MPAD | How to validate and what is difference of 'Windows Services' and 'Windows Service Accounts' in device REACL Profile (4378003)

How to validate and what is difference of 'Windows Services' and 'Windows Service Accounts' in device REACL Profile (Sample screenshot below)

Both option are performing differerent action that are explained in the document here 

Windows Services: Selected by default. The Windows Services option will ensure that any source domain accounts that were given permission to a service will include the corresponding matched target domain account after a ReACL process.

Windows Service Accounts: Unselected by default. We recommend that the Windows Service Accounts box is left UNCHECKED. A change in the ACL of the service accounts of the target may have an impact on the applications currently running. Although the ReACL process can usually be rolled back in case of issues, there could be a temporary disruption in service until that can be resolved. Selecting the Windows Service Accounts box will switch the domain account that Windows services are running under to the corresponding matched target domain account after a completed ReACL process.

More detailed sample explanation as below

Windows Services
1) Scenario: Device has SQL Browser installed installed as a Windows Service (as shown below)

2) ReACL: selected the option for Windows Services (as shown below)

3) ReACL Completed:

a) verify the logs e.g. ReAclResults_20241216140744.csv.

• search for the keyword SQL Server Browser or Processing Service 'SQL Server Browser'
• the reacl activity should have the old and new lines indicating before and after permission settings (SDDL format)
• in example below, having source SID 'S-1-5-21-3102104888-1379665284-1890259016-1103' and target SID 'S-1-5-21-3670140049-618475526-3759332088-1195'
  

  2024/12/16 14:07:45.933,Info,ServiceUpdater,Processing Service 'SQL Server Browser',
   
  2024/12/16 14:07:45.933,Debug,Updater,Updating security (Access);
  old 'O:SYG:SYD:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3102104888-1379665284-1890259016-1103)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
  new 'O:SYG:SYD:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3102104888-1379665284-1890259016-1103)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3670140049-618475526-3759332088-1195)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
  
  

  
  b) verify the permissions on the device
• From an elevated command prompt, enter the command sc.exe sdshow sqlbrowser
• Found the source SID 'S-1-5-21-3102104888-1379665284-1890259016-1103' and target SID 'S-1-5-21-3670140049-618475526-3759332088-1195'
  
  

  C:\Users\Administrator>sc.exe sdshow sqlbrowser
  
  D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3102104888-1379665284-1890259016-1103)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3670140049-618475526-3759332088-1195)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

  
  

Windows Service Account

1) Scenario:
Initial State: Services are configured to run using source domain accounts (e.g., source\ServiceAccount). sample screenshot below

2) Preparation:
Understand the Impact: Selecting the Windows Service Accounts option will change the service account from the source domain to the corresponding account in the target domain.
Temporary disruptions may occur while services are updated and restarted.
Ensure Account Mapping: Confirm in Quest Migration Manager that each service account in the source domain has a correctly mapped target domain account.

option Windows Service Accounts checked and reacl.

3) ReACL Complete:
Verify the service account are updated