Add an NT Service Account or SID to Active Directory GPO

Question

  • I am installing and STIG'ing SQL Server 2012 on a Windows 2012 R2 Server.  The default install (and the configuration called for in the DISA STIG: SV-53422r3_rule) configures the SQL Server Service and SQL Agent Service to each run under a dedicated NT SERVICE account.  This is great, except we have long since locked down User Rights Assignments via GPO for compliance with the Windows Server STIGs, and since GPOs trump Local Security configuration, these accounts do not have the correct rights.  In order to allow these service accounts the required privileges I now need to create a GPO to override those settings and specifically include the NT SERVICE accounts for the SQL Server Service and the SQL Agent Service.  And this is where I am hitting a wall.  In the Group Policy Management Console, I cannot assign rights to an account with "NT SERVICE\MSSQLSERVER".  I receive the error: The following accounts could not be validated: NT SERVICE\MSSQLSERVER.

    I have tried adding the SID directly but have had no luck here either.  I can enter and it is accepted; but, it does not grant the required rights on the server.  I suspect it's not actually mapping to the user account.

    In looking for an answer, I did find this two-and-a-half-year-old thread; but it provides no answers.  I cannot even implement the workaround, as my domain controllers are not at 2008R2 and so I cannot use the NT SERVICE\ALL SERVICES account (also cannot be validated).  And this ignores the permissions creep which this creates on the server (the whole point of having dedicated service accounts).

    So, I guess I'm looking to answer at least one of two questions: 

    1. How can I add an NT SERVICE account from my SQL to an Active Directory GPO?

    2. Is there any way to use a SID directly when creating a GPO?

    Wednesday, December 09, 2015 3:47 PM

Answers

  • > Agent Service.  And this is where I am hitting a wall.  In the Group
    > Policy Management Console, I cannot assign rights to an account with "NT
    > SERVICE\MSSQLSERVER".  I receive the error: The following accounts could
    > not be validated: NT SERVICE\MSSQLSERVER.
     
    Do that on the SQL server - and in the object picker, choose the local
    server :)
     
     
    • Marked as answer by John-NewGUID Wednesday, December 09, 2015 8:31 PM
    Wednesday, December 09, 2015 4:10 PM
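    The reason the accepted answer works is that NT SERVICE\<service> is a per-service virtual account (an S-1-5-80-... SID) that only exists on the machine running the service, so a domain controller cannot resolve it. The following PowerShell is an added example, not code from the thread: run elevated on the SQL Server, it resolves the virtual account locally and reads the effective User Rights Assignment (local policy after GPO processing) to confirm the account actually holds the rights it needs. It assumes the default instance name MSSQLSERVER from the question; the list of rights to check is the set Microsoft documents SQL Server setup granting to the engine account and should be adjusted to your own baseline.

```powershell
# Added example (not from the thread). Run elevated on the SQL Server itself,
# never on a DC: virtual accounts are local-only principals.
$svc = 'MSSQLSERVER'   # assumption: default instance; SQL Agent is 'SQLSERVERAGENT'

# Resolve NT SERVICE\<svc> -> S-1-5-80-... . On a DC this Translate() call throws
# IdentityNotMappedException, which is the same failure the GPMC object picker reports.
$account = New-Object System.Security.Principal.NTAccount('NT SERVICE', $svc)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
"NT SERVICE\$svc resolves locally to $sid"

# Export the effective local security policy (what GPO + local settings left in
# place) and collect every User Right whose grantee list contains this SID.
# secedit writes SIDs prefixed with '*', e.g.  SeServiceLogonRight = *S-1-5-80-...,*S-1-5-...
$inf = Join-Path $env:TEMP 'secpol-userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$grantedRights = foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and (($Matches[2] -split ',').Trim() -contains "*$sid")) {
        $Matches[1]
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Rights to verify. Adjust to the baseline your STIG/GPO is supposed to deliver.
$required = 'SeServiceLogonRight',            # Log on as a service
            'SeAssignPrimaryTokenPrivilege',  # Replace a process level token
            'SeChangeNotifyPrivilege',        # Bypass traverse checking
            'SeIncreaseQuotaPrivilege'        # Adjust memory quotas for a process

foreach ($right in $required) {
    $state = if ($grantedRights -contains $right) { 'granted' } else { 'MISSING - GPO is overriding the local grant' }
    '{0,-32} {1}' -f $right, $state
}
```

    A MISSING line after a `gpupdate /force` confirms the domain GPO is still overriding the local grant; once the GPO carries the locally resolved SID as the answer describes, the same check should report every right as granted.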

All replies

  • This ended up working, just had to unroll our Active Directory security configuration long enough to log on to the SQL Server as a domain admin.  Not ideal; but, got the job done.  Thanks.
    Wednesday, December 09, 2015 8:33 PM