Service accounts and Group Policy

I recently came across a situation where I was unable to start the windows internal database.  The service was configured to run as “NT SERVICE\MSSQL$MICROSOFT##WID”.  However, the logon as a service right was controlled through Group Policy.

I was unable to add this account directly and eventually found the Microsoft support article:

The solution is grant “NT SERVICE\ALL SERVICES” the logon as a service right through Group Policy.

Update: The microsoft documentation for well known SIDs includes ‘SID S-1-5-80-0 = NT SERVICES\ALL SERVICES’: This indicates that all services will be added to the all services group. If thie is not required (e.g. may introduce a security risk) don’t use this approach.


Groups.xml is encrypted with a fixed key, see

All passwords are encrypted using a derived Advanced Encryption Standard (AES) key.<3>

The 32-byte AES key is as follows:

 4e 99 06 e8  fc b6 6c c9  fa f4 93 10  62 0f fe e8
 f4 96 e8 06  cc 05 79 90  20 9b 09 a4  33 b6 6c 1b
openssl enc -d -base64 -A -in <base64pass> -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 000000000000000000000000000000

Note that windows passwords are unicode.