GPO policy item stops cluster services from starting

    Question

  •  2-node multi-subnet W2016 failover cluster running SQL2016

    GPO policy is applied - policy item “Deny access to this computer from the network” has “NT AUTHORITY\Local account and BUILTIN\Guests” listed in the setting.

    W2016 cluster services will not start with this policy item in place.
    After removing “NT AUTHORITY\Local account” from this setting, the Cluster Service started successfully.

    Is this expected behaviour?

    Is there a modification we can make to the policy setting that will retain the setting to deny local accounts but enable cluster services to start?

    Is there an option to use a domain service account to run cluster services on W2016 instead of CLIUSR?
    Wednesday, April 17, 2019 2:41 PM
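
The setting described in the question can be read back on a cluster node before and after a policy change. The PowerShell below is an added example, not part of the original thread: it assumes an elevated prompt, dumps the applied user rights with `secedit /export`, and lists who holds the deny right; the function name `Get-DenyNetworkLogonEntries` and the temp file name are hypothetical.

```powershell
# Added example: list the principals in "Deny access to this computer from the network"
# (SeDenyNetworkLogonRight) as currently applied on this node. Run elevated.

# Well-known SIDs (fixed Windows values) for the principals named in the question
$wellKnown = @{
    'S-1-5-113'    = 'NT AUTHORITY\Local account'
    'S-1-5-114'    = 'NT AUTHORITY\Local account and member of Administrators group'
    'S-1-5-32-546' = 'BUILTIN\Guests'
}

function Get-DenyNetworkLogonEntries {
    param([string[]]$InfLines)
    # secedit writes the right as: SeDenyNetworkLogonRight = *S-1-5-113,*S-1-5-32-546
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeDenyNetworkLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return @() }          # right not defined on this machine
    $value = ($line -split '=', 2)[1]
    foreach ($entry in ($value -split ',')) {
        $id = $entry.Trim().TrimStart('*')  # SIDs are prefixed with '*', names are not
        if (-not $id) { continue }
        $name = if ($wellKnown.ContainsKey($id)) { $wellKnown[$id] } else {
            # Resolve other SIDs to account names; keep the raw entry if that fails
            try {
                ([System.Security.Principal.SecurityIdentifier]$id).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $id }
        }
        [pscustomobject]@{
            Entry                  = $id
            Name                   = $name
            CoversAllLocalAccounts = ($id -eq 'S-1-5-113')
        }
    }
}

# Export only the user-rights area of the applied security policy, then parse it
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'   # hypothetical file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$entries = Get-DenyNetworkLogonEntries -InfLines (Get-Content $cfg)
Remove-Item $cfg

$entries | Format-Table -AutoSize
if ($entries | Where-Object CoversAllLocalAccounts) {
    Write-Warning ('NT AUTHORITY\Local account (S-1-5-113) is in the deny right; ' +
        'this is the entry whose removal let the Cluster Service start in the question.')
}
```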

All replies

  • Hi,

    Thanks for posting in our forum!

    1. We should not make any changes to this strategy, which will affect the normal operation of our cluster.

    2. NO, we cannot modify policy settings.

    3. No, we should use CLIUSR to run cluster services on W2016.

    Hope this information can help you. If you have any questions, please feel free to let me know.

    Best Regards,

    Daniel


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, April 18, 2019 8:49 AM
    Moderator
  • Hi,
    Just want to confirm the current situation.
    Please feel free to let us know if you need further assistance.
    Best Regards,
    Daniel

    Monday, April 22, 2019 6:52 AM
    Moderator
  • Hi,
    This is Daniel, and I wish you all the best!
    Since you have not responded for a long time, we will temporarily archive this post.
    If the reply helped you, please remember to mark it as an answer.
    If you have any questions, please do not hesitate to contact us.
    Best Regards,
    Daniel

    Wednesday, April 24, 2019 7:27 AM
    Moderator