2-node multi-subnet W2016 failover cluster running SQL2016
GPO policy is applied - policy item “Deny access to this computer from the network” has “NT AUTHORITY\Local account” and “BUILTIN\Guests” listed in the setting.
W2016 cluster services will not start with this policy item in place.
After removing “NT AUTHORITY\Local account” from this setting the Cluster Service started successfully.
Is this expected behaviour?
Is there a modification we can make to the policy setting that will retain the setting to deny local accounts but enable cluster services to start?
Is there an option to use a domain service account to run cluster services on W2016 instead of CLIUSR?
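
For checking a node against the setting described in the question, here is an added example (not part of the original post) that parses a `secedit /export` user-rights file and reports whether "Deny access to this computer from the network" (`SeDenyNetworkLogonRight`) lists the Local account SID. The sample INF text is constructed and the function names are hypothetical.

```powershell
# Added example. On a real node, create the input with
#   secedit /export /cfg C:\Temp\secpol.inf /areas USER_RIGHTS
# and pass (Get-Content C:\Temp\secpol.inf) instead of $sample.

# Well-known SIDs that can appear in this user right.
$WellKnown = @{
    'S-1-5-113'    = 'NT AUTHORITY\Local account'
    'S-1-5-114'    = 'NT AUTHORITY\Local account and member of Administrators group'
    'S-1-5-32-546' = 'BUILTIN\Guests'
}

function Get-UserRightAssignment {
    param([string[]]$InfLines, [string]$Right)
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        # Track which INF section we are in; only [Privilege Rights] matters.
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $t -match "^$([regex]::Escape($Right))\s*=\s*(.*)$") {
            # Entries are comma separated; SIDs carry a leading '*'.
            return @($Matches[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return @()
}

function Test-DenyNetworkLogonLocalAccount {
    param([string[]]$InfLines)
    $entries = @(Get-UserRightAssignment -InfLines $InfLines -Right 'SeDenyNetworkLogonRight')
    [pscustomobject]@{
        Entries            = @($entries | ForEach-Object { if ($WellKnown.ContainsKey($_)) { $WellKnown[$_] } else { $_ } })
        # True when the deny right applies to every local account on the node.
        DeniesLocalAccount = ($entries -contains 'S-1-5-113')
    }
}

# Constructed sample mirroring the GPO setting in the question.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-5-113,*S-1-5-32-546
[Version]
signature="$CHICAGO$"
'@ -split '\r?\n'

Test-DenyNetworkLogonLocalAccount -InfLines $sample | Format-List
```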