This is a pretty interesting question... here <http://msdn.microsoft.com/en-us/library/ff649254.aspx> MSFT mentions that the service control manager loads the user profile, which implies the HKCU hive -- the target of most user-level GPOs -- but it doesn't seem that a non-interactive session would ever fire gpupdate.
That said, I am having a hard time thinking of services that depend on user-level policies (computer settings and configuration files are the norm, including for .NET services with proxy settings or lack thereof). I don't doubt that there exist some exceptional services that go against the grain; one could do a .reg run as the target user... ugly, ugly. --Steve On Wed, Jul 27, 2011 at 11:09 AM, Ken Schaefer <k...@adopenstatic.com> wrote: > AFAIK User GPOs only apply to Interactive and Terminal Services logon types > – not batch, service, network logon. I’m trying to find a reference though… > > > > From: Miller Bonnie L. [mailto:mille...@mukilteo.wednet.edu] > Sent: Wednesday, 27 July 2011 10:04 PM > > To: NT System Admin Issues > Subject: RE: FW: GPOs applying to a service account > > > > Thanks Chris—I agree that what you are saying is probably true (that is the > result we’re getting), but I’m not seeing it stated clearly in the technet > information. > > > > If that is the case, then I don’t think user-applied GPPs will work for what > we are trying to do either. Computer GPPs might work if we apply a specific > registry setting to computers for the HKCU of the account in question, but > we’ll need to do more testing. > > > > From: Christopher Bodnar [mailto:christopher_bod...@glic.com] > Sent: Wednesday, July 27, 2011 5:36 AM > To: NT System Admin Issues > Subject: Re: FW: GPOs applying to a service account > > > > This might help: > > http://technet.microsoft.com/en-us/library/cc785665(WS.10).aspx > > User GPO's won't be applied until a user logs on. A service that has a > specific account configured in the "Log On" section isn't really logging on > as far as group policy is concerned. > > > > > Chris Bodnar, MCSE, MCITP > Technical Support III > Distributed Systems Service Delivery - Intel Services > Guardian Life Insurance Company of America > Email: christopher_bod...@glic.com > Phone: 610-807-6459 > Fax: 610-807-6003 > > > > From: Miller Bonnie L. <mille...@mukilteo.wednet.edu> > To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com> > Date: 07/27/2011 05:49 AM > Subject: FW: GPOs applying to a service account > > ________________________________ > > > Resending this since I didn’t see it post nor get a notification from > Lyris—sorry if it posts twice. > > From: Miller Bonnie L. > Sent: Tuesday, July 26, 2011 1:41 PM > To: 'NT System Admin Issues' > Subject: GPOs applying to a service account > > Does anyone know the outcome of the following? > > Domain-member workstation (W7 SP1 or Wxp SP3). > Domain-member user account. > User account is configured to logon as a service on the workstation (set up > as a service account). > > When the workstation is started up, do user-based GPO settings apply to the > service account when it “logs on”? > > > We have a very specific need to set the proxy configuration for a service > account, but not for the computer as a whole (when no user is logged on), so > we can’t use proxycfg/netsh. Trying to set this using GPO “User > Config\Policies\Windows Settings\Internet Explorer Maintenance” section, > like we do for our other user accounts. If we log on interactively with the > account, the settings show up. If you let the account log on as a service > and view the settings remotely via regedit, they are not being set. > > Is this the way it is supposed to work? I can’t seem to find a good > reference for this scenario. Would GPPs maybe work better? > > Thanks, > Bonnie > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
