Installing ADFS 2.1 on Windows Server 2012 with Windows Internal Database fails if local GPO granting User Rights is overwritten at the Domain or OU-level

During the installation of ADFS 2.1 on Windows Server 2012, the Add-Role wizard grants the local virtual account `NT SERVICE\MSSQL$MICROSOFT##WID` (the account that runs the WID service) the 'Log on as a service' user right via the Local Group Policy.

If that Local Group Policy setting is overwritten by a higher-priority GPO that also defines User Rights Assignment, the WID service account will not hold the 'Log on as a service' user right, and the addition of the WID role will fail during the Add-Role wizard run.

Other symptoms are that the WID service will appear to be installed but cannot start, and further Add-Role wizard runs will complain that a restart is pending, which is technically correct as the WID service will not be fully removed until the next reboot.


The resolution is to ensure the Local Group Policy defining the User Rights Assignment for the server is not overwritten at a higher level (policies are applied in the order Local, Site, Domain, OU, and the later-applied GPO wins), or to add `NT SERVICE\MSSQL$MICROSOFT##WID` *or* `NT SERVICE\ALL SERVICES` to the winning GPO that is applying the 'Log on as a service' User Rights setting to the W2k12 server.
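The following PowerShell script is an added diagnostic example and is not part of the original note. It checks, before re-running the Add-Role wizard, whether the WID virtual account effectively holds 'Log on as a service' on this server and which computer GPOs applied, so an override from Site, Domain or OU level can be spotted. It assumes the service name from the note (`MSSQL$MICROSOFT##WID`), uses `sc.exe showsid` to derive the service SID, `secedit /export` to read the effective user rights (privilege constant `SeServiceLogonRight`), and `gpresult` for the applied GPO list; the well-known SID `S-1-5-80-0` is `NT SERVICE\ALL SERVICES`. Run it from an elevated prompt on the ADFS/WID server.

```powershell
# Added example (not from the original note): verify that NT SERVICE\MSSQL$MICROSOFT##WID
# effectively holds "Log on as a service" and show which GPOs are applying to the computer.
# Single quotes are used so that '$' in the service name is not expanded by PowerShell.
$widService     = 'MSSQL$MICROSOFT##WID'
$allServicesSid = 'S-1-5-80-0'   # well-known SID for NT SERVICE\ALL SERVICES

# 1. Derive the service SID of the WID virtual account. sc.exe computes it from the
#    service name, so this works even when the service is only partially installed.
$scOutput = & sc.exe showsid $widService
$sidMatch = $scOutput | Select-String -Pattern 'S-1-5-80-[\d-]+' | Select-Object -First 1
if (-not $sidMatch) { throw "Could not derive the service SID for $widService" }
$widSid = $sidMatch.Matches[0].Value
Write-Host "WID service SID: $widSid"

# 2. Export the effective user rights assignment. The exported [Privilege Rights] section
#    reflects what is in force after Local/Site/Domain/OU GPO processing.
$cfg = Join-Path $env:TEMP 'userrights-export.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$rightLine = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

# Holders are comma separated; SIDs carry a leading '*', resolved names appear bare.
$holders = @()
if ($rightLine) {
    $holders = ($rightLine -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ -ne '' }
}
Write-Host "Effective 'Log on as a service' holders:"
$holders | ForEach-Object { Write-Host "  $_" }

$hasRight = ($holders -contains $widSid) -or ($holders -contains $allServicesSid)
if ($hasRight) {
    Write-Host "OK: the WID account holds 'Log on as a service' (directly or via ALL SERVICES)."
} else {
    Write-Warning "The WID account does NOT hold 'Log on as a service'."
    Write-Warning "Add NT SERVICE\$widService or NT SERVICE\ALL SERVICES to the winning GPO's"
    Write-Warning "'Log on as a service' setting, or stop that GPO from overriding the local policy."
}

# 3. Show which computer GPOs applied, so the overriding policy can be located.
#    For a full RSoP report that names the GPO behind each user right: gpresult /h report.html
$gp    = & gpresult.exe /scope computer /r
$start = -1
for ($i = 0; $i -lt $gp.Count; $i++) {
    if ($gp[$i] -match 'Applied Group Policy Objects') { $start = $i; break }
}
if ($start -ge 0) {
    Write-Host ''
    for ($i = $start; $i -lt $gp.Count; $i++) {
        if ($i -gt $start + 1 -and $gp[$i].Trim() -eq '') { break }   # section ends at blank line
        Write-Host $gp[$i]
    }
}

# 4. Current state of the WID service, which the note says may exist but fail to start.
$svc = Get-Service -Name $widService -ErrorAction SilentlyContinue
if ($svc) { Write-Host "WID service status: $($svc.Status)" } else { Write-Host 'WID service is not installed.' }
```

If the script reports that the right is missing while the local policy (`secpol.msc`) shows the account listed, the GPO named in the applied-GPO list is the one overwriting it; after correcting the GPO, run `gpupdate /force` and reboot before re-running the Add-Role wizard so the pending-restart condition clears.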