Where can I get a comprehensive list of changes SharePoint 2010 and 2013 (implemented with least-priveleged security model) make to local security policies? I have only been able to find bits and pieces of this important info from non-Microsoft sources. I need the details to prevent GPO from disabling or modifying access to needed groups and permissions (and breaking things).
Through experience and what I've researched, the IIS_IUSRS local users group needs "Impersonate a Client After Authentication," and at least some service accounts need "Allow log on locally," "Log on as a service" and "Log on as a batch job." Is this correct and if so...which accounts need which permissions? Are there others?
Thanks in advance!