Brad Groux
asked on
How can I Remove an Account from "Log on as a service" Local Security Settings?
I am having an issue with a service account that has been granted Log on as a service access. I'd like to remove the sp_admin account seen in the attached screenshot from the Log on as a service. However, the option to remove the account is greyed out.
With Server 2003 you could revoke Log on as a service access utilizing NTRights.exe, but I haven't been able to locate the PowerShell equivalent.
BACKGROUND: The account in question is the SharePoint installation service account for my SharePoint 2013 farm. I'm guessing at some point in my SharePoint installation it was added to Log on as a service. I did not add it myself. I did create "Service Rights" group for my SharePoint farm, search, and crawl accounts as per best practice.
PROBLEM: This service account keeps registering itself as the logon account for the AppFabricCaching Service, regardless of how many times I set the service to use the farm account instead.
EXAMPLE: I set the AppFabricCachingService RunAs account following Microsoft guidelines (source).
sc.exe config AppFabricCachingService obj= domain\sp_farm password= *********
TROUBLESHOOTING: I've verified by running gpresult that this isn't being set by a group policy. I've also ensured that I was logged in as a local administrator and even a domain administrator - yet I still don't have the option to remove this account. I have found several PowerShell scripts online that allow you to set an account to Log on as a service, but I haven't found anything that lets you remove an account.
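The removal the question asks for, as an added example that is not part of the original thread or of any answer in it: on Server 2012 there is no cmdlet equivalent of "ntrights -r SeServiceLogonRight", but secedit.exe can export the effective user-rights assignments to an INF template, and re-applying that template with one principal deleted from the SeServiceLogonRight line rewrites the holder list for that right. The account name DOMAIN\sp_admin, the temp-folder paths and the script parameters are assumptions chosen to match the question; everything else is standard secedit behaviour.

```powershell
# Added example (not from the original thread): remove one principal from
# "Log on as a service" (SeServiceLogonRight) on the local machine using
# secedit, the Server 2012 counterpart of "ntrights -u <acct> -r SeServiceLogonRight".
# Assumptions: DOMAIN\sp_admin is the account to remove; %TEMP%\secpol is scratch space.
param(
    [string]$Account   = 'DOMAIN\sp_admin',
    [string]$Privilege = 'SeServiceLogonRight'
)

# secedit needs an elevated token; fail early rather than with a cryptic error.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

$work = Join-Path $env:TEMP 'secpol'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'rights.inf'
$db  = Join-Path $work 'rights.sdb'

# 1. Export only the User Rights area of the effective local policy (UTF-16 INF).
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }

# secedit writes principals either as names or as *S-1-5-... SIDs, so compare on SIDs.
$targetSid = ([Security.Principal.NTAccount]$Account).Translate(
                 [Security.Principal.SecurityIdentifier]).Value

function Resolve-Sid([string]$Entry) {
    if ($Entry.StartsWith('*')) { return $Entry.Substring(1) }
    try {
        return ([Security.Principal.NTAccount]$Entry).Translate(
                   [Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $Entry   # orphaned or unresolvable entry: keep it verbatim
    }
}

$lines   = Get-Content -Path $inf -Encoding Unicode
$pattern = "^\s*$Privilege\s*=\s*(.*)$"
$line    = $lines | Where-Object { $_ -match $pattern } | Select-Object -First 1
if (-not $line) { throw "$Privilege is not present in the exported template" }

$current = ($line -replace $pattern, '$1') -split ',' |
           ForEach-Object { $_.Trim() } | Where-Object { $_ }
$keep    = @($current | Where-Object { (Resolve-Sid $_) -ne $targetSid })

if ($keep.Count -eq @($current).Count) {
    Write-Host "$Account does not hold $Privilege on this machine; nothing to do."
    return
}

# 2. Rewrite the template with that one principal removed. The value written is
#    the complete holder list for the right, so every other principal is preserved.
$edited = $lines | ForEach-Object {
    if ($_ -match $pattern) { "$Privilege = " + ($keep -join ',') } else { $_ }
}
Set-Content -Path $inf -Value $edited -Encoding Unicode

# 3. Apply only the User Rights area from the edited template.
secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "secedit /configure failed with exit code $LASTEXITCODE; see $env:windir\security\logs\scesrv.log"
}

# 4. Verify by exporting again and showing who still holds the right.
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$after = (Get-Content -Path $inf -Encoding Unicode |
          Where-Object { $_ -match $pattern } | Select-Object -First 1) -replace $pattern, '$1'
Write-Host "$Privilege is now held by: $after"
```

Two caveats before running this against a production farm node. First, a service that is still configured to run under the removed account will fail to start at its next restart, so set the service's logon account to the intended principal first; the Services MMC snap-in grants "Log on as a service" to whatever account you select, so configuring a service with it will add the account back. Second, if any GPO defines this right, secpol.msc shows the setting read-only and the GPO's list is reapplied at the next security-policy refresh, which undoes a local edit like the one above; in that case the right has to be managed in the GPO.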
Have you looked at rsop.msc to see if there is a "Source GPO" for that setting?
ASKER
Yup, I've done a rsop and gpresult and scoured everything - and there is no mention of that service account anywhere, it is really strange. gpresult and RSOP both show that only NT SERVICE\ALL SERVICES and my ServiceRights group are being applied via GPO - it isn't a GPO doing it (see screenshot).
It is a 4-node SharePoint farm, and this install account has this access on only one server (the one running Distributed Cache), and it is the primary server - so I ran the PowerShell install and configuration scripts from it. I'm guessing this admin account was added during one of those installs.
I even changed the Run As account to NT AUTHORITY\NETWORK SERVICE and it switched back to admin.
sc.exe config AppFabricCachingService obj= "NT AUTHORITY\NETWORK SERVICE"
I'd really just like to know HOW to remove this from a Login as a service... I find it baffling that I could do so in 2003, but not 2012.
Have you tried first stopping the AppFabricCachingService, running the "sc.exe config" and then starting the service?
It could also be a problem with special characters in the password:
http://stackoverflow.com/questions/14408973/using-sc-exe-to-set-service-credentials-password-failing
ASKER CERTIFIED SOLUTION
ASKER
Found a work-around myself.