I'm working on an issue caused by the "Log on as a service" policy being applied and enforced from the top of the domain hierarchy. Basically, the settings of the policy are fairly restrictive, so administrators have used a workaround that is undesirable. Any time the "Log on as a service" right is needed and the account is not explicitly listed in the policy, they have made the service account a member of the local Administrators group. I'd like to decrease the number of accounts in the local Administrators group, and I'm looking for a way to undo the policy.
I'd like to change the domain policy to Not Configured, but, from looking at the managed settings and what I see in the Local Security Policy consoles, it appears that if I made that change, the local policy would revert to default and only NETWORK SERVICE would have the right to log on as a service.
Does anyone have experience trying to undo this GPO setting? Will I have to determine in advance all the servers that will be affected by undoing the policy and then endure a painful maintenance window requiring server reboots and granting the right as appropriate?
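As an added example (not part of the question above or of any answer to it), the following PowerShell script does the inventory step the question asks about on a single server: it exports the effective local security policy with `secedit` to read which principals currently hold `SeServiceLogonRight` (the internal name of the "Log on as a service" right), lists the accounts that services are actually configured to run under, and flags those that are covered only by membership in the local Administrators group. It assumes an elevated PowerShell 5.1 or later session with the `Microsoft.PowerShell.LocalAccounts` module (Windows Server 2016 and later); every function name in it is my own.

```powershell
# Added example, not from the original post. Run elevated on each candidate server.
# Assumes secedit.exe and Get-LocalGroupMember are available (default on Server 2016+).

# Normalise the spellings Windows uses for one account (".\svc", "svc@corp.example",
# "CORP\svc") so the three lists below can be compared with a plain string match.
function ConvertTo-CanonicalAccount([string]$Name) {
    if ($Name -like '.\*') {
        return "$env:COMPUTERNAME\$($Name.Substring(2))".ToUpperInvariant()
    }
    if ($Name -like '*@*') {
        try {
            $nt = New-Object System.Security.Principal.NTAccount($Name)
            return $nt.Translate([System.Security.Principal.SecurityIdentifier]).
                       Translate([System.Security.Principal.NTAccount]).Value.ToUpperInvariant()
        } catch { return $Name.ToUpperInvariant() }
    }
    return $Name.ToUpperInvariant()
}

# Principals holding SeServiceLogonRight in the effective local security database,
# i.e. whatever the enforced GPO has pushed down plus anything granted locally.
function Get-ServiceLogonRightHolders {
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
        if (-not $line) { return @() }
        foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
            $e = $entry.Trim()
            if ($e.StartsWith('*')) {
                # secedit writes SIDs with a leading '*'; resolve to a name where possible
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $e }
            } else { $e }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

# Accounts that installed services are configured to run under, excluding the built-in
# identities that never need the right granted explicitly.
function Get-ServiceRunAsAccounts {
    $builtin = '^(LocalSystem|NT AUTHORITY\\(LocalService|NetworkService))$'
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and $_.StartName -notmatch $builtin } |
        Group-Object -Property StartName |
        ForEach-Object {
            [pscustomobject]@{
                Account  = ConvertTo-CanonicalAccount $_.Name
                Services = ($_.Group.Name -join ', ')
            }
        }
}

function Get-LocalAdminMembers {
    Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { ConvertTo-CanonicalAccount $_.Name }
}

# One row per service account: does it hold the right directly, and is it a local admin?
# Rows with HasRight = False and IsLocalAdmin = True are the workaround cases that must
# be granted the right (in the GPO or locally) before the Administrators membership goes.
function Get-ServiceLogonRightGaps {
    $holders = @(Get-ServiceLogonRightHolders | ForEach-Object { ConvertTo-CanonicalAccount $_ })
    $admins  = @(Get-LocalAdminMembers)
    foreach ($svc in Get-ServiceRunAsAccounts) {
        [pscustomobject]@{
            Account      = $svc.Account
            Services     = $svc.Services
            HasRight     = $holders -contains $svc.Account
            IsLocalAdmin = $admins -contains $svc.Account
        }
    }
}

Get-ServiceLogonRightGaps | Sort-Object HasRight, Account | Format-Table -AutoSize
```

Two caveats when reading the output. `HasRight` only tests whether the account is listed directly; a right granted to a group the account belongs to is not expanded, so a `False` there for an account that is in such a group is a false alarm. And the user-rights assignment itself needs no reboot: it is re-applied at the next Group Policy refresh (`gpupdate /force`) and is only checked when a service logs on at start-up, so a service that is already running keeps running, and the effect of a missing right shows up as a logon failure the next time that service is restarted.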