I recently came across a situation where I was unable to start the Windows Internal Database. The service was configured to run as “NT SERVICE\MSSQL$MICROSOFT##WID”; however, the “Log on as a service” right was controlled through Group Policy.
I was unable to add this account directly and eventually found the Microsoft support article: http://support.microsoft.com/kb/2832204
The solution is to grant “NT SERVICE\ALL SERVICES” the “Log on as a service” right through Group Policy.
Update: the Microsoft documentation for well-known SIDs lists ‘SID S-1-5-80-0 = NT SERVICES\ALL SERVICES’: http://support.microsoft.com/kb/243330/en-gb. This means that every service is a member of the All Services group, so the right is granted to all services, not just the one you need. If this is not required (e.g. it may introduce a security risk), don’t use this approach.
The password values in Groups.xml are encrypted with a fixed, publicly documented key; see https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx
The linked specification states: “All passwords are encrypted using a derived Advanced Encryption Standard (AES) key. The 32-byte AES key is as follows:” 4e 99 06 e8 fc b6 6c c9 fa f4 93 10 62 0f fe e8 f4 96 e8 06 cc 05 79 90 20 9b 09 a4 33 b6 6c 1b
openssl enc -d -base64 -A -in <base64pass> -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 00000000000000000000000000000000
Note that the value stored in Groups.xml has its base64 ‘=’ padding stripped, so restore the padding before decoding, and that the decrypted plaintext is UTF-16LE (Windows Unicode), so convert it before displaying it.
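As an added defender-side check (not part of the original post): a small Python audit that walks a copy of SYSVOL and reports every Group Policy Preferences file that still carries a cpassword attribute, i.e. a value encrypted under the fixed key above. The file-name list, the sample Groups.xml and the account name in it are constructed for this example.

```python
import base64
import os
import xml.etree.ElementTree as ET

# Constructed sample Groups.xml (not from any real domain): one local-user entry whose
# Properties element still carries a cpassword. 43 base64 chars with the '=' stripped,
# which is what a 32-byte AES-CBC ciphertext looks like once Windows drops the padding.
SAMPLE_GROUPS_XML = """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="localadmin" image="2">
    <Properties action="U" userName="localadmin"
        cpassword="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" changeLogon="0" />
  </User>
</Groups>
"""

# Preference files that may carry a cpassword attribute (assumed list for this audit).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}


def find_cpasswords(xml_data, source="<inline>"):
    """Return one finding per element that carries a cpassword attribute."""
    findings = []
    for elem in ET.fromstring(xml_data).iter():
        cpw = elem.attrib.get("cpassword")
        if cpw is None:
            continue
        # Groups.xml strips the base64 '=' padding; restore it before decoding.
        padded = cpw + "=" * (-len(cpw) % 4)
        try:
            ciphertext_len = len(base64.b64decode(padded, validate=True))
        except ValueError:
            ciphertext_len = None
        findings.append({
            "source": source,
            "element": elem.tag,
            # Other preference files name the account differently (runAs, accountName).
            "userName": elem.attrib.get("userName") or elem.attrib.get("runAs")
                        or elem.attrib.get("accountName"),
            "ciphertext_bytes": ciphertext_len,
            # AES-CBC output is always a whole number of 16-byte blocks.
            "well_formed": ciphertext_len is not None and ciphertext_len % 16 == 0,
        })
    return findings


def scan_sysvol(root_dir):
    """Walk a SYSVOL copy and collect cpassword findings from every preference file."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:  # bytes: lets ET honour the XML declaration
                    findings.extend(find_cpasswords(fh.read(), path))
    return findings
```

Any finding means the GPO should be removed or rewritten without the password, which is the remediation MS14-025 left to administrators.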