<div>
You don't create accounts on Domain Controllers. You create them on the domain controlled by those domain controllers.<br />
Use ADUC to set-up the users. But before you do anything, make sure you know what you are doing. Looks like you need an AD crash course. So stop, do some reading and take some practice before you do anything.
</div>


<div>
What are you trying to do exactly?<br />
<br />

<ul>
<li>Install SEPM on a DC?</li>
<li>Install Symantec AV client on the DC?</li>
</ul>
<br />
If you're trying to install SEPM on a DC, I would not do this. Microsoft would not recommend it and neither do <a href="https://support.symantec.com/en_US/article.TECH162135.html" rel="ugc nofollow">Symantec</a>, as per the quote below.<br />
<br />

<blockquote>
Although SEPM can be installed on any Windows operating system that meets the system requirements, installing SEPM on a server with a critical role, such as a Domain Controller or Exchange server, is not recommended. SEPM provides only management functions, not system protection, and servers with critical roles are likely to need as much as possible of the computer's resources available.
</blockquote>
<br />
That said, AD does not have a local SAM database. So if you are trying to install SEPM on a DC, the local database for a DC is the Active Directory database, so you need to manually configure everything because I doubt SEPM can do what you need it to do. Follow the article <a href="https://support.symantec.com/en_US/article.TECH228988.html" rel="ugc">here</a>. You will need to modify one of your Domain Controller GPO's to give the logon as a service right to NT Service\semsrv. It may or may not resolve, I do not know. As I said I would not be installing this on a DC, I would give SEPM its own host...in fact I would install this on a workstation before I put it anywhere near a DC, but that's just me.<br />
<br />
If you're just installing the AV client, it won't require that semsrv account on the DC to the best of my knowledge.
</div>


<div>
@Learnctx &nbsp;Thanks for your reply<br />
I am not trying to install SEPM on a DC, I have installed it on a server in the domain. SEPM creates the service accounts on the server where it's installed with the Logon as a service user rights. &nbsp;My issue is that the default domain policy overwrites this so I need to add these service accounts to the Logon as a service policy in the default domain policy. I cannot add these service accounts to the Logon as a service policy in the default domain policy as they are not validated. &nbsp;This is my reason for asking about the process of creating service accounts.<br />
<br />
@ferrarista Please don't reply to this thread.<br />
<br />
Thanks
</div>


<div>
Thanks. This is the information that I needed and it resolved my issue.
</div>


<div>
<div class="content wysiwyg-content">
Hello,<br />
<br />
I need to create several service accounts on my Active Directory Domain controller. I am a domain admin. <br />
The OS is Windows 2012 r2 Standard..<br />
Each account is in the form of an NT SERVICE account. Here is an example of one of them; &nbsp;<b>NT SERVICE\semsrv</b><br />
After I create these accounts, I want to add them to the <b>Log on as a service</b> policy using Group Policy Management. <br />
<a href="https://filedb.experts-exchange.com/incoming/2017/12_w49/1213553/service_accounts.png" target="_blank" title="service_accounts.png (138 KB)"><img alt="service_accounts.png" class="file-block lazyload" style="max-width: 555px;" data-src="https://filedb.experts-exchange.com/incoming/2017/12_w49/1213553/service_accounts.png" /></a><br />
How and where do I create my NT SERVICE accounts on my Domain Controller?<br />
<br />
Thanks for your help.
</div>
</div>


service_accounts.png

Hello,

I need to create several service accounts on my Active Directory Domain controller. I am a domain admin. 
The OS is Windows 2012 r2 Standard..
Each account is in the form of an NT SERVICE account. Here is an example of one of them;  NT SERVICE\semsrv
After I create these accounts, I want to add them to the Log on as a service policy using Group Policy Management. 


How and where do I create my NT SERVICE accounts on my Domain Controller?

Thanks for your help.

How do I create a service account on my Active Directory Domain controller?

Windows Server 2012 is the server version of Windows 8 and the successor to Windows Server 2008 R2. Windows Server 2012 is the first version of Windows Server to have no support for Itanium-based computers since Windows NT 4.0. Windows Server 2012, now in its second release (Windows Server 2012 Release 2) includes Foundation, Essentials, Standard and Datacenter, and does not support IA-32 or IA-64 processors.

Windows Server 2012

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.