Domain – Logon as a Service overwritten by Default Domain Policy

Tags: active-directory, domain, domain-controller, group-policy, service

First things first:

Some months ago I was installing a WSUS Server on a W2k12 R2 in a domain environment, and the installation was failing because a service wasn't able to log on after the Post-Installation routine.
After a bit of troubleshooting and searching I found a solution on the internet which said that I should change some settings in the Default Domain Policy, which I did. Here is the link for interest:

  1. WSUS roles install on Server 2012 Fails
  2. Second solution

I added the "NT SERVICE\ALL SERVICES" to "Logon as a Service" in the Default Domain Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignments > Logon as a Service) and everything was working and the WSUS was installed successfully.

Now I noticed that the Default Domain Policy has overwritten the "Logon as a Service" setting on EVERY domain machine (Exchange, SQL Server, PC and more…), so the older settings, e.g. (MSSQL$SQLEXPRESS, IIS APPPOOL.NET 4.5), were overwritten globally and don't show up now.

To the problem:
I need to revert everything back now and I have no clue what could happen.

So my questions are:

  1. How dangerous is it to revert back to the old settings, what could possibly happen?
  2. Did every domain machine make a local backup of its previous settings?
  3. If so, do the settings automatically change to the old ones after reverting back to empty settings (default)?
  4. Is there any solution without damaging something?

Many thanks in advance.

Best Answer

I know it's an old question, but the last answer/comments are wrong (at least for Windows 7 and Server 2012).

I applied a 'User Rights Assignment' to 'Log on as a Service' on the domain GPO, and noticed that the local policy does not merge with the domain policy. So on the local computer 'NT SERVICE\ALL SERVICES' was replaced by the setting from the domain policy.

I deleted/unlinked the domain policy, and the original local policy returned.
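
The replace-not-merge behaviour described in the answer above, as an added example that is not part of the original post: it parses the `[Privilege Rights]` section of two constructed INF snippets (the layout of a `secedit /export` file and of a GPO's `GptTmpl.inf`) and lists which principals lose `SeServiceLogonRight` once the domain policy defines that right. The sample account names and the function names are assumptions made for illustration.

```python
# Added example: models replace (not merge) semantics for a user right.
# Both INF snippets are constructed samples, not output from a real machine.
LOCAL_INF = r"""
[Privilege Rights]
SeServiceLogonRight = *S-1-5-80-0,NT SERVICE\MSSQL$SQLEXPRESS,IIS APPPOOL\DefaultAppPool
SeBatchLogonRight = *S-1-5-32-544
"""

GPO_INF = r"""
[Privilege Rights]
SeServiceLogonRight = *S-1-5-80-0
"""

def privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # "Right =" with nothing after it means defined but granted to no one.
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def effective_after_gpo(local, gpo):
    """Rights the GPO defines replace the local list; undefined rights stay local."""
    result = dict(local)
    result.update(gpo)
    return result

def dropped_principals(local, gpo, right="SeServiceLogonRight"):
    """Principals that hold the right locally but lose it once the GPO applies."""
    if right not in gpo:
        return []
    kept = {p.lower() for p in gpo[right]}
    return [p for p in local.get(right, []) if p.lower() not in kept]

if __name__ == "__main__":
    local, gpo = privilege_rights(LOCAL_INF), privilege_rights(GPO_INF)
    print("effective:", effective_after_gpo(local, gpo))
    print("dropped:", dropped_principals(local, gpo))
```

Running the comparison against each server's exported rights before linking a policy that defines a user right shows which service accounts would need to be added to the GPO.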