Managing “Logon as a service” Group Policy

Windows services normally run under one of the built-in service accounts: Local System, Local Service, or Network Service. To run a service under a regular user account instead, that account must hold the “Log on as a service” user right (internally SeServiceLogonRight), which is assigned through local or domain Group Policy.

This right lets the Service Control Manager create a service logon session for the specified account and start the service process in that account’s security context; the process is then registered and controlled as a Windows service.

Because the logon is a service logon rather than an interactive one, a service granted this right keeps running under the user account continuously, even when nobody is logged on to the computer. It also lets you run third-party services under a dedicated low-privilege account instead of granting them Local System rights: if such a service is compromised, the attacker gets only the rights of that non-admin user, not the whole machine.

Launch the local (gpedit.msc) or domain (gpmc.msc) Group Policy Editor and go to the following GPO section: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment. Find the Log on as a service policy.

Note that on Windows Server 2016 and Windows 10, the NT SERVICE\ALL SERVICES group is added to this policy by default.

When the Hyper-V role is installed, the NT VIRTUAL MACHINE\Virtual Machines group (SID S-1-5-83-0) is added as well. Installing the IIS web server adds the application pool identity IIS APPPOOL\.NET v4.5 used by the .NET Framework.


Hint. You can also change the local Log on as a service policy through the Local Security Policy console (secpol.msc, also reachable from Control Panel > Administrative Tools). Open Security Settings > Local Policies > User Rights Assignment and modify the policy there.

Double-click the Log on as a service policy, click the Add User or Group button, and specify the account or group that should be allowed to run Windows services.


To apply the new settings, run the group policy update command:

gpupdate /force

Now open the Services console (services.msc) and configure a service to run under the user account: select the service > Properties > Log On tab > Log on as > This account, then choose the account and enter its password.

A message appears:

The account .\admin has been granted the Log On As A Service right.

Note that the Services console adds this right to the local security policy itself when the selected account does not already have it. On a domain-joined computer that is not a durable fix: if the Log on as a service setting is defined in a domain GPO, the local addition is overwritten at the next policy refresh, so the account must be added to the GPO as described above.


When using this policy, make sure that the user or group is not also listed in the related “Deny log on as a service” policy, which specifies the accounts that are explicitly not allowed to run services. If an account appears in both Deny log on as a service and Log on as a service, the deny policy takes precedence, and the service fails to start with the following error:


Windows could not start the xxxx service on Local Computer.
Error 1069: The service did not start due to a logon failure.


It is advisable to keep the list of accounts granted the “Log on as a service” right as short as possible: use a dedicated account per service rather than a shared one, and review the policy periodically, since an account with this right can be used to run code persistently on the computer without any interactive logon.
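As an added example (not part of the original article), the following PowerShell script audits the local Log on as a service and Deny log on as a service lists for a given account and, with the -Grant switch, assigns the right using the built-in secedit.exe, the same mechanism Group Policy uses for User Rights Assignment. The account name CONTOSO\svc-backup is a placeholder; run the script from an elevated prompt.

```powershell
# Added example, not from the original article.
# Audit or grant SeServiceLogonRight ("Log on as a service") on the local
# computer with secedit.exe. Assumes an elevated PowerShell session.
# Usage: .\Set-ServiceLogonRight.ps1 -Account 'CONTOSO\svc-backup' [-Grant]
param(
    [Parameter(Mandatory)][string]$Account,   # placeholder account name
    [switch]$Grant
)

# secedit stores accounts as "*<SID>" in the exported .inf, so resolve the SID
$sid = (New-Object System.Security.Principal.NTAccount($Account)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value

$workDir = Join-Path $env:TEMP 'userrights'
New-Item -ItemType Directory -Force -Path $workDir | Out-Null
$cfg = Join-Path $workDir 'secpol.inf'

# Export only the User Rights Assignment area of the local policy
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$content = Get-Content -Path $cfg   # secedit writes UTF-16 with BOM

# Return the entries of one right, e.g. "*S-1-5-80-0", "*S-1-5-83-0"
function Get-RightMembers([string[]]$Lines, [string]$Right) {
    $line = $Lines | Where-Object { $_ -match "^$Right\s*=" }
    if (-not $line) { return @() }
    return ($line -replace "^$Right\s*=\s*", '') -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

$allow = Get-RightMembers $content 'SeServiceLogonRight'
$deny  = Get-RightMembers $content 'SeDenyServiceLogonRight'

# Entries may be SIDs ("*S-1-...") or plain names; check both forms
$inAllow = ($allow -contains "*$sid") -or ($allow -contains $Account)
$inDeny  = ($deny  -contains "*$sid") -or ($deny  -contains $Account)

Write-Host "Log on as a service:      $(if ($inAllow) {'granted'} else {'not granted'})"
Write-Host "Deny log on as a service: $(if ($inDeny)  {'DENIED (deny overrides allow)'} else {'not denied'})"

if ($Grant -and -not $inAllow) {
    $newValue = (@($allow) + "*$sid") -join ','
    if ($content -match '^SeServiceLogonRight\s*=') {
        # Right already defined: extend the existing line
        $content = $content -replace '^SeServiceLogonRight\s*=.*', "SeServiceLogonRight = $newValue"
    } else {
        # Right not defined yet: add it under the [Privilege Rights] section
        $content = $content -replace '^\[Privilege Rights\]', "[Privilege Rights]`r`nSeServiceLogonRight = $newValue"
    }
    Set-Content -Path $cfg -Value $content -Encoding Unicode
    # Apply the edited template to the local policy database
    secedit /configure /db (Join-Path $workDir 'secpol.sdb') /cfg $cfg /areas USER_RIGHTS | Out-Null
    Write-Host "Granted SeServiceLogonRight to $Account ($sid)"
    if ($inDeny) { Write-Warning "$Account is still in SeDenyServiceLogonRight; the service will fail with error 1069 until it is removed there." }
}
```

The script reports a deny entry even when the allow entry is present, because that is exactly the situation that produces error 1069 in the Services console. On a domain-joined machine the change it makes is local only: if a domain GPO defines Log on as a service, the next refresh (or gpupdate /force) replaces the local list, and the account has to be added to the GPO instead.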

Cyril Kardashevsky
