SharePoint 2016 : User Rights Assignment GPO

Post author:admin
Post published:January 30, 2018
Post category:Group Policy / IT / Microsoft / SharePoint 2013 / SharePoint 2016 / Windows Server / Windows Server 2012

Following are the User Rights Assignments settings GPO required to run SharePoint successfully if your Windows Server OS is in locked down mode.

Service Accounts:
SPServiceApps : Runs Service Applications
SPWebApps: Runs the Web Applications
SPFarm : Runs the SharePoint Timer and Administrative Service
SPConent: Default Content Access Account for the Search Service Application
Sqluser: Run the SQL server agent service and Database Engine service

GPO: Computer Configuration\Policies\Windows Settings\Local Policies\User Rights Assignment

Policy	Setting
Act as part of the operating system	NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Adjust memory quotas for a process	CONTOSO\SPWebApps, CONTOSO\SPServiceApps, CONTOSO\SPFarm, BUILTIN\Administrators
Back up files and directories	BUILTIN\Administrators
Bypass traverse checking	NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, CONTOSO\sqluser, CONTOSO\SPFarm, NT AUTHORITY\Authenticated Users
Change the system time	NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Change the time zone	NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Change the time zone	NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Create a pagefile	BUILTIN\Administrators
Create global objects	NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Create symbolic links	BUILTIN\Administrators
Debug programs	BUILTIN\Administrators
Force shutdown from a remote system	BUILTIN\Administrators
Generate security audits	NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, CONTOSO\SPFarm
Impersonate a client after authentication	T AUTHORITY\SERVICE, CONTOSO\SPWebApps, CONTOSO\SPServiceApps, CONTOSO\SPContent, BUILTIN\Administrators
Increase a process working set	BUILTIN\Administrators
Increase scheduling priority	BUILTIN\Administrators
Log on as a batch job	BUILTIN\Performance Log Users, CONTOSO\SPWebApps, CONTOSO\SPServiceApps, CONTOSO\SPFarm, CONTOSO\SPContent, BUILTIN\Administrators
Log on as a service	NT SERVICE\ALL SERVICES, CONTOSO\sqluser, CONTOSO\SPWebApps, CONTOSO\SPFarm, CONTOSO\SPServiceApps, CONTOSO\SPContent, BUILTIN\Administrators
Manage auditing and security log	BUILTIN\Administrators, CONTOSO\Domain Admins, CONTOSO\SPAdmin
Modify an object label	BUILTIN\Administrators
Modify firmware environment values	BUILTIN\Administrators
Perform volume maintenance tasks	BUILTIN\Administrators
Profile single process	BUILTIN\Administrators
Profile system performance	NT SERVICE\WdiServiceHost, BUILTIN\Administrators
Replace a process level token	CONTOSO\SPFarm, CONTOSO\SPServiceApps, CONTOSO\SPWebApps, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE
Restore files and directories	BUILTIN\Administrators
Take ownership of files or other objects	BUILTIN\Administrators

Tags: GPO, SharePoint 2013, SharePoint 2016, Windows Server 2012 R2, Windows Server 2016

I am a goal-oriented Infrastructure System Engineer and Information System Security Officer with over 10 years’ of experience in planning and implementation of network, servers, virtualization and security technologies . Background includes hands-on experience with multi-platform, LAN/WAN environments, assessing and implementation of security controls in using ODAA and RMF guidance. Demonstrated record of success in migrating, troubleshooting Servers and increasing efficiency.

You Might Also Like

Nagios: A Comprehensive Guide to Installation and Configuration

Windows Firewall log file empty.

Seamless SharePoint Access: Enabling Integrated Windows Authentication in Browsers