Important Notice: On February 29th, this community will be put into read-only mode. All existing posts will remain but customers will be unable to add new posts or comment on existing. Please feel to join our Community Discord for any questions and discussions.

Best way to setup deployment user for "Log On As a Service"?

I'm trying to determine the best practice for this particular need (having a deployment user with Log On As a Service [LOAAS] rights on my target domain clients).

One of the first errors I encountered during my PDQ Deploy trial period was my domain/administrator account not having LOAAS rights on my target PCs.  So during testing I created a test GPO that gave my domain\administrator account LOAAS rights to the test clients in my test OU.  Worked great.

Now I'm looking for a good way to do this to my production OUs without having to add 50 more links to yet another GPO just for this particular need.  I've never had a need before to set LOAAS rights domain-wide or even OU-wide, so I'm struggling with why I even need to do this.

I'm generally loathe to modify my Default Domain Policy so I don't want to apply it there, and I don't plan to deploy stuff to servers through PDQDeploy so I don't want to link this new "LOAAS GPO" at the domain level.  But then I don't really want to have to link it to each one of my (lots of) target production OUs either and clutter up my GPMC any more than I have to.  

Is there a better way to do this?  Should I even be using my domain\administrator account for this?  

I'd love to hear how others are fulfilling this LOAAS requirement with the least amount of fuss and security implications.  Thanks!



1 comment
Date Votes
  • Hi Brad,

    Assuming you are deploying with Admin rights the Log On As A Service right will be granted as part of the deployment. This is why most folks don't need to worry about it. However if you have a policy (usually enforced via GPO) that denies this right to all but certain accounts then you'll need to change the policy to add the Deployment User account(s). 

    This right is needed because all deployments are actually carried out by a Windows Service that is created as part of a deployment. This service is called PDQDeployRunner-n. (The n is usually 1 but it could be 2, 3, 4 etc. depending on other deployments taking place on the machine). This is why PDQ Deploy doesn't need an agent. The service is created at the beginning of the deployment and then the service logs on as the Deploy User. When the deployment is completed the service gets deleted.

    It sounds like your environment will require that this be resolved from the Domain level. If you look at the comments in the forum post below you'll see that one PDQ Deploy user had a GPO that actually stripped out accounts that had been given this right. Sounds like a similar situation to yours.


Please sign in to leave a comment.

Didn't find what you were looking for?

New post