This article describes how to use Group Policy to set security for system services for an organizational unit in Windows Server 2003.
When you implement security on system services, you can control who can manage services on a workstation, member server, or domain controller. Currently, the only way to change a system service is through a Group Policy computer setting.
If you implement Group Policy as the Default Domain Policy, the policy is applied to all computers in the domain. If you implement Group Policy as the Default Domain Controllers policy, the policy applies only to the servers in the domain controller's organizational unit. You can create organizational units that contain workstation computers to which policies can be applied. This article describes the steps to implement a Group Policy on an organizational unit to change permissions on system services.
1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click the domain to which you want to add the organizational unit, point to New, and then click Organizational Unit.
3. Type a name for the organizational unit in the Name box, and then click OK.
   The new organizational unit is listed in the console tree.
4. Right-click the new organizational unit that you created, and then click Properties.
5. Click the Group Policy tab, and then click New. Type a name for the new Group Policy object (for example, use the name of the organizational unit for which it is implemented), and then press ENTER.
6. Click the new Group Policy object in the Group Policy Objects Links list (if it is not already selected), and then click Edit.
7. Expand Computer Configuration, expand Windows Settings, expand Security Settings, and then click System Services.
8. In the right pane, double-click the service to which you want to apply permissions.
   The security policy setting for that specific service is displayed.
9. Click to select the Define this policy setting check box.
10. Click Edit Security.
11. Grant the appropriate permissions to the user accounts and groups that you want, and then click OK.
12. Under Select service startup mode, click the startup mode option that you want, and then click OK.
13. Close the Group Policy Object Editor, click OK, and then close the Active Directory Users and Computers tool.
NOTE: You must move the computer accounts that you want to manage into the organizational unit. After the computer accounts are contained in the organizational unit, the authorized user or groups can manage the service.
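
To confirm that the permissions granted in the Edit Security step reached a computer in the organizational unit, you can read the service's security descriptor and list which accounts hold which rights. The following script is an added example, not part of the original article or Microsoft's code. It assumes Windows PowerShell 3.0 or later on the computer where you run it; Get-ServiceAcl is a hypothetical helper name and Spooler is only a sample service.

```powershell
# Added example. Lists the accounts in a service's DACL and the rights each one holds.
# Access-mask bits for service objects (winsvc.h and winnt.h).
$ServiceRights = [ordered]@{
    QueryConfig = 0x1; ChangeConfig = 0x2; QueryStatus = 0x4
    EnumerateDependents = 0x8; Start = 0x10; Stop = 0x20
    PauseContinue = 0x40; Interrogate = 0x80; UserDefinedControl = 0x100
    Delete = 0x10000; ReadControl = 0x20000; WriteDac = 0x40000; WriteOwner = 0x80000
}
# Rights that let the holder reconfigure the service or rewrite its permissions.
$ReconfigureMask = 0x2 -bor 0x40000 -bor 0x80000

function Get-ServiceAcl {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # "sc sdshow" prints the service's security descriptor as one SDDL string.
    $out = & sc.exe "\\$ComputerName" sdshow $Name
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdshow failed for '$Name': $out" }
    $sddl = ($out | Where-Object { $_ -and $_.Trim() }) -join ''

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl.Trim()
    if ($null -eq $sd.DiscretionaryAcl) { throw "Service '$Name' has no DACL." }

    foreach ($ace in $sd.DiscretionaryAcl) {
        # Show DOMAIN\name where the SID resolves, otherwise the raw SID.
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }
        $mask = $ace.AccessMask
        $held = $ServiceRights.Keys | Where-Object { $mask -band $ServiceRights[$_] }
        [pscustomobject]@{
            Account        = $who
            AceType        = $ace.AceType
            Rights         = $held -join ', '
            CanReconfigure = [bool]($mask -band $ReconfigureMask)
        }
    }
}

# Sample call against the local computer; 'Spooler' is a sample service name.
Get-ServiceAcl -Name 'Spooler' | Format-Table -AutoSize
```

Pass -ComputerName to check a computer in the organizational unit from a management workstation. Any account shown with CanReconfigure set to True that you did not grant in the policy is worth reviewing.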