How do I create a service account on my Active Directory Domain controller?

Charlie_Melega used Ask the Experts™

I need to create several service accounts on my Active Directory Domain controller. I am a domain admin.
The OS is Windows 2012 R2 Standard.
Each account is in the form of an NT SERVICE account. Here is an example of one of them: NT SERVICE\semsrv
After I create these accounts, I want to add them to the Log on as a service policy using Group Policy Management.
How and where do I create my NT SERVICE accounts on my Domain Controller?

Thanks for your help.
You don't create accounts on Domain Controllers. You create them on the domain controlled by those domain controllers.
Use ADUC to set up the users. But before you do anything, make sure you know what you are doing. Looks like you need an AD crash course. So stop, do some reading and take some practice before you do anything.

What are you trying to do exactly?

  • Install SEPM on a DC?
  • Install Symantec AV client on the DC?

If you're trying to install SEPM on a DC, I would not do this. Microsoft would not recommend it and neither does Symantec, as per the quote below.

Although SEPM can be installed on any Windows operating system that meets the system requirements, installing SEPM on a server with a critical role, such as a Domain Controller or Exchange server, is not recommended. SEPM provides only management functions, not system protection, and servers with critical roles are likely to need as much as possible of the computer's resources available.

That said, AD does not have a local SAM database. So if you are trying to install SEPM on a DC, the local database for a DC is the Active Directory database, so you need to manually configure everything because I doubt SEPM can do what you need it to do. Follow the article here. You will need to modify one of your Domain Controller GPOs to give the logon as a service right to NT Service\semsrv. It may or may not resolve, I do not know. As I said I would not be installing this on a DC, I would give SEPM its own fact I would install this on a workstation before I put it anywhere near a DC, but that's just me.

If you're just installing the AV client, it won't require that semsrv account on the DC to the best of my knowledge.


@Learnctx  Thanks for your reply
I am not trying to install SEPM on a DC, I have installed it on a server in the domain. SEPM creates the service accounts on the server where it's installed with the Logon as a service user rights. My issue is that the default domain policy overwrites this so I need to add these service accounts to the Logon as a service policy in the default domain policy. I cannot add these service accounts to the Logon as a service policy in the default domain policy as they are not validated. This is my reason for asking about the process of creating service accounts.

@ferrarista Please don't reply to this thread.

OK, I understand your problem. Your default domain policy would usually be enforced throughout your domain, for best practice. The GPO should have a limited set of policies you want to enforce (like password policies, etc.). If it's enforced you cannot override it. If it is not enforced then you can create a supplemental GPO linked at the OU level you want and override that setting from the default domain policy. If you want the account validated in the GPO you will need to edit the GPO from a machine which has the semsrv account in its local database such as the SEPM server itself. You will then be able to translate the NT Authority\semsrv virtual account into a SID in the GPO and add it into the list of accounts that can log on as a service.
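An added PowerShell example (not from this thread, Symantec or Microsoft) of how to check the situation described above from the SEPM server: it derives the virtual account's SID, which is what the GPO actually stores, confirms that the name only resolves on the host where the service exists, and then checks whether the effective "Log on as a service" right (SeServiceLogonRight) still contains that SID after the domain GPO has applied. The service name semsrv comes from the question; the temp file path is an assumption, and the export step needs an elevated prompt.

```powershell
# Run from an elevated prompt on the server that hosts the service (the SEPM server), not on a DC.
# Assumption: the service name 'semsrv' is taken from the question above.
$ServiceName = 'semsrv'

# A virtual account's SID is deterministic: S-1-5-80- followed by the SHA-1 of the
# upper-cased service name (UTF-16LE), split into five little-endian DWORDs.
# This matches 'sc.exe showsid <name>' and is the value the GPO stores, so it can be
# computed anywhere even though the GPO editor can only *validate* the name where the
# service is installed.
function Get-ServiceAccountSid {
    param([Parameter(Mandatory)][string]$Name)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Name.ToUpperInvariant())
    $hash  = [System.Security.Cryptography.SHA1]::Create().ComputeHash($bytes)
    $subs  = 0..4 | ForEach-Object { [BitConverter]::ToUInt32($hash, $_ * 4) }
    return 'S-1-5-80-' + ($subs -join '-')
}

$sid = Get-ServiceAccountSid -Name $ServiceName

# Cross-check with the local name lookup; this succeeds only where the service exists,
# which is why the name shows as "not validated" when the GPO is edited on a DC.
try {
    $acct     = New-Object System.Security.Principal.NTAccount("NT SERVICE\$ServiceName")
    $resolved = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    "NT SERVICE\$ServiceName resolves locally to $resolved (computed: $sid)"
} catch {
    "NT SERVICE\$ServiceName does not resolve on this host; computed SID is $sid"
}

# Export the effective user-rights assignment (local policy after GPO application) and
# look at SeServiceLogonRight, the internal name of 'Log on as a service'.
$inf = Join-Path $env:TEMP 'user-rights.inf'   # assumption: any writable path is fine
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$grant = Get-Content $inf | Where-Object { $_ -like 'SeServiceLogonRight*' } | Select-Object -First 1
Remove-Item $inf -ErrorAction SilentlyContinue

if ($grant -and ($grant -match [regex]::Escape($sid))) {
    "OK: $sid holds SeServiceLogonRight on this host"
} else {
    "MISSING: $sid lacks SeServiceLogonRight; a domain GPO is probably overriding the local grant"
    "Current assignment: $grant"
}
```

If the last check reports MISSING even though SEPM granted the right at install time, the domain GPO is replacing the local assignment, which is the symptom the question describes; the SID printed here is the one to add in the supplemental GPO.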


Thanks. This is the information that I needed and it resolved my issue.
