Skip to content

User Rights Assignment Log On As A Service

Thanks for the links, Chris. I've often wondered about the specific effects of privileges like "BypassTraverseChecking" but never bothered to look them up.

I was having interesting problems getting a service to run and discovered that it didn't have access to it's files after the initial installation had been done by the administrator. I was thinking it needed something in addition to Logon As A Service until I found the file issue.

1) Disabled simple file sharing. 2) Temporarily made my service account an administrator. 3) Used the service account to take ownership of the files. 4) Remove service account from the administrators group. 5) Reboot.

During Take Ownership, it was necessary to disable inheritance of permissions from the parent directories and apply permissions recursively down the tree.

Wasn't able to find a "give ownership" option to avoid making the service account an administrator temporarily, though.

Anyway, thought I'd post this in case anyone else was going down the same road I was looking for security policy issues when it was really just filesystem rights.

answered Jan 5 '10 at 2:28

During the installation of windows vCenter 6.0 be it a Platform Services Controller or  vCenter Server machine, at the very beginning of installation one might encounter a pop-up warning stating that: The user group “NT SERVICE/ALL SERVICES” does not have a log on as a service user right as shown below:

Windows vCenter 6.0 Install Error

In an effort to increase the security of the vCenter Server, starting from vSphere 6.0 VMware has replaced the use of local service account in vCenter Server with multiple virtual account. In simple terms a virtual account for every service which would limit the vulnerability to a particular service in the event of a particular account being compromised. For more information Please refer to VMmware KB 2124709.

But how do we assign that user right ?

Assuming that vCenter is a member of a domain, the answer would be to edit the group policy on domain controller and update it. Let’s see how it is done.

  1. First login to the DC machine
  2. Open RUN and type mmc and press enter
  3. I would open a console, click on Add or Remove snap-in from the File menu
  4. In Add or Remove snap-in window, select Group Policy Management Editor, click add.
  5. Click browse on the group policy wizard and select Default domain Policy, click OK.
  6. Click Finish and then OK.
    Edit Domain Group Policy

  7. Go to Default Domain Policy>Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignments.
    Edit “Log on as a service”

  8. Right Click on Log on as a service, Select properties.
  9. In the properties window, select Define these policy settings check box and click on Add User or Group button.
  10. Type NT SERVICE/ALL SERVICES and click OK.
    Add “NT Services/All Services”

  11. Now go to command prompt and type gpupdate/force to update the policy.
  12. Also enforce the updated group policy on the proposed vCenter machine too by performing gpupdate/force over command prompt.

That’s all

Note: vCenter would also requires log on as a service user right for the account that would be used for vcenter installation as well as the SYSTEM, etc,. 

 

Useful Resources:
1.  http://blogs.technet.com/b/canitpro/archive/2013/05/23/windows-server-2012-and-group-policy.aspx

2.  http://me.go-unified.com/ssign-log-on-as-a-service-user-rights-to-a-local-system-account-via-gpo-using-wmi-filters/

3.  http://www.itcrumbs.com/?p=265

 

This entry was posted in Home, VMware, vSphere6 and tagged NT SERVICE, vCenter6. Bookmark the permalink.