I have some GPOs that I apply to all my servers, one of which sets up a few global service accounts with the "Logon as a Service" right. The problem is that if I apply this GPO to a server that already has custom entries in there (like any SQL Server with the "NT SERVER\*" accounts) those existing entries are deleted when the GPO is applied.
I need the GPO to simply ADD the names of my service accounts without deleting whatever is there.
I read about "loop-back" processing and "merge vs replace" but this appears to only affect "User Configuration". The GPO setting in question is under Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignment.
Like I said, my current show-stopping issue is my SQL servers, which all have server-specific accounts that have been granted the "log on as service" rights during the installation of SQL Server. If I apply this policy, SQL Server services are no longer able to start on the server. Obviously I can't add server-specific accounts to my GPO--the list would become unmanageable almost immediately.
How do I make this policy ADDITIVE instead of DESTRUCTIVE? Any ideas would be appreciated!
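
A pre-flight check for the replacement behaviour described in the question, as an added example that is not part of the original post: run elevated on a server before the GPO is linked, it lists the accounts that currently hold "Log on as a service" locally and are missing from the GPO's list, which are the entries the policy would remove. The account names in `$GpoAccounts` are hypothetical placeholders, and the script assumes `secedit.exe` is available.

```powershell
# Added example: report local "Log on as a service" holders that a replacing GPO would drop.
# $GpoAccounts is a constructed placeholder list; substitute the accounts the GPO defines.
param(
    [string[]]$GpoAccounts = @('EXAMPLE\svc-backup', 'EXAMPLE\svc-monitor')  # hypothetical names
)

function Resolve-ToSid {
    param([string]$Entry)
    # secedit writes resolved principals as "*S-1-5-..." and others as plain names.
    if ($Entry.StartsWith('*')) { return $Entry.TrimStart('*') }
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Entry)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $Entry   # keep unresolved names so they still appear in the report
    }
}

function Resolve-ToName {
    param([string]$Sid)
    try {
        $s = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $s.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Sid     # not a SID or not mappable: show the raw value
    }
}

# Export only the user-rights area of the effective local policy (requires elevation).
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null

$line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=' | Select-Object -First 1
$current = @()
if ($line) {
    $current = @(($line.Line -split '=', 2)[1] -split ',' |
        ForEach-Object { Resolve-ToSid $_.Trim() })
}
$gpoSids = @($GpoAccounts | ForEach-Object { Resolve-ToSid $_ })

# Entries held locally but absent from the GPO list are what replacement removes.
$current | Where-Object { $_ -and ($gpoSids -notcontains $_) } | ForEach-Object {
    [pscustomobject]@{ Sid = $_; Account = Resolve-ToName $_ }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

An empty result means every current holder is already covered by the GPO's list; on a SQL Server host the per-instance service accounts would be expected to show up here.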