Add Service User to Local Administrators Group via Group Policy

This article explains how to add the SysKit service user to the Local Administrators security group via Group Policy on each server you plan to monitor.

Add Service User to Local Administrators security group through Restricted Groups

If you plan to monitor a lot of servers, it is much easier to configure the service user permissions via a group policy. By adding the service user to Restricted Groups, you define its privileges across your domain. You can fine-tune administrative privileges via Organizational Units.

Create a security group in Active Directory

  1. Open Active Directory Users and Computers, expand ‘Domain’, right-click Users, click New, and then click Group.
  2. In the New Object – Group dialog box, type in Group Name, and then click OK.

    Active Directory Users and Computers - New Object - Group

  3. Right-click the newly created group, select Properties, navigate to the Members tab, click the Add… button, and add the designated users to the group. Add other users that also need administrative privileges, if necessary.

    Add members to the group

  4. Open Group Policy Management in Administrative Tools on your domain controller.

    Group Policy Management

  5. If you do not have your SysKit/Administrators custom domain policy, right-click the Default Domain Policy and choose Edit.
  6. Find the policy setting Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups.
  7. Right-click Restricted Groups and select Add Group.
  8. In the Add Group dialog box, click Browse or type in the name of the previously created group.

    Add Group

  9. After clicking OK, the following window will appear:

    Local Administrators Group Properties - Administrators

    If you add users or groups to the “Members of this group” box, you instruct the Restricted Groups feature to put the selected users and groups into the ‘Local Administrators’ group. Restricted Groups then replaces the current members of the ‘Local Administrators’ group with the users and groups you entered in the box.

    Because you want to make your ‘Local Administrators’ group a member of the Administrators group on your client machines, rather than replace its members, the lower box, “This group is a member of”, is the correct one.

  10. Click Add and type in the name of the group you want ‘Local Administrators’ to be a member of, in this case “Administrators”. Then click Apply and OK, and close all windows.

Set “Log on as a service” for the SysKit service user

It is important to define a domain group policy that allows the service user to “Log on as a service.” Here is what you need to do:

  1. Open Group Policy Management under Administrative Tools on your domain controller.
  2. If you do not have the SysKit custom domain policy, right-click Default Domain Policy and choose Edit.
  3. Find the policy setting Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Log on as a service and add the service user that you created earlier.
    The service user will have the “Log on as a service” right on each server. This step is required for SysKit to run properly.

    Logon as a service
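
Both procedures above (Restricted Groups and “Log on as a service”) are stored in the policy's GptTmpl.inf security template. The PowerShell below is an added example, not SysKit's code: it parses a constructed template with made-up SIDs and reports whether the built-in Administrators group is handled in replace mode (“Members of this group”) or additive mode (“This group is a member of”), and who holds SeServiceLogonRight. The function name Get-RestrictedGroupFinding is hypothetical.

```powershell
# Constructed sample of a GPO security template (GptTmpl.inf). All SIDs are
# made up; both Restricted Groups modes are included so each finding is shown.
$sampleInf = @'
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512
[Privilege Rights]
SeServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1106
'@

# The built-in local Administrators group, by well-known SID or by name.
$AdminAliases = '*S-1-5-32-544', 'Administrators'

# Hypothetical helper: emits one object per setting relevant to this article.
function Get-RestrictedGroupFinding {
    param([Parameter(Mandatory)][string]$InfText)
    $section = ''
    foreach ($line in $InfText -split '\r?\n') {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if (-not ($line -match '^(.+?)\s*=\s*(.*)$')) { continue }
        $key = $Matches[1]
        $values = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($section -eq 'Group Membership' -and $key -match '^(.+)__(Members|Memberof)$') {
            $group = $Matches[1]; $kind = $Matches[2]
            if ($kind -eq 'Members' -and $AdminAliases -contains $group -and $values.Count -gt 0) {
                # "Members of this group": existing local admins are replaced by this list.
                [pscustomobject]@{ Mode = 'Replace'; Principal = $group; Values = $values }
            } elseif ($kind -eq 'Memberof' -and ($values | Where-Object { $AdminAliases -contains $_ })) {
                # "This group is a member of": the group is added, other members stay.
                [pscustomobject]@{ Mode = 'Additive'; Principal = $group; Values = $values }
            }
        } elseif ($section -eq 'Privilege Rights' -and $key -eq 'SeServiceLogonRight') {
            # A user right defined in a GPO replaces the local assignment, so this
            # list must name every account that needs to log on as a service.
            [pscustomobject]@{ Mode = 'ServiceLogon'; Principal = $key; Values = $values }
        }
    }
}

Get-RestrictedGroupFinding -InfText $sampleInf | Format-Table -AutoSize
```

To audit a real policy, pass the text of its GptTmpl.inf (under Machine\Microsoft\Windows NT\SecEdit in the policy's SYSVOL folder), read with Get-Content -Raw, as -InfText.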