How to Add NT Service\All Services group to Active Directory User Rights Assignment

Description:

You want to use a group Managed Service Account (gMSA) on multiple domain in your forest. You also have Group Policy that managed the User Rights Assignment setting on Active Directory. You need to add NT Service\All Services to those User Rights Assignment policy.

Resolution:

1. Open up Group Policy Manager, and edit the Group Policy. Example is the “Default Domain Controller Policy” if you want to modify the user Rights Assignment at Domain Controllers.
2. Navigate down to “Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment”
3. Edit the “Log on as a service” properties and ensure the box next to “Define these policy settings:” is ticked. Click “Add User or Group” and manually type “NT SERVICE\ALL SERVICES” (Do Not Click Browse)
4. Click OK twice
5. Close the Group Policy Manager

Red X or Cross on Network Connection Icon - Windows 2008 R2

Description:

You found there's a Red X or Cross on Network Connection Icon.
Found some services stopped and cannot be started with access denied error.

Resolutions:

Ø  Check and add the registry permissions on the following key: 

•Regarding the BFE service, we have given “NT Service\BFE” account the following allow permissions on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE:

Query Value

Set Value

Create Subkey

Enumerate Subkeys

Notify

Read Control 

•Regarding the NLA service, we have given “NT Service\NLASvc” account the following allow permissions on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NLASvc:

Query Value

Set Value

Create Subkey

Enumerate Subkeys

Notify

Read Control

•Regarding the DPS service, we have given “NT Service\DPS” account the following allow permissions on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DPS:

Query Value

Set Value

Create Subkey

Enumerate Subkeys

Notify

Read Control

Also it was necessary to give the same permissions to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WDI\Config

• Regarding the Windows Firewall service, we have given “NT Service\mpssvc” account the following allow permissions on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mpssvc:

Query Value

Set Value

Create Subkey

Enumerate Subkeys

Notify

Read Control

Also it was necessary to give the same permissions to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess

•Regarding the DHCP Client service, we have given Local Service account full control permissions on:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCP

•Regarding the Distributed Transaction Coordinator, we have given “NT Service\MSDTC” account the following allow permissions on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDTC:

Query Value

Set Value

Create Subkey

Enumerate Subkeys

Notify

Read Control

Also it was necessary to add Network Service account with “read, write, read & execute”  permissions to the file C:\WINDOWS\system32\MSDtc\MSDTC.LOG

> All of the services can be started after adding the security permission. Restart the computer to make sure.

Note:
If the issue happens again ,you may want to check for the group policy, or local policy, or application that modified the security permission on those above registry.