Solved

Changing RPC Service to use "NT Authority\Network Service" account

Posted on 2007-08-08
Last Modified: 2012-08-13
While troubleshooting a Windows 2003 Server (R2) domain controller issue, part of the solution was to change the "Log on" for the RPC service from "NT Authority\Network Service" account to the "Local System" account. This allowed me to get all the services running again and make all the necessary changes to allow the DC to function properly. The problem appeared after applying the KB935966 RPC patch and rebooting the domain controller, so I've backed out the patch.

Does anyone know of a way to switch the "Log on" for the RPC service back to "NT Authority\Network Service" account? When I go into the service properties now, the ability to change the "Log on" is completely grayed out.

I've searched Google and pages of stuff here, but haven't found a reference to this particular problem. How critical is making this change back to the "Network Service" account? Microsoft obviously thought it was better for security, so I'd like to make sure this is configured properly before attempting to re-apply the patch.
Question by:Doraevon
8 Comments
 

Expert Comment

by:RightNL
ID: 19654331
Since it's a DC I wouldn't really care, since the local system is an NT AUTHORITY in its DC role.

On all of our DCs (we have 100+) it's set to Network Service.

Leave it .. in this case if it ain't broken don't fix it!!
 

Author Comment

by:Doraevon
ID: 19654676
Thanks. Since using the "Local System" account was the pre-SP1 way that the RPC Service was set up, I think things will work okay.

The problem (if it's really a problem) is that prior to my patch issue, the RPC Service WAS running with the "Network Service" account. To help resolve the problem, it let me change the "Log On as" to the "Local System" account, but it won't let me change it back to the "Network Service" account.

I'm absolutely 100% behind the "if it ain't broke..." philosophy -- especially with a DC. But I just want to be sure that I'm not opening myself up to a serious security problem by leaving the RPC Service running with the "Local System" account. Microsoft had a reason for changing to the "Network Service" account for RPC and I want to make sure I'm not messing up future updates/patches by leaving it set to "Local System" account.
 

Accepted Solution

by:
RightNL earned 1500 total points
ID: 19654719
It's strange .. because I have the ability to change it to a local system account.. ;o)

Try to reinstall the SP2 ;o) it will work.. or I do think there is a post-SP2 RPC patch we needed this one.

I think it's KB908521 or it might be 903651

 

Author Comment

by:Doraevon
ID: 19654936
One of the things I discovered is that the Domain Controller Security Policy for "Impersonate a client after authentication" (located in the User Rights Assignment section of Local Policy) did not have the SERVICE group or the Administrators group. As a result, RPC (running as "Network Service") would start, but other services couldn't communicate with RPC because of the missing entries in the policy.

Because this is the primary DC (with all the FSMO roles) and several services weren't starting up, I couldn't even edit the policy while this situation continued. That's why I changed the RPC Service to run as "Local System", which allowed me to edit the policy and add the SERVICE and Administrators groups to the policy.

Maybe I should just try to re-apply the patch again now that I've got the group policy setting fixed.

Ahh... the joys of System Administration...   ;-)

I still wish I could find a way to directly set the RPC Service back to "Network Service" account... but sometimes we just don't get things our way... do we?  ;-)
 

Author Comment

by:Doraevon
ID: 19661269
Does anyone have any idea how to change the "Log on as..." for the RPC Service back to the "Network Service" account? As noted in previous posts, this cannot be done in the normal way by just going to the "Log on" tab in the Properties -- everything is grayed out.  I really don't want to re-apply service packs just to fix this one problem, but if that's the only way to make the change...  such is life.
 

Expert Comment

by:RightNL
ID: 19661286
I would re-apply the fix. It's probably the only way.. I have had this kind of stuff.. with installing service packs and hotfixes were removed etc etc.. It takes you days to f%#k around and at the end of the day just re-applying is a lot faster and does the same.
 

Author Comment

by:Doraevon
ID: 19661560
Thanks RightNL -- I'll give that a try in the next day or two. I'm in the middle of migrating from Exchange 2000 to Exchange 2003 right now, so I don't want to mess with the DC just now...  ;-)
 

Author Comment

by:Doraevon
ID: 19681244
The fix was to re-apply SP2. Just re-applying the single patch didn't change the "Log On" credentials for the RPC Service, but re-running SP2 fixed it.
0
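A read-only check of the two settings this thread turns on, the RPC service's logon account and the holders of "Impersonate a client after authentication", is sketched below. It is an added example, not part of the original posts; it assumes Windows PowerShell is installed on the server and the session is elevated, and the temp file name is arbitrary.

```powershell
# Added example (not from the thread): read-only audit, changes nothing.
# Assumes Windows PowerShell is installed and the session is elevated.

# 1. Account the RPC service (service name RpcSs) logs on as.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='RpcSs'"
$account = ($svc.StartName -replace '\s', '')
if ($account -ieq 'NTAUTHORITY\NetworkService') {
    Write-Output "RpcSs logs on as $($svc.StartName) (Network Service)"
} else {
    Write-Output "RpcSs logs on as $($svc.StartName), not Network Service"
}

# 2. Holders of "Impersonate a client after authentication"
#    (SeImpersonatePrivilege) in the effective security settings.
$cfg = Join-Path $env:TEMP 'user_rights_audit.inf'   # arbitrary temp path
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg |
    Where-Object { $_ -match '^\s*SeImpersonatePrivilege\s*=' } |
    Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

# Split "SeImpersonatePrivilege = *S-1-5-6,*S-1-5-32-544,..." into entries.
$holders = @()
if ($line) {
    $holders = $line.Substring($line.IndexOf('=') + 1).Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') }
}

# Well-known SIDs for the two groups the thread found missing.
$required = @{
    'S-1-5-6'      = 'SERVICE'
    'S-1-5-32-544' = 'BUILTIN\Administrators'
}
foreach ($sid in $required.Keys) {
    # secedit normally writes SIDs; accept the account name as well.
    $name  = $required[$sid]
    $short = $name.Split('\')[-1]
    if (($holders -contains $sid) -or ($holders -contains $name) -or
        ($holders -contains $short)) {
        Write-Output "OK      $name holds SeImpersonatePrivilege"
    } else {
        Write-Output "MISSING $name ($sid) lacks SeImpersonatePrivilege"
    }
}
```

Running it before and after a service pack or RPC patch shows whether either setting changed.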
