Assigning local permissions via GPO

Hello,

I am required to install some log forwarding software (Splunk) across our entire Windows environment.  The software requires the following permissions on the service account that it runs under:

Full control over Splunk's installation directory
Read access to any files that will be indexed
Permission to log on as a service
Permission to log on as a batch job
Replace a process level token
Permission to act as part of the operating system
Permission to bypass traverse checking

I attempted to push these permissions out using a GPO, but during testing I realized that while the GPO successfully granted these permissions to the splunk service account, it also removed those permissions from every other user account.  For example, the ONLY account with "replace a process level token" was the splunk service account; all other accounts were removed by the GPO.

I only want to add this account with the above permission, I don't want to alter any existing permissions and I need to push this out to the entire Windows Domain (this includes 2000, 2003, 2008, and 2008R2).  Can this be done via GPO?

Thanks.

March 21st, 2011 2:50pm

You need to provide more information. How did you configure the GPO? There should be something wrong. What's the OS on the server?
March 22nd, 2011 5:50am

Perhaps this will clarify my situation, this is directly from the Splunk install documentation:

Required Local Security Policy user rights assignments for the splunkd service:

  • Permission to log on as a service
  • Permission to log on as a batch job
  • Permission to replace a process-level token
  • Permission to act as part of the operating system
  • Permission to bypass traverse checking

Using Group Policy to assign user rights domain-wide

If you want to assign the policy settings shown above to all member servers in your AD domain, you can define a Group Policy object (GPO) for these specific rights and deploy that GPO across the domain or forest using the Domain Security Policy MMC snap-in (use the Domain Controller Security Policy snap-in for domain controllers). The member servers in your domain will pick up the changes either during the next scheduled AD replication cycle (usually every 2-3 hours), or at the next boot time.

**Remember that identical Local Security Policy user rights defined on a member server are overwritten by the rights inherited from a GPO, and you can't change this setting. If you wish to retain previously existing rights defined on your member servers, they'll also need to be assigned within the GPO.**

So my understanding is that if I grant the splunk service account permission to log on as a service and then push that out via GPO, then ONLY the splunk service account will have permission to log on as a service.  All other pre-existing permissions will be removed by the GPO above.  As it also states: "If you wish to retain previously existing rights defined on your member servers, they'll also need to be assigned within the GPO."

It would be impossible to include all service accounts in our entire forest using this GPO.  Surely there's another way?

March 22nd, 2011 7:05pm

The introduction does not tell how to do that via GPO, so it's hard to say whether the other pre-existing permissions will be removed by the GPO. Since the introduction is from splunk.com, you'd better ask Splunk: http://answers.splunk.com/
March 24th, 2011 3:15pm

Hi dbutch1976,

If I were you, I'd go this way:

1. create a domain user account for the splunk application.

2. either add this new account to the local Administrators group on servers that need it (using GPO - Restricted Groups)

OR use GPO to ADD the new account to the existing list of users who already have the "log on as a service", "log on as a batch job" and so on rights.

3. set the splunkd service to run under the newly created account (using GPP - Services)
March 24th, 2011 4:09pm

Here is a small test I performed today:

1.  Created a new account in AD called Splunkd

2.  Created a new OU called splunktest

3.  Added the computer called splunkdcomputer to the Splunktest OU.

4.  Logged into splunkdcomputer and granted several accounts permission to log on as a service (service1, service2, service3)

5.  Verified that all three service accounts appear with the log on as a service permission on the local computer.

6.  Configured a GPO to grant log on as a service permission to the splunkd account.

7.  Moved the Splunkdcomputer account into the splunktest OU.

8.  From splunkdcomputer performed a gpupdate /force.

9.  Opened the local security policy.  Now the ONLY account that has permission to log on as a service is the splunkd account.

This is completely unacceptable!  My domain has dozens of unique service accounts and if this GPO removes them all and only leaves the splunkd account then services across my domain will come crashing down!

On the other hand, I can't add all the required service accounts across my entire domain to the GPO because that would grant them permissions across the domain, to systems they don't even use!

I am trying to avoid manually adding the splunkd service account to each system in my domain.  There has got to be a way to simply append this account to the local computers security policy, not overwrite it!  Can this be done through the command line?  If it can I could probably add it to my installation script.

March 25th, 2011 1:52pm

Hello, I still need assistance with this issue.  Someone has suggested using NTRIGHTS.EXE, which is part of the Windows NT Resource Kit Supplement Two.  More details can be found here:

http://www.windowsitpro.com/article/resource-kit/how-can-i-grant-user-rights-from-the-command-line-.aspx

The problem is that I'm assuming I'm going to need to roll the .exe file out across my domain in order to make it work.  Does anyone have experience with ntrights.exe?

March 28th, 2011 4:43pm

Hi dbutch1976,

If you change them from the default, you have to write down NOT ONLY your account, but the default accounts too. For that, the simplest way is to get on a server, check the policies you want to change and see what groups/users are assigned for each of them. And all you have to do is to ADD them also!

P.S. In the Explanation tab of the policy, you'll also have the default groups/users for each of them ("log on as a service" and "log on as a batch job").

March 28th, 2011 5:06pm

I don't think I understand.  How can I roll such a GPO out company-wide?  If I have a custom service account running my Virtual Center on one server and it requires run as a service permission, I don't want to add the account to my GPO, because that would grant run as a service permission on any computer the GPO is applied to.  Overwriting the existing permissions on any machine is not my goal here.  I simply want to add this single account.  I'm beginning to think that it's not possible via GPO.

I also don't think I can do this across my domain because the ntrights.exe tool I found apparently only works on Pre-Windows 2008 Operating Systems.

March 28th, 2011 6:42pm

dbutch1976,

If you don't want to grant the splunkd account "run as a service" permission on any computer the GPO is applied to, you should revise your product choice, because as far as I understand from your initial statement, the Splunk program asks for it:

Full control over Splunk's installation directory
Read access to any files that will be indexed
Permission to log on as a service
Permission to log on as a batch job
Replace a process level token
Permission to act as part of the operating system
Permission to bypass traverse checking

So, either you get rid of your Splunk software or play the music and make the changes as I mentioned: at point 6 of your test, you ADD SPLUNKD + ALL OTHER GROUPS/USERS mentioned in my last message above.

And yes, you can always ask the vendor for another solution acceptable for you.

  • Proposed as answer by Voldar Tuesday, March 29, 2011 12:31 AM
  • Marked as answer by dbutch1976 Wednesday, March 30, 2011 1:51 PM
March 29th, 2011 12:29am

I'm disappointed that this appears to be the only route I can take, but all my research seems to indicate that your statement is correct.  Thanks for the help.
March 30th, 2011 1:52pm

Crikey, what an annoying set of non-answers! I don't usually answer questions, but after reading all this nonsense I feel compelled to assist. Even basic comprehension of the question seems to be a struggle for most of the respondents!

Rant over!

My understanding of the issue is this:

You need to append a new domain user to the existing local list of Log on as a Service users across machines in your domain via group policy, effectively merging the existing local list with a new domain user assigned via GPO (group policy object).

This can be tricky for some User Rights Assignment features, however not for Log on as a Service.

Fix #1:

Create a new GPO: Service_Accounts

Edit policy:

  1. Firstly, let's give your Splunk account local admin on all boxes, since it covers off all required permissions. Don't worry, we'll secure the account so it can't be abused; see step 2.

Computer Configuration/Preferences/Control Panel Settings/Local Users and Groups/Local Group (Name: Administrators (built-in))

Properties:

- Group name: Administrators
- Delete all members: Disabled
- Delete all member groups: Disabled
- Add Members: YourDomain\YourSplunkAccount

  2. Let's prevent the Splunk account from being used as a standard admin account (secure it as a service account).

Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignment/

Properties:

- Deny log on locally: YourDomain\YourSplunkAccount
- Deny log on through Terminal Services: YourDomain\YourSplunkAccount

Done.

Fix #2:

Use group policy loopback mode and set it to merge.

  • Marked as answer by dbutch1976 Friday, October 04, 2013 2:44 PM
October 4th, 2013 12:59pm
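For anyone landing on this thread with the same problem, here is a worked script for the two approaches it settles on: the original poster's "append the account to the local policy from my install script instead of overwriting it", and a check for Tilling's Fix #1 (local admin plus deny interactive and Remote Desktop logon). This is an added example written for this page, not code from the thread, from Splunk or from Microsoft. It assumes PowerShell 2.0 or later running elevated on Windows Server 2008/2008 R2 (the Windows 2000/2003 hosts mentioned earlier have secedit.exe too, so the same export/edit/configure steps can be done from a batch file), and `CONTOSO\svc_splunkd` is a constructed placeholder for the real service account. The privilege constants are the standard Windows names for the five user rights quoted from the Splunk documentation.

```powershell
# Added example (not from the thread, Splunk or Microsoft): append an account to the
# local User Rights Assignment without dropping existing holders, and verify hardening.
# Assumes PowerShell 2.0+, elevated, Windows Server 2008/2008 R2; secedit.exe is the only
# external tool. 'CONTOSO\svc_splunkd' is a constructed placeholder.
# Caveat from the thread itself: if a GPO defines the same right, the GPO list replaces the
# local list at the next policy refresh, so this only sticks for rights no GPO defines.
$ErrorActionPreference = 'Stop'

# Windows privilege constants for the five rights in the Splunk documentation quoted above.
$SplunkPrivileges = @(
    'SeServiceLogonRight',           # Log on as a service
    'SeBatchLogonRight',             # Log on as a batch job
    'SeAssignPrimaryTokenPrivilege', # Replace a process level token
    'SeTcbPrivilege',                # Act as part of the operating system
    'SeChangeNotifyPrivilege'        # Bypass traverse checking
)

function Resolve-AccountSid {
    # secedit writes holders as "*S-1-5-...", so compare and write SIDs rather than names.
    param([string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Export-UserRights {
    # Dump the effective local [Privilege Rights] section to an INF (UTF-16LE with BOM).
    param([string]$Path)
    & secedit.exe /export /cfg $Path /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }
    return @(Get-Content -Path $Path)
}

function Get-PrivilegeHolders {
    # Holders of one privilege exactly as written in the INF ("*SID" or "DOMAIN\name"); empty if none.
    param([string[]]$Lines, [string]$Privilege)
    $line = $Lines | Where-Object { $_ -match "^\s*$Privilege\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    return @((($line -split '=', 2)[1]) -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Add-AccountToPrivileges {
    # Append the account to each privilege, keeping every existing holder, then re-import.
    # Returns the privileges that were actually changed (empty if the account already had them all).
    param([string]$Account, [string[]]$Privileges)
    $cfg   = Join-Path $env:TEMP 'userrights.inf'
    $db    = Join-Path $env:TEMP 'userrights.sdb'
    $sid   = '*' + (Resolve-AccountSid $Account)
    $lines = @(Export-UserRights -Path $cfg)
    $added = @()
    foreach ($priv in $Privileges) {
        $holders = @(Get-PrivilegeHolders -Lines $lines -Privilege $priv)
        if ($holders -contains $sid -or $holders -contains $Account) { continue }
        $entry = "$priv = " + (($holders + $sid) -join ',')
        if ($holders.Count -gt 0) {
            # Extend the existing line in place so the current holders survive.
            $lines = @($lines | ForEach-Object { if ($_ -match "^\s*$priv\s*=") { $entry } else { $_ } })
        } else {
            # Nobody holds it explicitly yet, so there is no line to extend: add one under the header.
            $idx = [array]::IndexOf($lines, '[Privilege Rights]')
            if ($idx -lt 0) { $lines += '[Privilege Rights]'; $idx = $lines.Count - 1 }
            $tail = @()
            if ($idx -lt $lines.Count - 1) { $tail = $lines[($idx + 1)..($lines.Count - 1)] }
            $lines = @($lines[0..$idx]) + $entry + $tail
        }
        $added += $priv
    }
    if ($added.Count -eq 0) { return @() }
    Set-Content -Path $cfg -Value $lines -Encoding Unicode
    & secedit.exe /configure /db $db /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }
    return $added
}

function Test-ServiceAccountHardening {
    # Verify Tilling's Fix #1 on this host: the account is in local Administrators AND is
    # denied interactive and Remote Desktop logon, so its admin rights are usable only by the service.
    param([string]$Account)
    $sid   = Resolve-AccountSid $Account
    $lines = @(Export-UserRights -Path (Join-Path $env:TEMP 'userrights_check.inf'))
    $group = [ADSI]'WinNT://./Administrators,group'
    $memberSids = @($group.psbase.Invoke('Members') | ForEach-Object {
        $bytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    })
    $result = @{
        IsLocalAdmin     = $memberSids -contains $sid
        DeniedLocalLogon = (Get-PrivilegeHolders $lines 'SeDenyInteractiveLogonRight') -contains "*$sid"
        DeniedRdpLogon   = (Get-PrivilegeHolders $lines 'SeDenyRemoteInteractiveLogonRight') -contains "*$sid"
    }
    $result.Hardened = $result.IsLocalAdmin -and $result.DeniedLocalLogon -and $result.DeniedRdpLogon
    return $result
}

# Usage (placeholder account, constructed for this example):
$svc = 'CONTOSO\svc_splunkd'
Add-AccountToPrivileges -Account $svc -Privileges $SplunkPrivileges | ForEach-Object { "granted $_" }
Test-ServiceAccountHardening -Account $svc
```

Run it once before and once after a `gpupdate /force` and diff the `Get-PrivilegeHolders` output: if the pre-existing service1/service2/service3 holders from the test above vanish, a GPO is defining that right and the local append cannot win, which is exactly what the Splunk documentation quoted earlier warns about. The `ntrights.exe` tool mentioned above does the same append in one call (`ntrights +r SeServiceLogonRight -u CONTOSO\svc_splunkd`) but, as noted, is only supported on pre-2008 systems, whereas secedit ships with every Windows version in this thread.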

Thanks so much for your reply!  That issue was from years ago; the only way I was able to make it work was to create a script which manually modified the local permissions on the server for the Splunk service account, then use the script to install Splunk on all servers across my domain.

It worked, but it was a totally ridiculous way to do things and I had a feeling there was a better way.  If I ever encounter this again I will definitely keep this in mind!

October 4th, 2013 2:46pm

Nice work, glad you got it sorted!

October 4th, 2013 2:52pm

Oh "Tilling", what an excellent and most useful reply. I have been looking around and waiting for this kind of an answer to arise.  I will put this into motion...

And of course I will ensure that my Spunk account is always most secure.

October 4th, 2013 3:16pm

Just super! I will sleep sound knowing littlebusman's Spunk is safe:)

  • Edited by Tilling Friday, October 04, 2013 3:22 PM
October 4th, 2013 3:19pm

Really got to watch the spelling with Splunk.  I knew someone who forwarded an e-mail to several people talking about an issue he had with his "thick disk" that had an unfortunate spelling error in it.
  • Edited by dbutch1976 Friday, October 04, 2013 3:21 PM
October 4th, 2013 3:19pm

dbutch1976,

I am having the same problem as described in this post, and I was not familiar with the loop-back option you mentioned.  Unfortunately, I do not see how that will fix my problem, since this setting appears to only apply to "User Configuration" options, not "Computer Configuration", which is where the GPO is applying the "Log on as a service" setting.  Am I missing something?

August 28th, 2015 2:29pm
