Doraevon (United States of America) asked:
Changing RPC Service to use "NT Authority\Network Service" account

While troubleshooting a Windows 2003 Server (R2) domain controller issue, part of the solution was to change the "Log on" for the RPC service from "NT Authority\Network Service" account to the "Local System" account. This allowed me to get all the services running again and make all the necessary changes to allow the DC to function properly. The problem appeared after applying the KB935966 RPC patch and rebooting the domain controller, so I've backed out the patch.

Does anyone know of a way to switch the "Log on" for the RPC service back to "NT Authority\Network Service" account? When I go into the service properties now, the ability to change the "Log on" is completely grayed out.

I've searched Google and pages of stuff here, but haven't found a reference to this particular problem. How critical is making this change back to the "Network Service" account? Microsoft obviously thought it was better for security, so I'd like to make sure this is configured properly before attempting to re-apply the patch.
RightNL:

Since it's a DC I wouldn't really care, since the local system is an NT AUTHORITY in its DC role.

On all of our DCs (we have 100+) it's set to Network Service.

Leave it... in this case, if it ain't broken, don't fix it!!
Doraevon (asker):

Thanks. Since using the "Local System" account was the pre-SP1 way that the RPC Service was set up, I think things will work okay.

The problem (if it's really a problem) is that prior to my patch issue, the RPC Service WAS running with the "Network Service" account. To help resolve the problem, it let me change the "Log On as" to the "Local System" account, but it won't let me change it back to the "Network Service" account.

I'm absolutely 100% behind the "if it ain't broke..." philosophy -- especially with a DC. But I just want to be sure that I'm not opening myself up to a serious security problem by leaving the RPC Service running with the "Local System" account. Microsoft had a reason for changing to the "Network Service" account for RPC and I want to make sure I'm not messing up future updates/patches by leaving it set to "Local System" account.
RightNL (asker-certified solution; text available to members only)
One of the things I discovered is that the Domain Controller Security Policy for "Impersonate a client after authentication" (located in the User Rights Assignment section of Local Policy) did not have the SERVICE group or the Administrators group. As a result, RPC (running as "Network Service") would start, but other services couldn't communicate with RPC because of the missing entries in the policy.

Because this is the primary DC (with all the FSMO roles) and several services weren't starting up, I couldn't even edit the policy while this situation continued. That's why I changed the RPC Service to run as "Local System", which allowed me to edit the policy and add the SERVICE and Administrators groups to the policy.

Maybe I should just try to re-apply the patch again now that I've got the group policy setting fixed.

Ahh... the joys of System Administration...   ;-)

I still wish I could find a way to directly set the RPC Service back to the "Network Service" account... but sometimes we just don't get things our way... do we?  ;-)
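The post above turns on two things an administrator would want to verify before and after re-applying a patch: which account the RPC service is actually running as, and whether the "Impersonate a client after authentication" user right (SeImpersonatePrivilege) still includes the SERVICE and Administrators groups. The following audit script is an added example, not code from the thread or from Microsoft; it assumes a Windows host with Windows PowerShell and `secedit.exe`, run from an elevated prompt, and it only reads the current state, it does not change the service or the policy.

```powershell
# Added example (not from this thread): audit the RPC service logon account and
# the holders of the "Impersonate a client after authentication" user right.
# Assumes Windows PowerShell and secedit.exe are available; run elevated.

# 1. Which account is the RPC service (service name RpcSs) configured to run as?
$rpc = Get-WmiObject -Class Win32_Service -Filter "Name='RpcSs'"
"RpcSs runs as: $($rpc.StartName) (state: $($rpc.State))"

# 2. Export the effective local security policy (user rights only) and pull
#    the SeImpersonatePrivilege line, which looks like:
#    SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'   # constructed temp path
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

# 3. Resolve the '*SID' entries to account names so the list is readable.
$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $v = $_.Trim()
        if ($v.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($v.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $v }   # keep the raw SID if it cannot be translated
        } else { $v }
    }
}
"SeImpersonatePrivilege holders: $($holders -join '; ')"

# 4. Flag the two entries the post found missing on the DC. The right is
#    normally held by Administrators, SERVICE, LOCAL SERVICE and NETWORK SERVICE.
$expected = @('NT AUTHORITY\SERVICE', 'BUILTIN\Administrators')
foreach ($e in $expected) {
    if ($holders -contains $e) { "OK      $e" } else { "MISSING $e" }
}
```

If the script reports a MISSING entry, the fix is the one the post describes: add the group back under Local Policies, User Rights Assignment, "Impersonate a client after authentication" (on a DC, in the Domain Controller Security Policy) and re-run the audit; if RpcSs still reports an unexpected StartName afterwards, that matches the thread's observation that the Log On tab alone will not put it back.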
Does anyone have any idea how to change the "Log on as..." for the RPC Service back to the "Network Service" account? As noted in previous posts, this cannot be done in the normal way by just going to the "Log on" tab in the Properties -- everything is grayed out.  I really don't want to re-apply service packs just to fix this one problem, but if that's the only way to make the change...  such is life.
I would re-apply the fix; it's probably the only way. I have had this kind of stuff with installing service packs and hotfixes that were removed, etc. etc. It takes you days to f%#k around and at the end of the day just re-applying is a lot faster and does the same.

Thanks RightNL -- I'll give that a try in the next day or two. I'm in the middle of migrating from Exchange 2000 to Exchange 2003 right now, so I don't want to mess with the DC just now...  ;-)
The fix was to re-apply SP2. Just re-applying the single patch didn't change the "Log On" credentials for the RPC Service, but re-running SP2 fixed it.