Can you add services to a GPO's System Services node?

Discussion in 'Active Directory' started by AI, Jul 13, 2005.

  1. AI

    AI Guest

    In GPOs, under Computer Configuration->Windows Settings->Security Settings
    there is a System Services node that allows the group policy to configure
    services on computers to which the policy is applied. I had previously
    thought that this was limited to services that come with the OS distribution,
    but I noticed that this list also includes services for anti-virus software
    that is installed on the domain controllers. Seeing that this list can be
    expanded beyond the standard set of services, I poked around the
    documentation to find out how to add services that are not installed on the
    domain controller (so that the policy can control services, that, for
    example, are only installed on workstations), but I couldn't find an answer.
    Is this possible, or can group policy only control services that exist on the
    domain controllers?
    AI, Jul 13, 2005
    1. Advertisements

  2. AI

    GeeB Guest

    Yes, you can add any service at all, including third-party or custom built
    services. What you see in the 'System Services' are the services that are
    installed on that machine you are running the GPEditor/GPMC.

    To get it from another machine that doesn't have ADUC/GPMC...
    - Logon to the machine that has the service you want to manage.
    - Run Start>Run>MMC
    - Add the 'Security Policy Templates' snapin
    - Create a new template
    - Edit that template's 'System services' node and you'll see the services on
    that machine. Simply add the service you want to the policy by just adding
    the default setting (Automatic/Everyone-FC). Don't set ay other policies,
    just the services you want. Note: Not knowing the OS and what GP editor you
    are running, leaving the defaults for this step is recommended as there as
    some known issues.
    - Save the file
    - Copy that file to the machine where you run the GP Editor (ex. Domain
    - Edit your desired policy and go to the 'Security' node, right-click,
    choose import to import the file with the service you just grabbed.
    - Your service is now in the policy. Just edit the service with the proper
    permissions and startup state as desired.

    Hope that helped.
    GeeB, Jul 13, 2005
    1. Advertisements

  3. AI

    AI Guest

    That works, thanks for your help!
    AI, Jul 14, 2005
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.