Discussion:
Can you add services to a GPO's System Services node?
AI
2005-07-13 21:57:05 UTC
In GPOs, under Computer Configuration->Windows Settings->Security Settings
there is a System Services node that allows the group policy to configure
services on computers to which the policy is applied. I had previously
thought that this was limited to services that come with the OS distribution,
but I noticed that this list also includes services for anti-virus software
that is installed on the domain controllers. Seeing that this list can be
expanded beyond the standard set of services, I poked around the
documentation to find out how to add services that are not installed on the
domain controller (so that the policy can control services that, for
example, are only installed on workstations), but I couldn't find an answer.
Is this possible, or can group policy only control services that exist on the
domain controllers?
GeeB
2005-07-13 22:29:17 UTC
Yes, you can add any service at all, including third-party or custom built
services. What you see in the 'System Services' are the services that are
installed on that machine you are running the GPEditor/GPMC.

To get it from another machine that doesn't have ADUC/GPMC...
- Log on to the machine that has the service you want to manage.
- Run Start>Run>MMC
- Add the 'Security Policy Templates' snap-in
- Create a new template
- Edit that template's 'System services' node and you'll see the services on
that machine. Simply add the service you want to the policy by just adding
the default setting (Automatic/Everyone-FC). Don't set any other policies,
just the services you want. Note: Not knowing the OS and what GP editor you
are running, leaving the defaults for this step is recommended as there are
some known issues.
- Save the file
- Copy that file to the machine where you run the GP Editor (ex. Domain
Controller).
- Edit your desired policy and go to the 'Security' node, right-click,
choose import to import the file with the service you just grabbed.
- Your service is now in the policy. Just edit the service with the proper
permissions and startup state as desired.

Hope that helped.
G
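
The steps above say to put only the service entries in the template before importing it into the GPO. As an added example (not part of the original thread), this PowerShell function lists the service entries in a saved template and warns when other policy sections are also set; the sample template text, the service name `ExampleAvAgent` and the function name `Test-ServiceOnlyTemplate` are constructed for illustration.

```powershell
# Constructed sample of a security template (.inf) as saved by the snap-in.
# "ExampleAvAgent" is a hypothetical service; the SDDL grants Everyone (WD)
# full control, matching the default setting the post describes.
$sample = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
"ExampleAvAgent",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
[System Access]
MinimumPasswordLength = 8
'@

function Test-ServiceOnlyTemplate {
    param([string[]]$Lines)
    # Startup codes used in the [Service General Setting] section.
    $startup  = @{ '2' = 'Automatic'; '3' = 'Manual'; '4' = 'Disabled' }
    $allowed  = 'Unicode', 'Version', 'Service General Setting'
    $section  = $null
    $services = @()
    $extra    = @()
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';')) { continue }   # blank or comment
        if ($t -match '^\[(.+)\]$') {
            $section = $Matches[1]
            # Any section beyond the header and services means extra policy.
            if ($allowed -notcontains $section) { $extra += $section }
            continue
        }
        if ($section -eq 'Service General Setting' -and
            $t -match '^"?([^",]+)"?\s*,\s*(\d)\s*,\s*"(.*)"$') {
            $services += [pscustomobject]@{
                Service = $Matches[1]
                Startup = $startup[$Matches[2]]
                Sddl    = $Matches[3]
            }
        }
    }
    [pscustomobject]@{ Services = $services; ExtraSections = $extra }
}

$result = Test-ServiceOnlyTemplate -Lines ($sample -split "`r?`n")
$result.Services | Format-Table -AutoSize
if ($result.ExtraSections) {
    Write-Warning "Template also sets: $($result.ExtraSections -join ', ')"
}
```

For a real template, pass the output of `Get-Content` on the saved file as `-Lines` before copying the file to the machine where the GPO is edited.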
AI
2005-07-14 14:49:02 UTC
That works, thanks for your help!