GPOs and SharePoint 2013: The dance of the 2 left footed partners.

3 07 2013

I recently was installing SharePoint 2013 at a customers site. I thought all was going well till i started hitting a brick wall of errors while installing SharePoint, some that i had seen, others that i haven’t.

I started noticing some strange things as well, like the SharePoint Timer services mysteriously turning off and then giving me an error, telling me that the there was a logon failure.  I thought this was kinda weird, but i went in and updated the password and i got CLUE #1. The dialogue box was now telling me that my farm account now had rights to log on as a service.

That set me off an alarm in my head and decided to ask my customer if he had any custom GPOs. Turns out they did, but he didn’t quite know all the different ones they had.

Thus started a long winding road figuring out which GPOs did what.

The end result was this:

SharePoint 2013 service accounts need the following rights.

  • Manage audit and security log
  • Debug Programs
  • Backup files and directories
  • Log on as a service
  • Log on as batch

All of these right can be found on the local security policy, but if you have GPOs in your AD these will be over written.

What you have to do is kindly/gently/forcefully ask you friendly neighborhood AD guru to create a GPO that allows these rights to your SP Service accounts.

Adding the ones above helped me.
Nando