Hi, I'm a DBA installing SQL Server 2012. SQL Server setup is creating service SIDs (e.g., NT SERVICE\MSSQLSERVER, NT SERVICE\MsDtsServer110, etc.) and granting them rights (e.g., SeServiceLogonRight, SeAssignPrimaryTokenPrivilege, etc.).
Our GPO is removing rights from the service SIDs created by SQL setup. We have been unable to add a service SID to GPO. I think there is an error that the account does not exist. We can add just the name (e.g., MSSQLSERVER, MsDtsServer110, etc.), but this does not seem to work as rights on the service SID are still removed.
We did add NT SERVICE\ALL SERVICES (no error) and grant it SeServiceLogonRight. I think this covers all service SIDs. This appears to be working; however, I’m reluctant to grant some of the other rights to all services using service SIDs.
Are only “well known” service SID values valid in GPO? Is there any way to add a service SID such as "NT SERVICE\MsDtsServer110" into GPO? Is there a best practice for handling service SIDs and group policy?
Thanks.
Randy in Marin