I have a Windows Internal Database installation running with its default settings. I have the required "Logon as a service" permissions configured as follows:

Administrators
ALL SERVICES
LOCAL SERVICE
NETWORK SERVICE
NT SERVICE

After the first server restart since the SQL installation, the service fails to start. I add an entry for NT SERVICE\ALL SERVICES in the service logon permissions and everything works again. What I don't quite grasp is why NT SERVICE\ALL SERVICES wouldn't already be included with either the NT SERVICE or the ALL SERVICES entry.

Technically the service is configured to log on as NT SERVICE\MSSQL$MICROSOFT##WID, so there is a backslash after NT SERVICE, but I don't think that would be the actual root cause here.

lapingultah

1 Answer

ALL SERVICES is not by itself a valid name, so I expect it is being ignored:

C:\working>icacls test /grant "ALL SERVICES":(OI)(CI)(F)
ALL SERVICES: No mapping between account names and security IDs was done.
Successfully processed 0 files; Failed processing 1 files

C:\working>icacls test /grant "NT SERVICE\ALL SERVICES":(OI)(CI)(F)
processed file: test
Successfully processed 1 files; Failed processing 0 files

NT SERVICE is described in KB243330 as "an NT Service account prefix" and prefixes do not normally have any meaning by themselves; it is recognized as a valid name (which surprises me) but I don't believe it has any members. So it is not surprising that this was not sufficient.

NT SERVICE\ALL SERVICES is the correct way to permit virtual service accounts to log in.

Harry Johnston
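The point of the answer is that "ALL SERVICES" and "NT SERVICE" on their own are not account names that resolve to a SID, whereas "NT SERVICE\ALL SERVICES" resolves to the well-known SID S-1-5-80-0. The following PowerShell script is an added example and is not part of the original question or answer: it translates each name from the question's list to a SID the same way icacls does (via LSA name lookup), then exports the local security policy with secedit and checks whether the "Log on as a service" right (SeServiceLogonRight) actually contains S-1-5-80-0. It assumes an elevated session on the host where the WID service MSSQL$MICROSOFT##WID is installed; the temp file name is the script's own choice.

```powershell
# Added example (not from the original post). Shows which of the names from the
# question resolve to a SID, and whether SeServiceLogonRight contains
# NT SERVICE\ALL SERVICES (S-1-5-80-0). Assumes an elevated PowerShell session
# on the machine running the WID service.

$names = @(
    'Administrators',
    'ALL SERVICES',                      # not a valid account name on its own
    'NT SERVICE',                        # the prefix alone; resolves but has no members
    'NT SERVICE\ALL SERVICES',           # well-known SID S-1-5-80-0
    'NT SERVICE\MSSQL$MICROSOFT##WID'    # per-service SID, exists only where the service is installed
)

foreach ($name in $names) {
    try {
        # NTAccount.Translate calls LookupAccountName, the same lookup icacls uses.
        $sid = ([System.Security.Principal.NTAccount]$name).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        '{0,-35} -> {1}' -f $name, $sid
    } catch {
        '{0,-35} -> (no mapping between account names and security IDs)' -f $name
    }
}

# Export only the user-rights area of the local policy and read the
# SeServiceLogonRight line. secedit writes SIDs prefixed with '*',
# e.g. *S-1-5-80-0 for NT SERVICE\ALL SERVICES.
$cfg = Join-Path $env:TEMP 'secpol-userrights-check.inf'   # constructed temp path
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Warning 'SeServiceLogonRight is not defined in the local policy export.'
    return
}

$entries = ($line.Line -split '=', 2)[1].Trim() -split ','
$hasAllServices = $entries -contains '*S-1-5-80-0'
"SeServiceLogonRight entries: $($entries -join ', ')"
"NT SERVICE\ALL SERVICES (S-1-5-80-0) granted: $hasAllServices"
```

The first loop reproduces the answer's icacls observation: the bare "ALL SERVICES" entry throws the "no mapping" error, so a policy entry typed that way grants nothing. The second part is the check to run after a restart when a virtual-account service fails to start: if `*S-1-5-80-0` is absent from SeServiceLogonRight, the service's own per-service SID (visible with `sc.exe showsid "MSSQL$MICROSOFT##WID"`) has no logon right unless it was granted individually.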