So it's a best practice to use a domain account for services ... i.e. backup software, SQL, Exchange, etc.
And if you have a service account that needs to hit the majority of computers in the network then you would use a group policy.
The problem that I have is that when you use a group policy to add "Log on as a service", you can't add one on a server that only that server needs. If I have one service account user that needs Log on as a Service on only one computer, I can't add it locally... and if I want to use a GPO, I would have to create a separate GPO and filter it to that one computer.
This doesn't make sense to me and feels limited. Is there a policy that I can use for "Log on as a service" that can use item-level targeting, and where I can add multiple, etc.?
Any thoughts on how you have managed this would be helpful. I like using the GPO for obvious reasons, but I don't want to grant "Log on as a service" for the account that really only needs to have that right on one server.
In my example, I created a managed service account for SQL 2014. I only need that service account added to the SQL 2014 server, not all servers in the domain.
Thanks
John
Alternatively, it would be nice if it was like firewall rules: I can create a GPO for the domain-wide needs, and then add some locally as needed. If you use a GPO to manage this, then the local GPEDIT.msc option is greyed out and you can't add them locally...
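
The behaviour described in this post, as an added example that is not part of the original post: User Rights Assignment entries such as `SeServiceLogonRight` are not merged across GPOs, so the last-applied GPO that defines the right supplies the whole list. The GPO names, the `CONTOSO` accounts and the template fragments are constructed for illustration.

```python
import configparser

# Constructed GptTmpl.inf fragments. Real templates usually list *SID entries;
# account names are used here for readability.
DOMAIN_WIDE = r"""[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = CONTOSO\svc-backup
"""
SQL_ONLY = r"""[Privilege Rights]
SeServiceLogonRight = CONTOSO\svc-sql2014$
"""

def privilege_rights(inf_text):
    """Parse the [Privilege Rights] section of a security template."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of names like SeServiceLogonRight
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {right: [p.strip() for p in value.split(",") if p.strip()]
            for right, value in cp["Privilege Rights"].items()}

def effective_right(gpos_in_apply_order, right):
    """Return (winning GPO, principals); (None, None) if no GPO defines it."""
    winner = (None, None)
    for name, inf_text in gpos_in_apply_order:
        rights = privilege_rights(inf_text)
        if right in rights:  # a later GPO replaces the list, it does not merge
            winner = (name, rights[right])
    return winner

def dropped_principals(gpos_in_apply_order, right):
    """Principals granted by some GPO but absent from the winning list."""
    _, effective = effective_right(gpos_in_apply_order, right)
    granted = set()
    for _, inf_text in gpos_in_apply_order:
        granted.update(privilege_rights(inf_text).get(right, []))
    return sorted(granted - set(effective or []))

if __name__ == "__main__":
    # GPOs as they would apply to the SQL server, lowest precedence first.
    gpos = [("Domain service accounts", DOMAIN_WIDE), ("SQL2014 only", SQL_ONLY)]
    print(effective_right(gpos, "SeServiceLogonRight"))
    print("lost on this server:", dropped_principals(gpos, "SeServiceLogonRight"))
```

Run against exported templates, a non-empty `dropped_principals` result shows which accounts the computer-filtered GPO would also have to list to keep their right on that server.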