I had a bizarre issue today where NT SERVICE\MSSQLSERVER was being denied login as a service on a domain-joined computer. I also noticed group policy was not being applied via gpupdate /force. I disconnected the computer from the domain, deleted the AD Object, re-created the AD Object, and re-joined the domain. The computer pulled policy successfully, and SQL Express worked. I know the GPOs don't have anything to do with it because I scoured through them to see if there was a policy allowing the virtual account to log in as a service and there was nothing of the sort. There are only three GPOs being applied now and they are not related. I'm struggling to make sense of how this fixed the SQL problem. The only thing that would make sense is that, even though the SQL instance is local, the computer still needed a Kerberos token to log in as the service. When I rejoined the domain, it fixed the connection to the DC, allowing authentication. Does that make sense?
Thanks folks.