practice could someone pls suggest good practive in this regard. Should i add an account to this OU policy or to the default domain policy. And where should the account be placed
I need to specify an account with 'log on as a service' rights for our enterprise antivirus program to use.
In AD (configured before i started the job) i have noticed that under default domain policies we had no such accounts specified under 'local policies > user rights assignment', but we have two acocunts specified in the policies for one of our OU's. The accounts specified include the NTSERVICE account which isn't even in the OU, neither is the other account.
I don't know why it was done like this except that the OU's group policy is for locked down domain user accounts -but i thought a 'log on as a service' account can't be used maliciously irrespective of what other policies are applied as they have no admin rights over a DC, and anyway i thought policies only affect the users specified in that OU which doesn't apply to the two 'log on as a service' accounts.
and i'm not sure whether it's good or bad practice could someone pls suggest good practive in this regard. Should i add an account to this OU policy or to the default domain policy. And where should the account be placed
