Server GPO granting "log on as service" is deleting existing accounts if they already exist

    Question

  • I have some GPOs that I apply to all my servers, one of which sets up a few global service accounts with the "Logon as a Service" right.  The problem is that if I apply this GPO to a server that already has custom entries in there (like any SQL Server with the "NT SERVER\*" accounts) those existing entries are deleted when the GPO is applied.

    I need the GPO to simply ADD the names of my service accounts without deleting whatever is there.

    I read about "loop-back" processing and "merge vs replace" but this appears to only affect "User Configuration".  The GPO setting in question is under Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignment.

    Like I said, my current show-stopping issue is my SQL servers, which all have server-specific accounts that have been granted the "log on as service" rights during the installation of SQL Server.  If I apply this policy, SQL Server services are no longer able to start on the server.  Obviously I can't add server-specific accounts to my GPO; the list would become unmanageable almost immediately.

    How do I make this policy ADDITIVE instead of DESTRUCTIVE?  Any ideas would be appreciated!

    Friday, August 28, 2015 9:01 PM

All replies

  • Hi,
     
    It's true that doing this with GPO will overwrite existing accounts with the privilege.
     
    Instead of configuring this with GPO, I have seen some users report that they managed to append to the account list with the NTRights utility from a command prompt. You might have a try and see if it works for you.
     
    For example:
     
    ntrights.exe +r SeServiceLogonRight -u domain\account (https://support.microsoft.com/en-us/kb/279664)
     
    You can then easily integrate this with some scripts for your specific deployment environment. I am not sure what version of the server you are using; this utility is included in the Windows Server 2003 Resource Kit Tools, but it has also been reported to work well on Windows Server 2008.
     
    Hope this helps.
     

    Regards,

    Ethan Hua



    Wednesday, September 02, 2015 7:13 AM
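    As an added example (not from the thread or from Microsoft), the following PowerShell script does the same additive grant without relying on the Resource Kit's ntrights.exe: it exports the current local User Rights Assignment with secedit, merges the wanted accounts into the existing SeServiceLogonRight entry, and imports the result. Because it only appends, per-server entries such as the SQL Server NT SERVICE accounts survive. The account names are placeholders, the script must run elevated, and it assumes the GPO no longer defines this right; as the thread notes, a GPO that still sets the right will overwrite local changes on the next policy refresh, so the intended use is to drop the setting from the GPO and deploy this as a computer startup script instead.

```powershell
# Added example, not code from the thread. Appends accounts to SeServiceLogonRight
# on the local machine while keeping whatever is already granted.
# Requires an elevated prompt. Account names below are placeholders.
param(
    [string[]]$AccountsToAdd = @('CONTOSO\svc-monitoring', 'CONTOSO\svc-backup')
)

$right = 'SeServiceLogonRight'
$work  = Join-Path $env:TEMP 'userrights-merge'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'current.inf'
$db  = Join-Path $work 'merge.sdb'

# 1. Export the effective local User Rights Assignment (USER_RIGHTS area only).
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

# 2. Resolve each account to a SID. secedit's INF format stores rights as *S-1-... tokens,
#    which avoids ambiguity between local and domain names with the same short form.
$sids = foreach ($acct in $AccountsToAdd) {
    try {
        $nt  = New-Object System.Security.Principal.NTAccount($acct)
        $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
        "*$sid"
    } catch {
        Write-Warning "Cannot resolve '$acct'; skipping it"
    }
}
if (-not $sids) { throw 'No accounts could be resolved; nothing to do' }

# 3. Merge into the existing entry (or create one under [Privilege Rights]).
$lines = @(Get-Content -Path $inf)
$match = $lines | Select-String -Pattern "^$right\s*=" | Select-Object -First 1

if ($match) {
    $i        = $match.LineNumber - 1
    $existing = ($lines[$i] -split '=', 2)[1] -split ',' |
                ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $merged   = @($existing) + @($sids) | Select-Object -Unique
    $lines[$i] = "$right = " + ($merged -join ',')
} else {
    $hdr = ($lines | Select-String -Pattern '^\[Privilege Rights\]' | Select-Object -First 1)
    if (-not $hdr) { throw 'Export has no [Privilege Rights] section; aborting' }
    $h = $hdr.LineNumber - 1
    $lines = $lines[0..$h] + ("$right = " + ($sids -join ',')) + $lines[($h + 1)..($lines.Count - 1)]
}

# 4. Write the merged template (secedit expects Unicode) and import only the user-rights area.
Set-Content -Path $inf -Value $lines -Encoding Unicode
secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit configure failed with exit code $LASTEXITCODE" }

# 5. Show the resulting entry so the change can be checked against the pre-existing list.
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
Get-Content -Path $inf | Select-String -Pattern "^$right\s*="
```

    The final export is worth keeping in the deployment log: comparing it with the pre-change line is the quickest way to confirm that a server's own service accounts (the NT SERVICE entries in this thread) were not dropped.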
  • Unfortunately, I don't consider that a good answer AT ALL.  I have over 100 servers to manage, and the last thing I need is to implement a kludgey batch file or some other semi-manual process, and somehow figure out another kludgey way to apply that to just a few servers...  I am trying to DECREASE my management burden, not INCREASE IT!!!

    To not have the flexibility to append/overwrite/reset from the GPM console is disappointing to say the least.

    I tried re-applying the changes locally, but predictably the GPO stomped them out again. 

    I did NOT want to have to add something to my master GPO that is just for a few servers, but it appears I am stuck doing just that.  So far, it's only my SQL Services that use NT SERVICE accounts to log in.  So I resolved the issue by adding "NT SERVICE\ALL SERVICES" to my GPO.  This is not a good answer either, but it is evidently the lesser of evils, if your response is truly the only other Microsoft-approved resolution...

    Tuesday, September 08, 2015 11:39 PM
  • We have met the same issue before; what we do is what Ethan suggested, using ntrights.exe to grant the permission. It will extend, not replace, your existing list.

    Tuesday, September 15, 2015 2:09 AM