41

Does anyone know what would be the minimum rights I would need to grant to a domain user account in order to run a windows service as that user?

For simplicity, assume that the service does nothing over and above starting, stopping, and writing to the "Application" event log - i.e. no network access, no custom event logs etc.

I know I could use the built in Service and NetworkService accounts, but it's possible that I may not be able to use these due to network policies in place.

Lance Roberts
Paul Nearney

4 Answers

83

Two ways:

  1. Edit the properties of the service and set the Log On user. The appropriate right will be automatically assigned.

  2. Set it manually: Go to Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment. Edit the item "Log on as a service" and add your domain user there.

spoulson
  • Fantastic - so "Log on as service" is all that is needed for a basic service (plus any rights specific to the logic in the service, e.g. to access network resources). For some reason I'd imagined a huge tangle of rights would be necessary. Thanks – Paul Nearney Oct 24 '08 at 07:14
  • 3
    Sometimes, this doesn't seem to be sufficient. I did both of these things and starting the service failed with error " service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.". I had to make the user account an administrator for it to work. – mythofechelon Jan 26 '17 at 15:28
  • How to really do the #1? – zar Jul 11 '18 at 18:30
  • Just doing these two steps did not solve my problem. I looked at the Event Logs to see what else I could find out and noticed the domain account I had driving the service did not have permissions to write to the service's log file. I made the domain account a local administrator and it got me up and running! – Shadoninja Feb 15 '19 at 02:50
  • @Shadoninja. I have a domain account in `Local Admin Group` and also added the domain account in `Logon as a service` in `Local security policy` but still my service won't start. I am trying run `Themes` service, under this domain account but get an error `A privilege required to start doesn't exist in service account` – Omair Nabiel Jul 24 '20 at 06:31
  • For me it works the second point, I added also the user on the user's local computer access, just in case, to allow the user to run it automatically. – Juano Jan 16 '22 at 17:32
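The two steps in this answer, plus the checks the comments above turn out to need, as an added PowerShell example (not part of the original answer). It is run elevated on the host where the service is installed, under Windows PowerShell 5.1 or later. The account name `DOMAIN\svc-myapp` and the service name `MyAppSvc` are assumptions; substitute your own.

```powershell
# Added example, not from the original answer. Run elevated.
# Assumed names: DOMAIN\svc-myapp (domain account), MyAppSvc (installed service).
$Account = 'DOMAIN\svc-myapp'
$Service = 'MyAppSvc'

# 1. Grant "Log on as a service" (SeServiceLogonRight), the same right the
#    Services MMC assigns when you change the Log On tab. Export the local
#    policy's user-rights area, add the account's SID to that one line, re-import.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).
           Translate([System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'secpol.inf'
$db  = Join-Path $env:TEMP 'secpol.sdb'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = @(Get-Content $cfg)
$key   = 'SeServiceLogonRight'
$idx   = -1
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -like "$key*") { $idx = $i; break }
}
if ($idx -ge 0) {
    # Right already assigned to someone: append our SID if it is not there yet.
    if ($lines[$idx] -notlike "*$sid*") { $lines[$idx] += ",*$sid" }
} else {
    # Right not assigned to anyone: add it under [Privilege Rights].
    $pr = [array]::IndexOf($lines, '[Privilege Rights]')
    $lines = $lines[0..$pr] + "$key = *$sid" + $lines[($pr + 1)..($lines.Count - 1)]
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode
secedit.exe /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null

# 2. Point the service at the account. sc.exe needs the space after each '='.
#    The password is read interactively so it never lands in shell history.
$cred = Get-Credential -UserName $Account -Message 'Service account password'
$pw   = $cred.GetNetworkCredential().Password
sc.exe config $Service obj= $Account password= $pw | Out-Null

# 3. Checks before hitting Start.
#    a) The right actually took: re-export and look at the line.
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Select-String -Path $cfg -Pattern $key
Remove-Item $cfg, $db -ErrorAction SilentlyContinue
#    b) The service does not declare privileges the account cannot hold.
#       "A privilege required to start doesn't exist in service account"
#       (quoted in the comments) comes from this list; built-in services
#       such as Themes declare several. A plain user account has very few.
sc.exe qprivs $Service
#    c) The Application-log event source exists. Creating a source writes
#       under HKLM and needs admin rights, so a non-admin service that
#       registers it on first write fails exactly the way the
#       "started and then stopped" comment describes. Create it at install.
if (-not [System.Diagnostics.EventLog]::SourceExists($Service)) {
    [System.Diagnostics.EventLog]::CreateEventSource($Service, 'Application')
}

Start-Service -Name $Service
Get-Service -Name $Service
```

If `sc.exe qprivs` lists anything beyond `SeChangeNotifyPrivilege` (the one right every account holds), the service was written to run as SYSTEM or a built-in service account and a domain user will not satisfy it no matter how many policy rights you add; the fix is in the service's configuration (`sc.exe privs`) or its code, not in Local Security Policy. Filesystem access to the service's own binary and data directories is a separate matter from user rights and is covered by the later answers on this page.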
4

I do know that the account needs to have "Log on as a Service" privileges. Other than that, I'm not sure. A quick reference to Log on as a Service can be found here, and there is a lot of information of specific privileges here.

Chris Marasti-Georg
2

"BypassTraverseChecking" means that you can directly access any deep-level subdirectory even if you don't have all the intermediary access privileges to directories in between, i.e. all directories above it towards root level.

ths
1

Thanks for the links, Chris. I've often wondered about the specific effects of privileges like "BypassTraverseChecking" but never bothered to look them up.

I was having interesting problems getting a service to run and discovered that it didn't have access to its files after the initial installation had been done by the administrator. I was thinking it needed something in addition to Logon As A Service until I found the file issue.

  1. Disabled simple file sharing.
  2. Temporarily made my service account an administrator.
  3. Used the service account to take ownership of the files.
  4. Remove service account from the administrators group.
  5. Reboot.

During Take Ownership, it was necessary to disable inheritance of permissions from the parent directories and apply permissions recursively down the tree.

Wasn't able to find a "give ownership" option to avoid making the service account an administrator temporarily, though.

Anyway, thought I'd post this in case anyone else was going down the same road I was looking for security policy issues when it was really just filesystem rights.

JoshMc
T.Rob
  • BTW, it shouldn't need to own the files, it should only need read and execute permissions for the files. – X-Cubed Jan 05 '10 at 02:38
  • The files in question include the run-time data as well as the static build-time files. The static files can be read/execute but the run-time files need to be updated, new files and directories created, files deleted, etc. It's possible to figure out on a per-directory basis exactly what's needed but it could change across a release or even a fix pack and be devilishly hard to diagnose. So you are correct that less than full ownership is required but from a serviceability standpoint I'd still recommend taking ownership. – T.Rob Mar 26 '10 at 13:05
  • This is pretty ancient, but in case someone comes across it, you'd generally want to grant the "Modify" right in this instance. To summarise the permissions in a simple way: * Folder: Permits reading and writing of files and subfolders; allows deletion of the folder * Files: Permits reading and writing of the file; allows deletion of the file "Ownership" does not actually confer any access to the file as such, just to the ability to set permissions (Full control includes these rights). Administrators should have full control, instead, in case the service account goes haywire. – LeeM Dec 15 '16 at 06:38
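The filesystem side of this answer and its comments (read/execute on the static files, Modify rather than ownership on the runtime data, Full Control kept with Administrators), as an added PowerShell example that is not part of the original post. It avoids the "temporarily make the account an administrator" step entirely, because an administrator can grant the ACEs directly. The account `DOMAIN\svc-myapp` and the two directories are assumed names; the split between a binaries directory and a data directory is the layout T.Rob's comment describes.

```powershell
# Added example, not from the original answer. Run elevated.
# Assumed: DOMAIN\svc-myapp is the service account; C:\Program Files\MyApp
# holds the static files and C:\ProgramData\MyApp the runtime data.
$Account = 'DOMAIN\svc-myapp'
$BinDir  = 'C:\Program Files\MyApp'
$DataDir = 'C:\ProgramData\MyApp'

# Static files: read + execute only. (OI)(CI) inherit the ACE to files and
# subfolders created later; /T applies it to everything already there.
# ${Account} (braces) keeps PowerShell from reading "DOMAIN\svc-myapp:" as a drive.
icacls.exe $BinDir /grant "${Account}:(OI)(CI)RX" /T

# Runtime data: Modify (M) lets the service create, write and delete files and
# subfolders but not change the ACL; Full Control or ownership would let a
# compromised service re-permission its own tree. Administrators and SYSTEM
# keep Full Control so an operator can always get in.
New-Item -ItemType Directory -Path $DataDir -Force | Out-Null
icacls.exe $DataDir /grant "${Account}:(OI)(CI)M" `
                           'BUILTIN\Administrators:(OI)(CI)F' `
                           'NT AUTHORITY\SYSTEM:(OI)(CI)F' /T

# Cut inheritance from C:\ProgramData AFTER the explicit grants are in place,
# so a later change to the parent's ACL cannot widen (or remove) access here.
# /inheritance:r drops the inherited ACEs and keeps the explicit ones.
icacls.exe $DataDir /inheritance:r

# Ownership stays with Administrators; the service account never needs it.
icacls.exe $DataDir /setowner 'BUILTIN\Administrators' /T

# Verify: every file in both trees should show exactly the intended ACEs,
# and the owner of the data tree should be Administrators.
icacls.exe $BinDir
icacls.exe $DataDir
Get-Acl -Path $DataDir | Format-List Owner, AccessToString
```

If the service's log file lives somewhere else (the comment above about not being able to write to the service's log file is the common case), grant `M` on that directory the same way rather than on the whole drive. The service account still needs only "Log on as a service" from Local Security Policy; everything in this block is ordinary NTFS permission and needs no user right at all.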