Question
Wednesday, September 2, 2015 3:09 PM
I am almost finished with the exhaustive summer task of transitioning a Server 2003 network with four servers, SQL 2005, and Exchange 2003 to Server 2012, Exchange 2013 and 2014. There's been no end of undocumented bugs and glitches along the way. However, it seems that Microsoft has saved the best for last.
The final task is getting WSUS set up. As per usual, what should have been a straightforward role installation has run into an undocumented brick wall that was inevitable. (If it happens on a fresh install of Server 2012, you KNOW that they didn't beta-test it.)
I found a third party description of the EXACT problem that I'm having, along with the solution:
The solution is to add the "log on as a service" right to NT SERVICE\ALL SERVICES in the group policy management console. The author provides nice illustrations of the steps to take.
Here's where my frustrations really peak. This is HIS Server 2012 (not R2) group policy management console:

And this is MY Server 2012 group policy management console:

No "user rights assignment" section. There's a "delegation" tab, but you can't add NT SERVICE\ALL SERVICES to it -- you get "not found" for both the local machine and the domain. Can anybody tell me how to accomplish what the author accomplished using the limited group policy console I have or a powershell script?
All replies (8)
Thursday, September 3, 2015 6:40 AM ✅Answered | 1 vote
In the left pane, right click the GPO you want to edit and select Edit. Drill down to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment. You'll find Log on as a service in the right pane.
Thursday, September 3, 2015 8:12 AM ✅Answered | 3 votes
No "user rights assignment" section. There's a "delegation" tab, but you can't add NT SERVICE\ALL SERVICES to it --
You are currently on the Group Policy Management Console, you will have to open Group Policy Management Editor to edit/configure a policy setting.
As mentioned by Joey above, you just right click on the GPO you'd like to edit, then select "Edit".

Regards,
Ethan Hua
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com
Thursday, September 3, 2015 9:45 PM ✅Answered
I talked to Microsoft Technical Support, and found out what the problem was. I was trying to install it on a domain controller, and that's a no-no.
https://technet.microsoft.com/en-us/library/ff646928(v=ws.10).aspx
You'd almost think that they'd make it IMPOSSIBLE to ATTEMPT to install it on a domain controller with a warning message, and avoid the white papers, user frustration and service calls, but that would take an extra 10 minutes of programming.
Wednesday, September 2, 2015 9:19 PM | 8 votes
When you define the settings for Log on as a service and you click Add User or Group, simply Type NT SERVICE\ALL SERVICES in the User and group names box. Don't click browse. When you apply the policy to the server it will apply it just as you defined.
Wednesday, September 2, 2015 10:36 PM
The question is where DO you define the settings for log on as a service in the group policy management console I have to work with.
Thursday, September 3, 2015 12:22 PM
Thanks. I had gotten to this point by using the group policy snap-in for MMC, but it's nice to know that server manager allows complete access.
Unfortunately, my bigger problem (see the link in my first message) persists -- NT Service\MSSQL$SQLEXPRESS still will not log in as a service with both it and NT Service\ALL SERVICES added to the log on as a service properties.

Monday, February 24, 2020 8:42 PM
Damn it... Thanks! This was the answer I was looking for. Create the GPO modification on the computer with those accounts on the local machine. Initially I thought that kind of fat fingering would end up with servername\iis apppool * in the GPO. But nope, it keeps the names all proper. Thanks! Aggravating.
Wednesday, March 4, 2020 7:32 PM | 1 vote
Ok, I've solved this the following way. None of the information above was true for me. You couldn't add local groups, you couldn't just not hit "browse", nothing worked. This way worked 100% as expected, and I hope someone marks it as the answer. Not doing it on a domain controller actually did have the problem I expected: you get this long SID that's only recognized on the servers where it is the exact same SID, and I haven't found one that worked that way in a SharePoint farm.
The solution is twofold.
1. You must go to the Computer Policy "Preference" tab, scroll down to Local Users and Groups, and add a group. I left no spaces out of habit, but I took "LogonAsaService" and created it as an empty group, with UPDATE as the action (not Replace or Remove).
2. Go to the Local Rights Assignment area, find the "Log on as a Service" right, add "LogonAsaService", and click OK.
Then do a gpupdate /force on a computer receiving that policy. You will find that the group is now given the permissions in the Local Rights Assignment area, the group now appears as an empty group in Local Users and Groups, AND you can edit that group locally, as it's not overriding the local accounts already in there.
Hope this helps someone.
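Since the original question also asked for a PowerShell route, and the last reply ends with checking the result after gpupdate /force, here is an added example (not code from any poster in this thread) that grants "Log on as a service" (SeServiceLogonRight) locally with secedit and then verifies who holds it. It assumes an elevated PowerShell session on Windows Server 2012 or later; the function names are my own.

```powershell
# Added example: grant or inspect the SeServiceLogonRight on the local machine via secedit.
# Assumes an elevated session; NT SERVICE\ALL SERVICES is the well-known SID S-1-5-80-0.

function Get-ServiceLogonRight {
    # Export only the user-rights area and return the entries behind SeServiceLogonRight.
    $cfg = Join-Path $env:TEMP 'userrights-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' } | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # Entries are comma separated; SIDs carry a leading '*', names appear as typed.
    return @(($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() })
}

function Resolve-PrincipalSid {
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'NT SERVICE\ALL SERVICES'
    # Virtual service accounts such as NT SERVICE\MSSQL$SQLEXPRESS only resolve on a
    # machine where that service actually exists, which is why "browse" fails elsewhere.
    $domain, $name = $Account -split '\\', 2
    $nt = New-Object System.Security.Principal.NTAccount($domain, $name)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Grant-ServiceLogonRight {
    param([Parameter(Mandatory)][string[]]$Account)
    # Merge with the current holders so existing service accounts keep the right.
    $current = @(Get-ServiceLogonRight)
    $wanted  = @(foreach ($a in $Account) { '*' + (Resolve-PrincipalSid $a) })
    $merged  = @($current + $wanted | Select-Object -Unique) -join ','
    $inf = Join-Path $env:TEMP 'userrights-import.inf'
    $db  = Join-Path $env:TEMP 'userrights-import.sdb'
    @(
        '[Unicode]', 'Unicode=yes',
        '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
        '[Privilege Rights]', "SeServiceLogonRight = $merged"
    ) | Set-Content -Path $inf -Encoding Unicode
    secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
}

# Usage: grant locally, then confirm. A GPO that defines this right replaces the local
# list at the next refresh (gpupdate /force), so re-run the check after the policy applies.
Grant-ServiceLogonRight -Account 'NT SERVICE\ALL SERVICES'
$allServices = '*' + (Resolve-PrincipalSid 'NT SERVICE\ALL SERVICES')   # '*S-1-5-80-0'
if ((Get-ServiceLogonRight) -contains $allServices) { 'ALL SERVICES holds SeServiceLogonRight' }
```

Running Get-ServiceLogonRight after gpupdate /force shows whether the GPO kept or replaced the local entries, which is the symptom the earlier replies argue about.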