FIM 2010 R2: FIM Service or the FIM Synchronization Service Account does not have Deny Logon As Batch Job set

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Forefront Identity Manager 2010 R2 Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer (https://go.microsoft.com/fwlink/?LinkId=122786).

Product

Forefront Identity Manager 2010 R2

Feature

FIM Synchronization Service

Operating System

Windows Server 2008 R2

Severity

Error

Category

Security

Issue

FIMService – Deny logon as a batch job is not set for the service account.

FIMSyncService – Deny logon as a batch job is not set for the service account.

Rule 109

Impact

FIMService – Some sensitive data may be exposed.

FIMSyncService – Some sensitive data may be exposed.

Resolution

FIMService – Please set Deny logon as a batch job to true for the service account.

FIMSyncService – Please set Deny logon as a batch job to true for the service account.

To set Deny logon as a batch job on a service account, use the following procedure.

To Deny logon as a batch job for the service accounts

  1. Log on to the server that has the FIM Service and/or the FIM Synchronization Service installed.

  2. Click Start, select Administrative Tools, and then click Local Security Policy. This will open the Local Security Policy MMC.

  3. In the Local Security Policy MMC, on the left, expand Local Policies, and then click User Rights Assignment.

  4. Scroll down and double-click Deny logon as a batch job. This will open the Deny logon as a batch job Properties window.

  5. Now, click Add User or Group. This will bring up the Select Users, Computers, Service Accounts, or Groups window.

  6. In the box below Enter the object names to select (examples), type the names of the service accounts, click Check Names, and then click OK.

  7. On the Deny logon as a batch job Properties screen, click Apply, and then click OK.

  8. Close the Local Security Policy.
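To confirm the change took effect (or to audit several servers), the following PowerShell script, added here as an example and not part of the BPA topic, exports the local user rights assignments with secedit and reports whether each FIM service account holds the Deny logon as a batch job right (SeDenyBatchLogonRight). The account names are assumptions; replace them with your own service accounts and run the script from an elevated prompt.

```powershell
# Added example: check that the FIM service accounts are denied batch logon.
# The two account names are placeholders (assumptions), not values from the BPA topic.
$ServiceAccounts = @('CONTOSO\svc-fimservice', 'CONTOSO\svc-fimsync')

# secedit writes the effective local policy, including user rights, to an .inf file.
$cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Only the SeDenyBatchLogonRight line matters for BPA rule 109.
$line = Get-Content $cfg | Where-Object { $_ -match '^SeDenyBatchLogonRight\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

# The value is a comma-separated list; SIDs carry a leading '*', names are plain.
$assigned = @()
if ($line) {
    $assigned = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # Resolve the SID to DOMAIN\name; keep the raw SID if it cannot be resolved.
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }
        } else { $entry }
    }
}

# Report one line per service account; -contains compares case-insensitively.
foreach ($acct in $ServiceAccounts) {
    if ($assigned -contains $acct) {
        Write-Output "OK    : $acct is denied logon as a batch job"
    } else {
        Write-Output "ERROR : $acct is NOT denied logon as a batch job (BPA rule 109)"
    }
}
```

If the right is applied through a domain Group Policy rather than the local policy, the exported local file still reflects the effective setting, so the check reads the same way.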

Additional references

For more information, see the FIM 2010 R2 Deployment Guide (https://technet.microsoft.com/en-us/library/jj134310(v=ws.10))