Just Enough Administration - SeServiceLogonRight is not getting cleaned up


I’ve hit this issue:


So it only affects Windows 2012R2 servers, when Invoke-Command is used, I see the virtual account is not removed from “Logon As A Service”.

Has anyone seen this in their environment ? Was a patch issued by MS for 2012R2 ? I can’t seem to find much information on the subject.



I thought I should answer my own question as I’ve been looking into this issue, it appears that the problem was fixed in 2016 and 2019, however, on a fully patched 2012 R2 instance, I still get the same results.

If I enable a group policy for ‘Logon As A Service’ those additional accounts are removed when the server is rebooted.