Description:
You want to use a group Managed Service Account (gMSA) on multiple domain in your forest. You also have Group Policy that managed the User Rights Assignment setting on Active Directory. You need to add NT Service\All Services to those User Rights Assignment policy.
Resolution:
- Open up Group Policy Manager, and edit the Group Policy. Example is the “Default Domain Controller Policy” if you want to modify the user Rights Assignment at Domain Controllers.
- Navigate down to “Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment”
- Edit the “Log on as a service” properties and ensure the box next to “Define these policy settings:” is ticked. Click “Add User or Group” and manually type “NT SERVICE\ALL SERVICES” (Do Not Click Browse)
- Click OK twice
- Close the Group Policy Manager
No comments:
Post a Comment