You would think that when you added a Windows Server 2012 domain controller to a domain, it would automatically add any security settings into Active Directory and Group Policy that are required for standard Windows components to function properly. You would think that!
But the first time you try to install the Windows Internal Database (WID), probably because you are trying to install Windows Server Update Services (WSUS), you get a cute error message. The System Event Viewer contains the following error and the installation indicates failure and the need to reboot.
The MSSQL$MICROSOFT##WID service was unable to log on as NT SERVICE\MSSQL$MICROSOFT##WID with the currently configured password due to the following error: Logon failure: the user has not been granted the requested logon type at this computer. Service: MSSQL$MICROSOFT##WID Domain and account: NT SERVICE\MSSQL$MICROSOFT##WID This service account does not have the required user right "Log on as a service."
This happens because several accounts that now need the Log on as a service right either did not exist in previous versions of Windows or did not require it. Once again, you would think that dcpromo would update these settings automatically. But sadly, it does not, instead leaving it to us lowly IT peons to perform the task manually.
To edit this setting, open Group Policy Management and edit the Default Domain Policy. Navigate to Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, User Rights Assignment. Edit Log on as a service and add the following groups:
IIS_WPG
NETWORK
NETWORK SERVICE
SERVICE
You may also need to add these groups to the Default Domain Controllers Policy.
Run gpupdate /force on the server in question and then reboot. The installation should now succeed.
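
To confirm the policy actually reached the server before retrying the install, the following added example (not part of the original post) exports the effective user rights with secedit and reports whether each group listed above holds Log on as a service. It assumes an elevated PowerShell session on the affected server; the temporary file name is arbitrary.

```powershell
# Added example: check who holds "Log on as a service" (SeServiceLogonRight)
# on this machine. Run elevated, after gpupdate /force.
$expected = 'IIS_WPG', 'NETWORK', 'NETWORK SERVICE', 'SERVICE'   # groups named in the post

# Export only the user-rights area of the effective local security policy.
$inf = Join-Path $env:TEMP 'user-rights.inf'   # arbitrary temp file name
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# The export holds one line per right, for example:
#   SeServiceLogonRight = *S-1-5-20,*S-1-5-6,SomeAccount
$match = Select-String -Path $inf -Pattern '^SeServiceLogonRight\s*=' |
    Select-Object -First 1
Remove-Item $inf -ErrorAction SilentlyContinue

if (-not $match) {
    Write-Warning 'SeServiceLogonRight is not defined in the exported policy.'
}
else {
    # Entries are either account names or SIDs prefixed with '*'.
    $holders = foreach ($entry in ($match.Line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }   # unresolvable SID: show it raw
        }
        else { $entry }
    }

    'Accounts holding Log on as a service:'
    $holders | Sort-Object | ForEach-Object { "  $_" }

    # Compare on the name after the last backslash (NT AUTHORITY\SERVICE -> SERVICE).
    $leafNames = $holders | ForEach-Object { ($_ -split '\\')[-1] }
    foreach ($name in $expected) {
        [pscustomobject]@{
            Account           = $name
            HasLogonAsService = $leafNames -contains $name
        }
    }
}
```

If an account still shows False after gpupdate /force, the setting is not reaching this server from the policy that was edited.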