Charlie_Melega

How do I create a service account on my Active Directory Domain controller?

Hello,

I need to create several service accounts on my Active Directory Domain controller. I am a domain admin.
The OS is Windows 2012 R2 Standard.
Each account is in the form of an NT SERVICE account. Here is an example of one of them: NT SERVICE\semsrv
After I create these accounts, I want to add them to the Log on as a service policy using Group Policy Management.
How and where do I create my NT SERVICE accounts on my Domain Controller?

Thanks for your help.
ferrarista

You don't create accounts on Domain Controllers. You create them on the domain controlled by those domain controllers.
Use ADUC to set up the users. But before you do anything, make sure you know what you are doing. Looks like you need an AD crash course. So stop, do some reading and take some practice before you do anything.
Aard Vark

What are you trying to do exactly?

  • Install SEPM on a DC?
  • Install Symantec AV client on the DC?

If you're trying to install SEPM on a DC, I would not do this. Microsoft would not recommend it and neither does Symantec, as per the quote below.

Although SEPM can be installed on any Windows operating system that meets the system requirements, installing SEPM on a server with a critical role, such as a Domain Controller or Exchange server, is not recommended. SEPM provides only management functions, not system protection, and servers with critical roles are likely to need as much as possible of the computer's resources available.

That said, AD does not have a local SAM database. So if you are trying to install SEPM on a DC, the local database for a DC is the Active Directory database, so you need to manually configure everything because I doubt SEPM can do what you need it to do. Follow the article here. You will need to modify one of your Domain Controller GPOs to give the logon as a service right to NT Service\semsrv. It may or may not resolve, I do not know. As I said, I would not be installing this on a DC, I would give SEPM its own host... in fact I would install this on a workstation before I put it anywhere near a DC, but that's just me.

If you're just installing the AV client, it won't require that semsrv account on the DC to the best of my knowledge.
Charlie_Melega

ASKER

@Learnctx Thanks for your reply.
I am not trying to install SEPM on a DC, I have installed it on a server in the domain. SEPM creates the service accounts on the server where it's installed with the Logon as a service user rights. My issue is that the default domain policy overwrites this so I need to add these service accounts to the Logon as a service policy in the default domain policy. I cannot add these service accounts to the Logon as a service policy in the default domain policy as they are not validated. This is my reason for asking about the process of creating service accounts.

@ferrarista Please don't reply to this thread.

Thanks
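
The overwrite described in the post above, as an added example that is not part of the original thread: a GPO that defines "Log on as a service" replaces the local list of holders instead of merging with it, so any local holder missing from the GPO's list loses the right. The template text, the `CONTOSO\svc_backup` account and the function names are constructed for illustration; only `NT SERVICE\semsrv` comes from the thread.

```python
# Constructed sample: a GPO security template (GptTmpl.inf) that defines
# "Log on as a service". CONTOSO\svc_backup is a hypothetical account.
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-20,CONTOSO\\svc_backup
SeBatchLogonRight = *S-1-5-32-544
"""

# Templates store well-known principals as *SID; map the two used here.
WELL_KNOWN = {
    "*S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "*S-1-5-32-544": "BUILTIN\\Administrators",
}

# Constructed: accounts holding the right locally on the SEPM server.
LOCAL_HOLDERS = ["NT SERVICE\\semsrv", "NT AUTHORITY\\NETWORK SERVICE"]


def parse_privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INF comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            members = [p.strip() for p in value.split(",") if p.strip()]
            rights[name.strip()] = [WELL_KNOWN.get(m, m) for m in members]
    return rights


def accounts_losing_right(inf_text, right, local_holders):
    """Local holders of `right` that are absent from the GPO's list.

    A right the GPO does not define is left alone, so nothing is lost."""
    rights = parse_privilege_rights(inf_text)
    if right not in rights:
        return []
    granted = {p.lower() for p in rights[right]}  # account names are case-insensitive
    return [a for a in local_holders if a.lower() not in granted]


if __name__ == "__main__":
    print(accounts_losing_right(SAMPLE_GPTTMPL, "SeServiceLogonRight", LOCAL_HOLDERS))
```

The same comparison can be run against the `[Privilege Rights]` section of a `secedit /export` file from the affected server to see which rights are in effect after policy is applied.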
ASKER CERTIFIED SOLUTION
Aard Vark
This solution is only available to members.
Thanks. This is the information that I needed and it resolved my issue.