As you know, the SharePoint Farm Account must have the privilege to log on locally for the “User Profile Service Application” to work.
Today I created a PowerShell script that adds the given account to the “Allow Logon Locally” privilege in the Local Security Policy.
1. My account is “DOMAIN\sp_farm”
2. I start “secpol.msc” (“Local Security Policy”) on the local farm server
3. I’m looking for “Allow Logon Locally”. The account “sp_farm” is not in this setting.
4. I execute the script to add the account.
5. Then I reload the “Local Security Policy” or close and reopen the MMC.
6. Now the account is in the setting:
You can download the script here:
This is the script:
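An added example, not the author's script: one way to grant the right with the built-in `secedit` tool, exporting the user rights, appending the account's SID to `SeInteractiveLogonRight`, and applying the result. The function name and temp file names are hypothetical, and the domain controller guard is an added precaution based on the comment below.

```powershell
# Added example (not the original author's script). Function name and temp file
# names are hypothetical. Run from an elevated PowerShell session.
function Add-LogonLocallyRight {
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'DOMAIN\sp_farm'

    # A commenter reports that on a DC the change reached domain-wide policy,
    # so refuse to run there. DomainRole 4/5 = backup/primary domain controller.
    $role = (Get-CimInstance Win32_ComputerSystem).DomainRole
    if ($role -ge 4) { throw 'Refusing to run on a domain controller.' }

    # Resolve the account to a SID; secedit templates list rights as *SID entries.
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value

    $export = Join-Path $env:TEMP 'userrights-export.inf'
    $import = Join-Path $env:TEMP 'userrights-import.inf'
    $db     = Join-Path $env:TEMP 'userrights.sdb'
    try {
        secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }

        # Keep every existing holder of the right exactly as exported.
        $line = Get-Content $export | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
        $current = @()
        if ($line) { $current = ($line -split '=', 2)[1].Split(',').Trim() | Where-Object { $_ } }
        if ($current -contains "*$sid") {
            Write-Output "$Account already holds SeInteractiveLogonRight."
            return
        }
        $updated = @($current) + "*$sid"

        # Minimal security template that sets only this one right.
        @(
            '[Unicode]', 'Unicode=yes',
            '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
            '[Privilege Rights]',
            "SeInteractiveLogonRight = $($updated -join ',')"
        ) | Set-Content -Path $import -Encoding Unicode

        secedit /configure /db $db /cfg $import /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit configure failed ($LASTEXITCODE)" }
        Write-Output "Granted SeInteractiveLogonRight to $Account ($sid)."
    }
    finally {
        Remove-Item $export, $import, $db -ErrorAction SilentlyContinue
    }
}
```

Call it as `Add-LogonLocallyRight -Account 'DOMAIN\sp_farm'`, then reload the Local Security Policy as in step 5 to confirm the entry.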
After I ran the script on a local DC it worked, but it has changed the entire organization's Default Domain Controller group policy.
I was sure it would change only the local specific DC.
Thank you Ingo! This just helped me on a W2012 and a W2016 server to temporarily override GPO-set rights for local testing purposes before changing same through the AD.
I easily switched your script to another of the SeSomethingSomethingRight’s to have it deal with other rights. (Used this list: https://docs.microsoft.com/en-us/windows/win32/secauthz/account-rights-constants?redirectedfrom=MSDN)