I had a problem where newly created Managed Service Accounts did not have "Logon as a service" right. A GPO was excluding "NT SERVICE\ALL SERVICES" from "Logon as a service". This was fixed.
Am I right in thinking that Install-ADServiceAccount adds the MSA account to "NT SERVICE\ALL SERVICES"?
Yes and no.

ALL SERVICES is a well-known security identifier, whose membership is implicit based on rules that are hard-coded into the operating system. That is, you can't add or remove users; the security identifier is assigned automatically to the appropriate users or in the appropriate situation. (For example, Local account is automatically assigned to all local accounts, and Interactive is assigned if you are logged in interactively, whereas Network applies instead when you are accessing a network share. Process Explorer, available from the Microsoft web site, is a convenient way of checking the security identifiers corresponding to any given process; look in the Security tab of the Properties dialog.)

The SID for ALL SERVICES is S-1-5-80-0 and the description in KB243330 says:

This suggests that the identifier is granted to any process running as a service. This is not the case. There is a well-known security identifier that is granted to any service, but that is S-1-5-6, NT AUTHORITY\SERVICE.

It appears that what ALL SERVICES actually means is all service accounts. This includes virtual accounts (I've checked) as well as managed service accounts. However, it should be noted that it does not include either NETWORK SERVICE or LOCAL SERVICE, as might be expected.

In summary, Install-ADServiceAccount does not explicitly add the new account to ALL SERVICES, but the upshot is the same; any new managed service account you create will be a member.
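An added example (not from the question or answer above) that makes the two points above checkable on a given machine: it reads which identities currently hold "Log on as a service" (SeServiceLogonRight) from a secedit export, flags the case from the question where S-1-5-80-0 is absent, and then shows whether the current process token carries S-1-5-80-0 or S-1-5-6. It assumes an elevated prompt for secedit and secedit's usual .inf layout; the lookup table is a constructed convenience.

```powershell
# Added example, not the original poster's or answerer's code.
# Requires an elevated prompt (secedit). Assumes secedit's default .inf export
# layout: a [Privilege Rights] section whose values are '*SID' lists.

# Constructed lookup so the output is readable even if translation fails.
$WellKnown = @{
    'S-1-5-80-0' = 'NT SERVICE\ALL SERVICES   (implicit: every service account)'
    'S-1-5-6'    = 'NT AUTHORITY\SERVICE       (implicit: any process running as a service)'
    'S-1-5-19'   = 'NT AUTHORITY\LOCAL SERVICE'
    'S-1-5-20'   = 'NT AUTHORITY\NETWORK SERVICE'
}

function Get-ServiceLogonRightSids {
    $inf = Join-Path $env:TEMP 'userrights.inf'
    # Export only the user-rights area of the effective local policy (GPO applied).
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # right granted to nobody at all
    # Right-hand side is comma-separated; each SID is prefixed with '*'.
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}

function Resolve-SidName([string]$Sid) {
    if ($WellKnown.ContainsKey($Sid)) { return $WellKnown[$Sid] }
    try {
        (New-Object System.Security.Principal.SecurityIdentifier $Sid).Translate([System.Security.Principal.NTAccount]).Value
    } catch { "$Sid (unresolvable)" }
}

$granted = Get-ServiceLogonRightSids
"Identities holding 'Log on as a service':"
$granted | ForEach-Object { "  {0,-12} {1}" -f $_, (Resolve-SidName $_) }

if ($granted -notcontains 'S-1-5-80-0') {
    "`nS-1-5-80-0 (ALL SERVICES) is NOT granted: new MSAs and virtual accounts will not"
    "receive the right implicitly. Check the GPO that sets 'Log on as a service'."
}

# Which implicit SIDs does this process token carry? From an interactive shell
# expect neither; a process running as a service carries at least S-1-5-6.
$tokenSids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object { $_.Value }
"`nCurrent token has S-1-5-80-0 (ALL SERVICES): " + ($tokenSids -contains 'S-1-5-80-0')
"Current token has S-1-5-6    (SERVICE):      " + ($tokenSids -contains 'S-1-5-6')
```

Running the token check from a service (for example via a scheduled task running as a managed service account) rather than an interactive shell is what exposes the difference between S-1-5-6 and S-1-5-80-0 that the answer describes.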