
Appendix G. Creating a New Service User for a Local Edition Machine or an Enterprise Edition Station

B0400EF – Rev P

Figure G-7. Control Panel - User Accounts - Manage Accounts - Change an Account - Change the Account Type

G.2 Create a New Service User in an Enterprise Edition Machine

For enhanced security, follow the instructions to:
♦ Create a new User and a User Group on the Primary Domain Controller (PDC)
♦ Assign privileges to the User Group and add the User to the Group on the PDC
♦ Add the Group policy to deny interactive login on the PDC
♦ Update Group policies on the client workstation

NOTE
The domain name used in these examples, Foxboro.Local, may be different on your
station.

G.2.1 Create a New User


1. Open the Active Directory Users and Computers folder in the PDC.
2. Navigate to Standard (Foxboro.Local > Invensys > Accounts > Users >
Standard).


3. Right-click Standard and select New > User and enter the name for the user as
shown in Figure G-8.

Figure G-8. Creating a New User in the PDC

4. Provide a password and select the relevant checkboxes, as shown in Figure G-9.

Figure G-9. New User Password


G.2.2 Create a New User Group Named “EFS Service”


1. Open the Active Directory Users and Computers folder in the PDC.
2. Navigate to IA Groups (Foxboro.Local > Invensys > Accounts > Groups).
3. Right-click IA Groups and select New > Group as shown in Figure G-10.

Figure G-10. Select New > Group from the Menu

4. Enter the group name as “EFS Service”, as shown in Figure G-11 and Figure G-12.

NOTE
Using a different name will not work, because when CS is installed after EFS,
the “EFS Service” group is referenced to update the GPO.


Figure G-11. Enter EFS Service as Name for the New Group


Figure G-12. EFS Service Created as a New Group

G.2.3 Assign Privileges and Add the User to the User Group
To assign administrator privileges to the group:
1. Right-click the EFS Service group and select Properties.
2. On the EFS Service Properties dialog box, click the Member Of tab.
Click Add... and add the IA Plant Admins group. The group is now added as shown
in Figure G-13.


Figure G-13. EFS Service Properties Dialog Box

3. On the EFS Service Properties dialog box, click the Members tab.
Click Add... and add the user you created in “Create a New User” on page 261. The
user is added as shown in Figure G-14.


Figure G-14. New User Added to the List of Members

G.2.4 Add the Group Policy to Deny Interactive Login


Depending on which CCS or CS software is already installed on the PDC, follow the matching steps
described in this section.
The cases considered are:
♦ “PDC has CCS v9.4 Installed” on page 267
♦ “PDC Has a CCS Version Older Than V9.4 Installed” on page 271
♦ “PDC Has CS Installed” on page 271

G.2.4.1 PDC has CCS v9.4 Installed


1. Open Group Policy Management.
2. Navigate to IA Computers (Foxboro.Local > Invensys > IA Computers).


Figure G-15. GPO “SE Win10 Computer Security Compliance v1.0”

3. Right-click SE Win10 Computer Security Compliance v1.0 and select Edit.
The Group Policy Management Editor screen appears. Navigate to User Rights
Assignment as shown in Figure G-16.


Figure G-16. Group Policy Management Editor - User Rights Assignment

4. Right-click "Deny log on locally" and select Properties. The Deny log on locally
Properties dialog box appears. Select the Define these policy settings checkbox and
click Add User or Group... to add the "EFS Service" group, the group you created
earlier.
The “EFS Service” user group is added as shown in Figure G-17.


Figure G-17. Group Policy Management - Deny Log On Locally Properties Dialog Box

5. Click Apply. The “EFS Service” User Group is now listed in GPO as shown in
Figure G-18.

Figure G-18. “EFS Service” User Group Added


6. Repeat the steps 3 through 5 on GPO “SE Server 2016 Member Server Security
Compliance v1.0”.

NOTICE
POTENTIAL DATA LOSS

If you will install CS after installing EFS, then we highly recommend
that you follow the steps listed in “PDC has CCS v9.4 Installed” on
page 267, after you install CS.

Failure to follow these instructions can result in potential data
loss.

G.2.4.2 PDC Has a CCS Version Older Than V9.4 Installed


Repeat the steps 3 through 5 in “PDC has CCS v9.4 Installed” on page 267 on GPO “Invensys
IA Computers v1.0”.

NOTICE
POTENTIAL DATA LOSS

If you will install CS after installing EFS, then we highly recommend
that you follow the steps listed in “PDC has CCS v9.4 Installed” on
page 267, after you install CS.

Failure to follow these instructions can result in potential data
loss.

G.2.4.3 PDC Has CS Installed


1. Open Group Policy Management.
2. Navigate to IA Computers (Foxboro.Local > Invensys > IA Computers) and
select FCS Computers v2.0 as shown in Figure G-19.


Figure G-19. GPO “FCS Computers v2.0”

3. Right-click FCS Computers v2.0 and select Edit. The Group Policy Management
Editor screen appears. Navigate to User Rights Assignment as shown in
Figure G-20.


Figure G-20. Group Policy Management Editor - User Rights Assignment (CS)

4. Right-click "Deny log on locally" and select Properties. The Deny log on locally
Properties dialog box appears. Select the Define these policy settings checkbox and
click Add User or Group... to add the "EFS Service" group, the group you created
earlier.
The “EFS Service” user group is added as shown in Figure G-21.


Figure G-21. Group Policy Management - Deny Log On Locally Properties Dialog Box (CS)

5. Click Apply. The “EFS Service” User Group is now listed in GPO as shown in
Figure G-22.

Figure G-22. “EFS Service” User Group Added


G.2.5 Update Group Policies on the Client Workstation


Run gpupdate /force on the PDC and the client stations.
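
To confirm the result of this procedure on a station, the following PowerShell check (an added example, not part of the vendor manual) exports the station's user rights with secedit and reports whether the “EFS Service” group is listed under SeDenyInteractiveLogonRight, the privilege behind "Deny log on locally". The function names are hypothetical; run it from an elevated prompt after the policy refresh has completed.

```powershell
# Added verification example; function names are hypothetical, not vendor-supplied.
# Run from an elevated PowerShell prompt on a domain-joined station.
function Get-DenyLocalLogonAccounts {
    # Export only the user-rights section of the station's security policy.
    $cfg = Join-Path $env:TEMP ("userrights-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }
        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match '^\s*SeDenyInteractiveLogonRight\s*=' } |
            Select-Object -First 1
    }
    finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
    if (-not $line) { return @() }   # right is not defined on this machine

    # Entries are comma-separated: "*S-1-5-..." for SIDs, plain text for names.
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            $sid = [System.Security.Principal.SecurityIdentifier]::new($entry.Substring(1))
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }     # unresolvable SID: report it raw
        }
        elseif ($entry) { $entry }
    }
}

function Test-GroupDeniedLocalLogon {
    param([string]$GroupName = 'EFS Service')
    $denied = @(Get-DenyLocalLogonAccounts)
    # Match "DOMAIN\EFS Service" as well as a bare "EFS Service".
    $hit = $denied | Where-Object { ($_ -split '\\')[-1] -eq $GroupName }
    [pscustomobject]@{
        Group   = $GroupName
        Denied  = [bool]$hit
        Entries = $denied
    }
}

Test-GroupDeniedLocalLogon
```

A result with Denied = False means the GPO edit has not reached this station; check that the correct GPO for the installed CCS or CS version was edited and that it is linked to the station's container.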
