Recently, I found a neat little trick using dbatools to update the service accounts for the SQL Server engine and agent services. It is generally good security practice to run these services under a dedicated domain account, because the default Local System account has far more privileges than the services need. The great thing about this method is that it behaves like changing the account in SQL Server Configuration Manager: the process grants the service account the minimum permissions it requires, and you don't need to do a thing!
$cred = Get-Credential domain\serviceaccount
Get-DbaService -ComputerName sqlserver01 | Out-GridView -Passthru | Update-DbaServiceAccount -ServiceCredential $cred
Soon after I ran this, I got an error that the account could not be set. I was able to revert to the Local System account and start the services again. Then I went on to investigate the root cause of the error. I made sure the account was not locked out and that the password was correct. Finally I looked at the System log in Event Viewer on the server. Bingo, now we are getting somewhere. This is the error I saw:
The MSSQLSERVER service was unable to log on as domain\ServiceAccount with the currently configured password due to the following error:
Logon failure: the user has not been granted the requested logon type at this computer.
Service: MSSQLSERVER
Domain and account: domain\ServiceAccount
This service account does not have the required user right "Log on as a service."
User Action
Assign "Log on as a service" to the service account on this computer. You can use Local Security Settings (Secpol.msc) to do this. If this computer is a node in a cluster, check that this user right is assigned to the Cluster service account on all nodes in the cluster.
If you have already assigned this user right to the service account, and the user right appears to be removed, check with your domain administrator to find out if a Group Policy object associated with this node might be removing the right.
I opened the local security policy on the server (run secpol.msc) and found that the account was not listed in the user rights assignment named "Log on as a service". After talking to the systems engineer, I found out that the server's security settings are managed through a GPO. We had them update the GPO to include the service account in that policy. Once the GPO took effect, we were able to run the dbatools command above and set the service account successfully.
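The "Log on as a service" right is easy to check before touching the service at all, which avoids the failed switch and the rollback described above. The following is an added example, not code from the original post or from dbatools: it exports the effective local security policy with secedit (which reflects rights pushed by GPO), looks for the account's SID in the SeServiceLogonRight entry, and only then runs the same dbatools pipeline. The computer name sqlserver01 and the account domain\serviceaccount are placeholders, and it assumes you can run Invoke-Command as an administrator on the target.

```powershell
# Added pre-flight check (not part of the original post or of dbatools):
# confirm that a service account holds SeServiceLogonRight ("Log on as a service")
# on the target computer before calling Update-DbaServiceAccount.
# Assumptions: 'sqlserver01' and 'domain\serviceaccount' are placeholders; WinRM is
# enabled on the target and the caller is a local administrator there.

function Test-ServiceLogonRight {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $Account      # e.g. 'domain\serviceaccount'
    )

    Invoke-Command -ComputerName $ComputerName -ArgumentList $Account -ScriptBlock {
        param($Account)

        # secedit lists principals mostly as *SID, so resolve the account to its SID first.
        $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value

        # Export the effective user-rights policy (includes settings applied by GPO).
        $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
        try {
            secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
            # secedit writes a UTF-16 file; read it explicitly as Unicode.
            $line = Get-Content -Path $cfg -Encoding Unicode |
                    Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
        }
        finally {
            Remove-Item -Path $cfg -ErrorAction SilentlyContinue
        }

        # The entry looks like: SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...-1001,domain\user
        $holders = @()
        if ($line) {
            $holders = ($line -split '=', 2)[1].Trim() -split ',' |
                       ForEach-Object { $_.Trim().TrimStart('*') }
        }

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Account      = $Account
            Sid          = $sid
            HasRight     = ($holders -contains $sid) -or ($holders -contains $Account)
            Holders      = $holders
        }
    }
}

# Usage: refuse to change the service account until the right is confirmed present.
$check = Test-ServiceLogonRight -ComputerName sqlserver01 -Account 'domain\serviceaccount'
if (-not $check.HasRight) {
    Write-Warning "$($check.Account) lacks 'Log on as a service' on $($check.ComputerName); have the GPO updated first."
}
else {
    $cred = Get-Credential domain\serviceaccount
    Get-DbaService -ComputerName sqlserver01 | Out-GridView -Passthru |
        Update-DbaServiceAccount -ServiceCredential $cred
}
```

The Holders list in the returned object is useful when the right was assigned locally but keeps disappearing: if the account is absent from the exported policy even though someone added it in secpol.msc, the GPO is overwriting the setting, exactly the situation the event log text describes. Run the check again after the GPO refresh (or after gpupdate /force on the node) before retrying the service account change.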
Obviously, setting the service account this way also requires restarting the services for the change to take effect. Hope you enjoyed this!