This article describes how to use Group Policy to set
security for system services for an organizational unit in Windows Server 2003.
When you implement security on system services, you can control who
can manage services on a workstation, member server, or domain controller.
Currently, the only way to change a system service is through a Group Policy
If you implement Group Policy as the Default
Domain Policy, the policy is applied to all computers in the domain. If you
implement Group Policy as the Default Domain Controllers policy, the policy
applies only to the servers in the domain controller's organizational unit. You
can create organizational units that contain workstation computers to which
policies can be applied. This article describes the steps for implementing a
Group Policy on an organizational unit to change permissions on system

How to Assign System Service Permissions

- Click Start, point to Administrative Tools, and then click Active Directory Users and
- Right-click the domain to which you want to add the
organizational unit, point to New, and then click Organizational Unit.
- Type a name for the organizational unit in the Name box, and then click OK.
The new organizational unit is listed in the console
- Right-click the new organizational unit that you created,
and then click Properties.
- Click the Group Policy tab, and then click New. Type a name for the new Group Policy object (for example, use
the name of the organizational unit for which it is implemented), and then
- Click the new Group Policy object in the Group
Policy Objects Links list (if it is not already selected), and then
- Expand Computer Configuration, expand Windows Settings, expand Security Settings, and then click System Services.
- In the right pane, double-click the service to which you
want to apply permissions.
The security policy setting for that
specific service is displayed.
- Click to select the Define this policy
setting check box.
- Click Edit Security.
- Grant the appropriate permissions to the user accounts and
groups that you want, and then click OK.
- Under Select service startup mode, click
the startup mode option that you want, and then click OK.
- Close the Group Policy Object Editor,
click OK, and then close the Active Directory Users and Computers

You must move the computer accounts that you want to manage into
the organizational unit. After the computer accounts are contained in the
organizational unit, the authorized user or groups can manage the service.
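
To confirm what the Edit Security step granted once the policy has applied, read the service's security descriptor back on a managed computer with sc sdshow <service name> and decode it. The following is an added example, not part of the original article: it decodes the DACL and reports allow entries that give anyone outside a trusted set the right to reconfigure the service or rewrite its ACL. The function names, the trusted set (SY and BA), and the sample SDDL string with its SID are assumptions constructed for illustration.

```python
import re

# SDDL right codes as they apply to service objects: code -> (name, mask bit).
SERVICE_RIGHTS = {
    "CC": ("QUERY_CONFIG", 0x1), "DC": ("CHANGE_CONFIG", 0x2),
    "LC": ("QUERY_STATUS", 0x4), "SW": ("ENUMERATE_DEPENDENTS", 0x8),
    "RP": ("START", 0x10), "WP": ("STOP", 0x20), "DT": ("PAUSE_CONTINUE", 0x40),
    "LO": ("INTERROGATE", 0x80), "CR": ("USER_DEFINED_CONTROL", 0x100),
    "SD": ("DELETE", 0x10000), "RC": ("READ_CONTROL", 0x20000),
    "WD": ("WRITE_DAC", 0x40000), "WO": ("WRITE_OWNER", 0x80000),
}
# Rights that let the holder reconfigure the service or rewrite its ACL.
RISKY = {"CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER"}

# Constructed sample in the form printed by "sc sdshow"; the SID is made up.
SAMPLE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWRPWPLOCRRC;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
    "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

def decode_rights(field):
    """Turn an ACE rights field (letter pairs or a hex mask) into right names."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {name for name, bit in SERVICE_RIGHTS.values() if mask & bit}
    names = set()
    for code in re.findall("..", field):
        if code == "GA":  # generic all: every right in the table
            names.update(name for name, _ in SERVICE_RIGHTS.values())
        elif code in SERVICE_RIGHTS:
            names.add(SERVICE_RIGHTS[code][0])
        else:  # fail loudly rather than silently skip a code
            raise ValueError("unknown right code: " + code)
    return names

def risky_aces(sddl, trusted=("SY", "BA")):
    """Return (trustee, risky rights) for allow ACEs granted outside `trusted`."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not dacl:
        raise ValueError("no DACL found in SDDL string")
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        ace_type, _, rights, _, _, trustee = ace.split(";")[:6]
        hit = decode_rights(rights) & RISKY
        if ace_type == "A" and trustee not in trusted and hit:
            findings.append((trustee, sorted(hit)))
    return findings
```

In the sample, the delegated account holds only start and stop rights and is not reported, while the Authenticated Users entry is reported because it includes CHANGE_CONFIG.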