Office 365: AD Sync stops working with the error message "the user has not been granted the requested logon type at this computer"
The event log recorded the following error.
The ADSync service was unable to log on as NT SERVICE\ADSync with the currently configured password due to the following error: Logon failure: the user has not been granted the requested logon type at this computer.
Service: ADSync Domain and account: NT SERVICE\ADSync
This service account does not have the required user right "Log on as a service."
User Action
Assign "Log on as a service" to the service account on this computer. You can use Local Security Settings (Secpol.msc) to do this. If this computer is a node in a cluster, check that this user right is assigned to the Cluster service account on all nodes in the cluster.
If you have already assigned this user right to the service account, and the user right appears to be removed, check with your domain administrator to find out if a Group Policy object associated with this node might be removing the right.
Researching this suggests there was a problem with the "Log on as a service" policy.
I did not find the root cause, but changing the policy as follows resolved the synchronization.
Run Gpmc.msc.
I went through the Default Domain Policy. Click Edit.
Under Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - User Rights Assignment - Log on as a service, add NT SERVICE\All Services as shown below.
This account is added because the Microsoft Azure AD Sync service runs under an NT SERVICE\ account of that form.
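A quick way to verify the effective setting on the Azure AD Connect server, as an added example that is not part of the original post: export the local security policy with secedit and check whether SeServiceLogonRight includes NT SERVICE\ALL SERVICES (well-known SID S-1-5-80-0), which is what covers the NT SERVICE\ADSync virtual account; the temporary file path is an assumption. Keep in mind that a User Rights Assignment defined in a GPO replaces the entire local list rather than adding to it, so whatever the Default Domain Policy lists becomes the complete set on every computer it applies to.

```powershell
# Added example (not from the original post): report who holds the
# "Log on as a service" right (SeServiceLogonRight) on this host and
# whether NT SERVICE\ALL SERVICES (S-1-5-80-0) is among them.
# Run in an elevated PowerShell session; the temp path is an assumption.

$cfg = Join-Path $env:TEMP 'secpol-export.inf'
# secedit writes the local security database, including the
# [Privilege Rights] section, as a Unicode .inf file.
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Warning 'SeServiceLogonRight is not assigned to anyone on this host.'
    return
}

# Entries are comma separated; SIDs are prefixed with '*', names appear as-is.
$entries = ($line -split '=', 2)[1].Trim() -split ','
$report = foreach ($e in $entries) {
    $e = $e.Trim()
    if ($e.StartsWith('*')) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($e.TrimStart('*'))
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<unresolved>' }
        [pscustomobject]@{ Sid = $sid.Value; Account = $name }
    } else {
        [pscustomobject]@{ Sid = ''; Account = $e }
    }
}
$report | Format-Table -AutoSize

$allServices = 'S-1-5-80-0'   # well-known SID for NT SERVICE\ALL SERVICES
if ($report.Sid -contains $allServices) {
    'OK: NT SERVICE\ALL SERVICES holds SeServiceLogonRight, so NT SERVICE\ADSync is covered.'
} else {
    'MISSING: add NT SERVICE\ALL SERVICES (or NT SERVICE\ADSync) to "Log on as a service".'
    'To see which GPO defines the right, run: gpresult /scope computer /h gpresult.html'
}
```

If the right is missing even though you added it in the GPO, run gpupdate /force and re-run the check; the gpresult report shows which GPO won for this setting.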
There was a similar error in which the SQL Server service would not start; adding the SQL service account to the same policy resolved that problem.