Best way to setup deployment user for "Log On As a Service"?
I'm trying to determine the best practice for this particular need (having a deployment user with Log On As a Service [LOAAS] rights on my target domain clients).
One of the first errors I encountered during my PDQ Deploy trial period was my domain/administrator account not having LOAAS rights on my target PCs. So during testing I created a test GPO that gave my domain\administrator account LOAAS rights to the test clients in my test OU. Worked great.
Now I'm looking for a good way to do this to my production OUs without having to add 50 more links to yet another GPO just for this particular need. I've never had a need before to set LOAAS rights domain-wide or even OU-wide, so I'm struggling with why I even need to do this.
I'm generally loathe to modify my Default Domain Policy so I don't want to apply it there, and I don't plan to deploy stuff to servers through PDQDeploy so I don't want to link this new "LOAAS GPO" at the domain level. But then I don't really want to have to link it to each one of my (lots of) target production OUs either and clutter up my GPMC any more than I have to.
Is there a better way to do this? Should I even be using my domain\administrator account for this?
I'd love to hear how others are fulfilling this LOAAS requirement with the least amount of fuss and security implications. Thanks!