Solved

How can I Remove an Account from "Log on as a service" Local Security Settings?

Posted on 2014-12-19
7
248 Views
Last Modified: 2014-12-24
I am having an issue with a service account that has been granted Log on as a service access. I'd like to remove the sp_admin account seen in the attached screenshot from the Log on as a service. However, the option to remove the account is greyed out.
Log on as a service
With Server 2003 you could revoke Log on as a service access utilizing NTRights.exe, but I haven't been able to locate the PowerShell equivalent.

BACKGROUND: The account in question is the SharePoint installation service account for my SharePoint 2013 farm. I'm guessing at some point in my SharePoint installation it was added to Log on as a service. I did not add it myself. I did create  "Service Rights" group for my SharePoint farm, search, and crawl accounts as per best practice.

PROBLEM: This service account keeps registering itself as the logon account for the AppFabricCaching Service, regardless of how many times I set the service to use the farm account instead.

EXAMPLE: I set the AppFabricCachingService RunAs account following Microsoft guidelines (source).
sc.exe config AppFabricCachingService obj= domain\sp_farm password= *********

Open in new window


TROUBLESHOOTING: I've verified running a gpresult that this isn't being set by a group policy. I've also insured that I was logged in a local administrator and even a domain administrator - yet I still don't have the option to remove this account. I have found several PowerShell scripts online that allow you to set an account to Log on as a service, but I haven't found anything that lets you remove an account.
0
Comment
Question by:Brad Groux
  • 4
  • 3
7 Comments
 
LVL 14

Author Comment

by:Brad Groux
ID: 40509886
Sorry, I meant to put that I've tried that as well. No-go launching Local Security Policy editor as an administrator either.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 40509891
Have you looked at rsop.msc to see if there is a "Source GPO" for that setting ??
0
 
LVL 14

Author Comment

by:Brad Groux
ID: 40509904
Yup, I've done a rsop and gpresult and scoured everything - and there is no mention of that service account anywhere, it is really strange. gpresult and RSOP both show that only NT SERVICE\ALL SERVICES and my ServiceRights group are being applied via GPO - it isn't a GPO doing it (see screenshot).
D--Temp-ServiceRights.png
It is a 4-node SharePoint farm, and this install account has this access on only one server (the one running Distributed Cache), and it is the primary server - so I ran the PowerShell install and configuration scripts from it. I'm guessing this admin account was added during one of those installs.

I even changed the Run As account to NT AUTHORITY\NETWORK SERVICE and it switched back to admin.

sc.exe config AppFabricCachingService obj= "NT AUTHORITY\NETWORK SERVICE"

Open in new window


I'd really just like to know HOW to remove this from a Login as a service... I find it baffling that I could do so in 2003, but not 2012.
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 47

Expert Comment

by:Donald Stewart
ID: 40509990
Have you tried first stopping the AppFabricCachingService, running the "sc.exe config " and then starting the service ??
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 40509996
It could also be a problem with special characters in the password

http://stackoverflow.com/questions/14408973/using-sc-exe-to-set-service-credentials-password-failing
0
 
LVL 14

Accepted Solution

by:
Brad Groux earned 0 total points
ID: 40510020
I tried with a simple password and complex password - but I figured it out.

I was able to download the Windows Server 2003 Resource Kit Tools, and extract the EXE with 7-Zip, then I was able to extract the MSI with 7-Zip and pull out the ntrights.exe file and run the following command:

ntrights -r SeServiceLogonRight -u "domain\sp_admin"

Open in new window


So, I found a work-around - but I'd really like to know the 2012 equivalent! Apparently,  you can use the PowerShell Community Extensions, but nothing "official" from Microsoft?
0
 
LVL 14

Author Closing Comment

by:Brad Groux
ID: 40516258
Found a work-around myself.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now