I'm trying to determine the best practice for this particular need (having a deployment user with Log On As a Service [LOAAS] rights on my target domain clients).
One of the first errors I encountered during my PDQ Deploy trial period was my domain/administrator account not having LOAAS rights on my target PCs. So during testing I created a test GPO that gave my domain\administrator account LOAAS rights to the test clients in my test OU. Worked great.
Now I'm looking for a good way to do this to my production OUs without having to add 50 more links to yet another GPO just for this particular need. I've never had a need before to set LOAAS rights domain-wide or even OU-wide, so I'm struggling with why I even need to do this.
I'm generally loathe to modify my Default Domain Policy so I don't want to apply it there, and I don't plan to deploy stuff to servers through PDQDeploy so I don't want to link this new "LOAAS GPO" at the domain level. But then I don't really want to have to link it to each one of my (lots of) target production OUs either and clutter up my GPMC any more than I have to.
Is there a better way to do this? Should I even be using my domain\administrator account for this?
I'd love to hear how others are fulfilling this LOAAS requirement with the least amount of fuss and security implications. Thanks!
Please sign in to leave a comment.