Consequences of adding service accounts to the Administrators group

  • Question

  • After a Windows 7 workstation was added to a Windows Server 2003 AD domain and rebooted a couple of times, the workstation encountered the now-famous yet unresolved "Access Denied" error while starting the DHCP Client and Diagnostic Policy Services. As has been described in several other threads, adding W7 or Vista workstations to a W2K3 domain can result in various services failing to start with that error, always involving those two services and, especially on Vista, several others. Other symptoms of the problem include getting the message "The RPC server is unavailable" in various situations when trying to perform some remote operations on an affected workstation, such as running a remote resultant set of policy check on the workstation from another machine. Even after removing an affected workstation from the domain, the problems persist. Importing a fresh local security policy does not solve the problem.

    Various solutions to the problem have been proposed, including giving the Local Service and Network Service accounts on the local machine full access to the DHCP and TCPIP registry keys or to the entire Services key, and moving the affected workstations to a separate organizational unit which blocks inheritance of the domain's group policy (thus making one wonder why Active Directory is useful for anything but primarily managing user accounts). The only solution that worked in this situation (only to get DHCP running again; I'm still working on the Diagnostic Policy Service failure) was to add the local machine's Local Service and Network Service to the local Administrators group (they were not made administrators in the domain).

    Since this installation must be HIPAA compliant, I'm wondering what the security risks and consequences might be from taking that action.  I'll be grateful for any comments.

    Monday, May 2, 2011 6:34 AM
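A local audit of the two changes discussed in the post, added here as an example and not part of the original thread. It assumes PowerShell 2.0 or later (the version shipped with Windows 7) and local administrator rights; it reports whether LOCAL SERVICE or NETWORK SERVICE is a member of the local Administrators group and which explicit rights those accounts hold on the Dhcp, Tcpip and Services registry keys, so the group-wide fix can be compared against the narrower key-level grant.

```powershell
# Added audit example, not from the original thread. Assumes PowerShell 2.0+
# (as shipped with Windows 7) and local administrator rights to read the
# Administrators group membership and the Services registry keys.

# Well-known SIDs of the two built-in service accounts the post discusses.
$serviceAccounts = @{
    'S-1-5-19' = 'NT AUTHORITY\LOCAL SERVICE'
    'S-1-5-20' = 'NT AUTHORITY\NETWORK SERVICE'
}

# 1. Does either service account sit in the local Administrators group?
#    The WinNT ADSI provider is used so this also runs on PowerShell 2.0.
$group   = [ADSI]'WinNT://./Administrators,group'
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    # objectSid is returned as a byte array; convert it to its string form.
    $bytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
    (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}
foreach ($sid in $serviceAccounts.Keys) {
    $inAdmins = $members -contains $sid
    '{0,-32} in local Administrators: {1}' -f $serviceAccounts[$sid], $inAdmins
}

# 2. Which rights do those accounts hold on the registry keys named in the
#    other proposed fixes? Explicit (non-inherited) entries show whether a
#    key-level grant is in place instead of membership in Administrators.
$keys = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dhcp',
        'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip',
        'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($key in $keys) {
    $acl = Get-Acl -Path $key
    foreach ($ace in $acl.Access) {
        # Normalise the identity to a SID so renamed or unresolved names match.
        $id = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($serviceAccounts.ContainsKey($id)) {
            '{0}: {1} {2} {3} (inherited: {4})' -f $key, $serviceAccounts[$id],
                $ace.AccessControlType, $ace.RegistryRights, $ace.IsInherited
        }
    }
}
```

Run it elevated on an affected workstation before and after reverting the group change to confirm that only the intended key-level entries remain.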