In order to allow services to run under a user accounts, and not in the context of a Local System, Local Service, or Network Service, starting with Vista, in Windows you can use the “Log on as a service” policy.
This policy allows certain accounts to start a process on behalf of a user as a Windows service. When this process starts, it is registered as a service.
Logging in as a service policy allows to run services under user account continuously on a computer, even when no one is logged on. Also, this method allows you to safely start third-party services for which you don’t want to grant Local System rights. It is much safer to run services from behalf of non-admin user.
Launch the local (gpedit.msc) or domain (gpmc.msc) Group Policy Editor and go to the following GPO section: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment. Find the Log on as a service policy.
Note that in Windows Server 2016 and Windows 10, the “NT Services\All services” group is added to this policy by default.
When installing the Hyper-V role, the ‘NT VIRTUAL MACHINES\Virtual Machines’ group (SID S-1-5-83-0) is additionally added. When installing web server IIS the .NET Framework account IIS APPPOOL\.NET v4.5 is added.
Hint. You can also change the local Logon as a service policy through Local Security Policy console. To do this, open the Windows Control Panel > Local Security Policy > Security Settings > Local Policies > User Rights Assignments and modify the policy.
Double-click on the Logon as a service policy, click the Add User or Group button, and specify the account or group to which you want to grant the permissions to run Windows services.
To apply the new settings, run the group policy update command:
gpupdate /force
Now you can start the service management console (services.msc), and try to configure the launch of any service from behalf a user account: select service > Properties > Log on tab > Log on as > This account > select account and set a password.
A message appears:
The account .admin has been granted the Log On As A Service right.
When using this policy, make sure that the user or group is not added to another policy called “Deny log on as a service”. In this policy, you can specify which user accounts are not allowed to run services. If the user is simultaneously added to the Deny log on as a service and Logon as a service policies, the deny policy will take precedence. Those, when the service starts, a message appears:
Services
Windows could not start the xxxx service on Local Computer.Error 1069: The service did not start due to a logon failure.
It is advisable to minimize the number of user accounts to which you grant the “Logon as a service” permissions.
