NT Authority and NT Service Accounts

Similar Messages

• Query to Find what SQL Server services running, what status and with what service account

  I need to check what SQL Server services are running(engine,agent,IS,AS,RS,browser and Full text) and what is the present status and what service accounts are been used by them on several servers in a single shot.
  Could any one help me in finding a good script for the same.

  I have been looking for the same thing, the issue I am running into is finding the Actual Service Name.  I know this question is old, and I personally do not understand the reply. 
  so Far I have the following:
  DECLARE @ServiceAcount NVARCHAR(128);
  SET @Service = 'No Return Value'
  --MsDtsServer100 (SSIS)
  EXEC master.dbo.xp_regread
  'HKEY_LOCAL_MACHINE',
  'SYSTEM\CurrentControlSet\services\MsDtsServer100',
  'ObjectName',
  @ServiceAccount OUTPUT;
  SELECT @ServiceAccount;
  I am still looking for the correct service naming for Analysis Services, Distributed Replaay Client, Distributed Replay Controller

• Make WDS Service account approve pending devices in WINDOWS DEPLOYMENT SERVICES

  Hi Technet and all other people reading this.
  I am at the moment trying to get a Service account(WDSService) to approve pending devices in Windoes Deployment Services on a WDS server.
  I have created a domain called LALALA.dk on a server(DNS is included in the domain), and installed windows deployment services on another server. The Deployment service is setup to prestage devices, and therefore devices needs to be approved before it can
  be deployed.
  My problem is that at the moment, we are using Domain Admin accounts to do the approving and i wish to change that to a service account, made specially for this job which ofc. should have minimum right. Because i have a very hard time understanding
  why i NEED to grant domain admin rights or local admin rights to a person just so that he can approve pending devices. There has to be a way to use a service account to do the job.
  I have done some research and found out that local admin, domain admins and enterprise admins are the only onces that have the permission to approve pending devices, and that a problem for me, when i want a service account to do it for me(Not automatically)
  but a service account that can name and approve devices manually.
  Here is what i have allready tried.
  1. making WDSService run the Windows Deployment Services (service), but this didnt work because it lacks the permissions needed.
  2. I have given the read+write permissions on the remoteinstall folder, even tried with full control.
  3. Delegate control on the OU in active directory, to create computer object, with full write permissions. I also tried with full control. I added both WDSServer$ and the service account(WDSService) on the OU. Still nothing.
  4. I then downloaded subinacl tool, and granted WDSService account permission to start, stop the service, even tried with full control on the Windows Deployment Service(WDSServer as server_name). I get error 1297 something with priviledge missing from the
  service account to perform the actions. So still nothing. Which is really weird when i ran a command i cant remember now, where i could see that the service account had full permission granted to the service, and still was'nt able to start the service.
  5. I then tried to create a script using WDSUTIL, but was not able to grant the service account permissions to perform the action of approving pending devices. And i dont want to use a script everytime i need to approve a device.
  6. Since the local system account is running the Windows Deployment Service , my thought was to join the WDSService account to the built-in NT AUTHORITY/local system or NT AUTHORITY/local service, this seems impossible from what i experienced, unless you
  are super powershell geek i quess you can, so this option didnt get me anywhere as well.
  6. I then created a gpo granting wdsservice account the "log on as a service" policy on the Windows deployment service Server, still nothing works as attended. I still get error 1297.
  7.I tried copying the registry keys (WDSSERVER) from the HKEY_LOCAL_MACHINE hive on the WDS Server, and imported it into my Domain's registry, but could'nt find the service i wanted to grant permissions to in the group policy settings (computer configuration/policies/windows
  settings/security settings/System Services) I then created a registry entry with group policy (computer configuration/policies/windows settings/security settings/registry) to point to (local machine/system/controlset001/services/WDSServer) and granting
  WDSService account full control and deployed the policy to the Deployment server. Nothing happend and i still cant approve pending devices with my service account.
  from my understanding service account where created to maintain small certain tasks or actions with limited permissions, so if comprimised they could only do very little damage, and so that this account can be setup to perform the tasks without any administation
  of the account. So my question is, is it even possible to achieve what i want = granting a service account the permission to perform the action of approving pending devices on a Windows Deployment Server, and if so how ? 
  I am so confused over this and I am really reaching the limits of my understanding of this.
  Help is very much appreciated.
  Henrik Larsen

  Hi ZeR1X,
  The Require Administrator approval is for unknown computers.
  The similar thread:
  WDS - Request administrator approval not working
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/b9088be7-7afe-4e2b-b5fb-4554a92c4a2a/wds-request-administrator-approval-not-working
  More information:
  Windows Deployment Service fails to start with error information of 0x5
  http://support.microsoft.com/kb/2009647
  WDS 3.01 Troubleshooting Guide
  http://technet.microsoft.com/en-us/library/cc754828(v=ws.10).aspx
  I’m glad to be of help to you!
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Installation of sql2012(Service Accounts)

  Hi everyone, i am doing sql server 2012 setup. the credentials i am using is domain admin.
  during the configuration of service accounts i am confused.
  in earlier versions of sql i configured using local system account(NT Authority/System Account) and i did not face any issues.
  but with sql 2012 i am confused. do i need to associate all the services with the account i am installing or
  i can assign local system account. if i can assign local system account  please do guide me how to assign. OR
  should i proceed with default installation. my other admins should not face any issues in my absense if they login to the db though they have domain admin privileges.
  please do guide me with the service accounts

  Thanks alot for all your support i have created a service account . please do check the screenshot and tell me is this the right way to install sql. this is how i am setting up service accounts. what is distributed replay controller and client
  Service                                                             Account Name        
         Startup
  SQL Server Agent                                       mydomain\myservice account  Automatic
  SQL Server Database Engine                     mydomain\myservice account  Automatic
  SQL Server Analysis Enginer                      mydomain\myservice account  Automatic
  SQL Reporting Services                              mydomain\myservice account  Automatic
  SQL Server Integration Services                mydomain\myservice account  Automatic
  SQL Server Distributed Dist Replay Client  NT AUTHORITY\LOCAL SERVICE   manual
  SQL Server Dist Replay Controller              NT AUTHORITY\LOCAL SERVICE   manual
  SQL Full-tesx Filter Deamon Launcher        NT Service\MSSQLFDLauncher@.. manual
  SQL Server Browser                                   NT AUTHORITY\LOCAL SERVICE   Disable
  Seem ok  to me.If you want reference link please refer to below link for SQL Server 2012 installation.
  How to install SQL server 2012
  Please mark this reply as the answer or vote as helpful, as appropriate, to make it useful for other readers
  My TechNet Wiki Articles

• Changing the password of scom services account.

  hello experts,
  I have installed Single  SCOM Management Server with following services accounts , all the Domain Users account :
  Action Account
  Data Access Service
  Data Reader
  Data Ware Write Service
  also monitoring some of Computers.
  But now I have to change password of all these accounts  from AD,then I wants to know :-
  1. Where change the Password of  these Services Account on SCOM Management server.
  2.Are changing the passwords will effect the working of SCOM and monitoring of computer which are currently under monitoring of scom.

  1. Action account
     http://technet.microsoft.com/en-us/library/hh456432.aspx
  2. Data Access Service and Configuration Service account
    http://technet.microsoft.com/en-us/library/hh456438.aspx
  3. data Reader: reporting services configuration manager --> modify the following acouunts password , Report server service account , curent report server database credential, execution account
  roger

• Changing Reporting Services Account via SMO

  I am in the process of changing our Service Accounts to use virtual accounts in place of using local accounts.  I am using SMO to change the SQL Server, SQL Server Agent and Analysis Services accounts to the virtual account and works great.  Question
  I have, can the Reporting Services account be changed via SMO without disrupting Reporting Services?  In the past, an DBA change the reporting services account password without going through Reporting Services Configuration manager, and we lost all of
  the data sources for the reports.  I was wondering whether or not using SMO will result in the same thing happening or not.
  Thanks.
  DJ

  I've not tried this on SSRS but the below link talks about your problem. I would recommend you to have rollback plan in case of any issues. Try this on less critical servers.
  http://www.the-fays.net/blog/?tag=powershell
  --Prashanth

• Service Accounts in Sharepoint 2013

  Ok in SharePoint 2013, we have an intranet set up. Ok so on the central administration page, under Security, and configure service accounts, I selected Farm Account for the drop down menu at the top. We have 3 managed accounts for the intranet, which are
  sp_farm, sp_serviceapp, and sp_webapp. Now by mistake, I selected the sp_serviceapp for the (select an account for this component) and clicked ok. Now when I go to change it back to sp_farm, it gives me an error page, it says the website declined to show this
  webpage, and most likely causes: this website requires you to login. And it doesn't change it back. Would someone please let me know how I can change the component account for my farm account from sp_serviceapp to sp_farm? Thank you.

  If i understand this correctly you created a web application using the sp_farm account as the managed account for that application pool. WHen you tried to change it to another account the web application fails to load.
  If you've done it through Central Admin then that should just work, as described here:
  http://blog.morg.nl/2011/07/changing-the-identity-for-a-sharepoint-2010-application-pool-2/
  Or have i misunderstood what you've changed the various accounts for?

• Which service accounts should SP2010 use?

  I'm getting the "Server farm account should not be used for other services" error for the following services:
  80 (Application Pool)
  SPUserCodeV4(Windows Service)
  OSearch14(Windows Service)
  Web Analytics Data Processing Service(Windows Service)
  But when I go to the Manage Service Accounts page, the only two account options I see are Local Service and Network Service. Which one should I use?

  Hi ,
  Please create a domain account from your Active Directory server, then add this AD account as a managed account from SharePoint 2010 Central Administration site->"Configure managed accounts" page, then on the "Configure
  service accounts" page, you can select this managed account for your SharePoint service or service application.
  http://sharepointv15.wordpress.com/2012/07/19/creating-managed-account-in-sharepoint-2013-9-2/
  http://blog.falchionconsulting.com/index.php/2010/10/service-accounts-and-managed-service-accounts-in-sharepoint-2010/
  Thanks
  Daniel Yang
  TechNet Community Support

• Find active service accounts

  I inherited an Exchange 2010 environment that was upgraded from Exchange 2003.  I believe there is at least one Exchange service account that is not needed, is a domain admin, and I'd like to remove.  What is the best way to determine this without
  just disabling it and seeing what happens?

  Exchange hasn't used service accounts since Exchange 5.5.  I'd check to see which accounts are both members of the domain admins group, have Exchange Full Admins rights, and are service accounts.  And I'd disable it.
  However, I get the feeling that you have applications that use service accounts?  I'd still do the above, but then I'd turn on Exchange's auditing (both mailbox and administrative) and check to see what actions that account was being used for. 
  (Admin auditing is set with Set-AdminAuditLogConfig, and mailbox auditing is set with Set-Mailbox -AuditEnabled:$True ...)

• Service Accounts for Browser Services and FD Launcher (Full-text Search)

  I am setting up SQL Failover Clustering (Version: 2012SP1) on Windows 2012. There are 2 options to configure the service account for Browser Services and FD Launcher :
  Option 1) Using separate domain accounts, as what I have done for DB Engine and SQL Agent.
  Option 2) accept the default, which is  local service for
  browser, and virtual account for
  FD Launcher. Per documentation URL: http://msdn.microsoft.com/en-us/library/ms143504.aspx
  which is the recommended one? is it option 2?
  There is security note on above URL as well, but does not clearly mention that option 1 is not recommended.
  Security Note:  Always run SQL Server services by using the lowest possible user rights. Use a
  MSA or
  virtual account when possible. When MSA and virtual accounts are not possible, use a specific low-privilege user account or domain account instead of a shared account for SQL Server services. Use separate accounts for different SQL Server services. Do not
  grant additional permissions to the SQL Server service account or the service groups. Permissions will be granted through group membership or granted directly to a service SID, where a service SID is supported.

  Hi Luo Donghua,
  In SQL Server Brower, the default logon account is NT Authority\Local service and cannot be changed during SQL Server setup.SQL Server Browser is not a clustered resource and does
  not support failover from one cluster node to the other. SQL Server Browser should be installed and
  turned on for each node of the cluster. SQL Server Browser should be run in the security context of a low privileged user to minimize exposure to a malicious attack.
  You can change the account after the setup has been completed; For more information, see:http://msdn.microsoft.com/en-us/library/hh510203.aspx.
  In SQL Server full text filter daemon launcher, on Windows Vista and Windows Server 2008, the FDHOST Launcher service account also defaults to LOCAL SERVICE. If you provide a domain account in which to run the FDHOST Launcher service, we highly recommend
  that you use a low privilege account. On Windows 7 and Windows Server 2008R2 , we use Virtual Account or Managed Service account(MSA) in FD Launcher . We also need to note the account you used for
   FD Launcher should be different from the account that you use for the SQL Server service. For more information, see:
  http://msdn.microsoft.com/en-us/library/cc281953(v=sql.100).aspx
  So I recommend you use the option 2 to configure the service account for Browser Services and FD Launcher.
  Thanks,
  Sofiya Li
  Sofiya Li
  TechNet Community Support

• Network Service account and Exchange 2013 services

  I installed Exchange 2013 CU8 on two 2012 R2 machines, but the services that run under Network Service for Exchange won't start. If I put Network Service in the local admin group, the services start. Prior to putting it in the admin group, I gave it full
  permission on all Exchange folders, but that didn't help...thanks.

  Hi,
  Please run “setup.com /preparedomain” and see if the permission are set to default and the issue persists.
  Please add Read permission for NT AUTHORITY\Network Service to all Exchange servers in ADSIEdit to have a try:
  Expand CN=Configuration,DC=domain,DC=.com > CN=Services > CN=Microsoft Exchange > CN=Domain > CN= Administrative Groups > CN=(Group name) > CN=Servers. Right-click all Exchange service, and add Read permission for NT AUTHORITY\Network Service
  account.
  Regards,
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Winnie Liang
  TechNet Community Support

• After getting a new desktop I downloaded iTunes and authorized my new computer and then de-authorized my old one,  When I try to update my 5S it says my phone is not authorized and list my wifes email address as the account holder and not mine.  How

  After getting a new desktop I downloaded iTunes and authorized my new computer and then de-authorized my old one,  When I try to update my 5S it says my phone is not authorized and list my wifes email address as the account holder and not mine.  How do I correct this. I am using Windows 8.1 .  My wife has never had an iTuunes account

  Hello Lakesidetom,
  It sounds as though you are experiencing an issue with an Apple ID and authorizations. Based on your post, it sounds like you are familiar with the authorizing and deauthorizing process. The Apple ID in question (your wife's email) may be originating from the iPhone you are attempting to update. Is it possible that your wife created an Apple ID or iCloud account which is signed in on that iPhone? Below, I have included links to some resources that may help you determine if your wife has created an Apple ID:
  How to find your Apple ID - Apple Support
  Use these steps if you forgot your Apple ID or aren't sure that you have one.
  Apple - My Apple ID
  If you can't remember your Apple ID, just provide us with some information and we'll find it for you. Then we'll help you reset your password.
  Thank you for contributing to Apple Support Communities.
  Cheers,
  Bobby_D

• How to add a service account in SQL Server to display the "Service Account Name" and "Display Name"

  Can someone
  help with steps on how to add the following in SQL Server 2012 environments?<o:p></o:p>
  "Service Account Name" and "Display Name"<o:p></o:p>
  Your help will be greatly appreciated.<o:p></o:p>
  leonie6214

  Hello,
  Is the following article what you are looking for?
  http://msdn.microsoft.com/en-us/library/ms345578.aspx
  If not, could you explain a little bit more what you want to accomplish?
  Hope this helps.
  Regards,
  Alberto Morillo
  SQLCoffee.com

• I have 5 devices authorized to my itunes account. 2 of them crashed but I am unable to authorize my new pc. From what I can see it looks like I may have to "deauthorize all" and then re authorize my current devices? Please help!

  I have 5 devices authorized to my itunes account. 2 of them crashed long ago.  Now that I have a new pc, I am unable to authorize it.  I think from what I've read that I should "deauthorize all" and then go back and authorize my current 3 devices.  Is this correct?  I have tons of music and need to make sure I won't lose anything.  I would sure appreciate the help!  Thanks!!!

  No that is not correct.
  Devices do not count toward the 5.  Authorization is only for computers, not iphone/ipod/ipad/Apple tv.
  You do not authorize or deauthorize devices at all.
  If you have reached the limit of 5 authorized COMPUTERS, then deauthorize all and the authorize the active COMPUTERS.

• EWS API - Impersonating to update a calendar item created by any other user than a service account, raise an error "Access is denied. Check credentials and try again."

  Hi,
  I am new to using EWS managed APIs.
  Following is the issue:
  1. I am using a service account e.g. [email protected]. This user is a global administrator and also has ApplicationImpersonation role assigned. (Sign into Online Office 365 account -> Admin -> select "Exchange" tab- > select Permissions
  on the left panel -> create an impersonation role -> assign ApplicationImpersonation in Roles: and [email protected] in Members: -> Click on save)
  2. Create a calendar item by other user for e.g. [email protected], and invite an attendee - [email protected].
  3. In a c# program, I connect to EWS service using a service account - [email protected], fetch its calendar events. If organizer of an event is some other user - [email protected] then
  I use impersonation in the following way to update the calendar event/item properties- subject, body text etc.
          private static void Impersonate(string organizer)
              string impersonatedUserSMTPAddress = organizer;
              ImpersonatedUserId impersonatedUserId =
                  new ImpersonatedUserId(ConnectingIdType.SmtpAddress, impersonatedUserSMTPAddress);
              service.ImpersonatedUserId = impersonatedUserId;
  4. It was working fine till yesterday afternoon. Suddenly, it started throwing an exception "Access is denied. Check credentials and try again." Whenever I try to
  update that event.
         private static void FindAndUpdate(ExchangeService service)
              CalendarView cv = new CalendarView(DateTime.Now, DateTime.Now.AddDays(30));
              cv.MaxItemsReturned = 25;
              try
                  FindItemsResults<Item> masterResults = service.FindItems(WellKnownFolderName.Calendar, cv);
                  foreach (Appointment item in masterResults.Items)
                      if (item is Appointment)
                          Appointment masterItem = item as Appointment;
                          if (!masterRecurEventIDs.Contains(masterItem.ICalUid.ToString()))
                              masterItem.Load();
                              if (!masterItem.Subject.Contains(" (Updated content)"))
                                  //impersonate organizer to update and save for further use
                                  Impersonate(masterItem.Organizer.Address.ToString());
                                  // Update the subject and body
                                  masterItem.Subject = masterItem.Subject + " (Updated content)";
                                  string currentBodyType = masterItem.Body.BodyType.ToString();
                                  masterItem.Body = masterItem.Body.Text + "\nUpdated Body Info:
  xxxxxxxxxxxx";
                                  // This results in an UpdateItem operation call to EWS.
                                  masterItem.Update(ConflictResolutionMode.AutoResolve);
                                  // Send updated notification to organizer of an appointment
                                  CreateAndSendEmail(masterItem.Organizer.Address.ToString(), masterItem.Subject);
                                  masterRecurEventIDs.Add(masterItem.ICalUid.ToString());
                              else
                                  Console.WriteLine("Event is already updated. No need to update again.:\r\n");
                                  Console.WriteLine("Subject: " + masterItem.Subject);
                                  Console.WriteLine("Description: " + masterItem.Body.Text);
              catch (Exception ex)
                  Console.WriteLine("Error: " + ex.Message);
  5. What could be an issue here? Initially I thought may be its a throttling policy which is stopping same user after making certain API call limits for the day, but I am still seeing this issue today.
  Any help is appreciated.
  Thanks

  Your logic doesn't sound correct here eg
  2. Create a calendar item by other user for e.g. [email protected], and invite an attendee - [email protected]
  3. In a c# program, I connect to EWS service using a service account - [email protected], fetch its calendar events. If organizer of an event is some other user - [email protected] then
  I use impersonation in the following way to update the calendar event/item properties- subject, body text etc.
  When your connecting to [email protected] mailbox the only user that can make changes to items within
  abccalendar is abc (or ABC's delegates). If your impersonating the Organizer of the appointment pqr that wouldn't work unless the organizer had rights to abc's calendar. If you want to make updates to a calendar
  appointment like that you should connect to the Organizers mailbox first update the original, send updates and then accept the updates.
  When you impersonate your impersonating the security context of the Mailbox your impersonating so its the same a logging on as that user in OWA or Outlook.
  Cheers
  Glen