
I had a problem where newly created Managed Service Accounts did not have "Logon as a service" right. A GPO was excluding "NT SERVICE\ALL SERVICES" from "Logon as a service". This was fixed.

Am I right in thinking that Install-ADServiceAccount adds the MSA account to "NT SERVICE\ALL SERVICES"?

leancz

1 Answer


Yes and no.

ALL SERVICES is a well-known security identifier, whose membership is implicit based on rules that are hard-coded into the operating system. That is, you can't add or remove users, the security identifier is assigned automatically to the appropriate users or in the appropriate situation.

(For example, Local account is automatically assigned to all local accounts, and Interactive is assigned if you are logged in interactively whereas Network applies instead when you are accessing a network share. Process Explorer, available from the Microsoft web site, is a convenient way of checking the security identifiers corresponding to any given process; look in the Security tab of the Properties dialog.)

The SID for ALL SERVICES is S-1-5-80-0 and the description in KB243330 says:

SID S-1-5-80-0 = NT SERVICES\ALL SERVICES

Name: All Services

Description: A group that includes all service processes that are configured on the system. Membership is controlled by the operating system.

This suggests that the identifier is granted to any process running as a service. This is not the case. There is a well-known security identifier that is granted to any service, but that is S-1-5-6, NT AUTHORITY\SERVICE.

It appears that what ALL SERVICES actually means is all service accounts.

This includes virtual accounts (I've checked) as well as managed service accounts. However, it should be noted that it does not include either NETWORK SERVICE or LOCAL SERVICE as might be expected.
In summary, Install-ADServiceAccount does not explicitly add the new account to ALL SERVICES but the upshot is the same; any new managed service account you create will be a member.

Harry Johnston
  • How to grant `Logon as a service` right to `NT SERVICE\ALL SERVICES`? On Windows Server 2019, I tried `Local Policy Editor` but `NT SERVICE\ALL SERVICES` doesn't match on check name. I know it can be added because I've seen it on other servers. – BaltoStar Aug 16 '22 at 04:39
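An added example (not part of the answer above) that audits which principals currently hold the "Log on as a service" right on the local machine and reports, by SID rather than by name, whether NT SERVICE\ALL SERVICES (S-1-5-80-0) and NT AUTHORITY\SERVICE (S-1-5-6) are among them. It assumes an elevated prompt and uses a temp file path of my choosing for the secedit export.

```powershell
# Added example: audit SeServiceLogonRight holders via a local-policy export.
# Run from an elevated PowerShell prompt; the temp file path is an assumption.

function Get-ServiceLogonRightHolders {
    $cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
    # Export only the user-rights area of the local security policy
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed (run elevated)' }
    try {
        $line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
        if (-not $line) { return @() }   # right not assigned to anyone
        $entries = ($line -split '=', 2)[1].Trim() -split ','
        foreach ($e in $entries) {
            $e = $e.Trim()
            if ($e.StartsWith('*')) {
                # secedit writes SIDs prefixed with '*'; translate to a name where possible
                $sid = New-Object System.Security.Principal.SecurityIdentifier ($e.Substring(1))
                try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = '(unresolved)' }
                [pscustomobject]@{ Sid = $sid.Value; Name = $name }
            } else {
                [pscustomobject]@{ Sid = $null; Name = $e }  # already a plain name
            }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

$holders = Get-ServiceLogonRightHolders
$holders | Format-Table -AutoSize

# S-1-5-80-0 = NT SERVICE\ALL SERVICES (service accounts, incl. MSAs and virtual accounts)
# S-1-5-6    = NT AUTHORITY\SERVICE   (any process running as a service)
foreach ($sid in 'S-1-5-80-0', 'S-1-5-6') {
    $present = @($holders.Sid) -contains $sid
    $label = (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
                 [System.Security.Principal.NTAccount]).Value
    '{0,-30} {1,-12} holds SeServiceLogonRight: {2}' -f $label, $sid, $present
}
```

Because the check is keyed on the SID string, it works even on hosts where the policy editor will not resolve the well-known name, and a GPO that drops S-1-5-80-0 from this right (the root cause described in the question) shows up immediately as `False`.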