About NT SERVICE\ALL SERVICES group
So what is with this group? I saw it on fresh OS install, GPOs, some random forum discussion. But not a lot explained on the MS docs. There is something but it’s kind of useless and confusing:
It says
S-1-5-80-0
All Services
A group that includes all service processes configured on the system. Membership is controlled by the operating system.
So it’s a well known SID/Group that is controlled by the OS. But the explanation is confusing. Actually it’s a group that contains all the virtual service accounts defined on the system, plus the managed service accounts(MSA), plus the group managed service accounts (GMSA).
This is very important for MSA and GMSA. You don’t need to grant the account Logon As a Service right, because on a fresh install of Windows 11, All Services group already has that right:
In case you use some domain GPOs and maybe those are inherited from some legacy systems, be careful not to overwrite this with some other values and remove it. Virtual accounts might not work anymore and you’ll have to grant rights individually for managed accounts.