Managing “Logon as a service” Group Policy

To run a service under a user account, rather than in the context of Local System, Local Service, or Network Service, Windows (starting with Vista) uses the “Log on as a service” policy.

This policy specifies which accounts may start a process as a Windows service on behalf of a user. When such a process starts, it is registered as a service.

The Log on as a service policy lets a service run under a user account continuously, even when no one is logged on to the computer. It also lets you start third-party services without granting them Local System rights: running a service on behalf of a non-admin user is much safer.

Launch the local (gpedit.msc) or domain (gpmc.msc) Group Policy Editor and go to the following GPO section: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment. Find the Log on as a service policy there.

Note that in Windows Server 2016 and Windows 10, the “NT SERVICE\ALL SERVICES” group is added to this policy by default.

When the Hyper-V role is installed, the ‘NT VIRTUAL MACHINE\Virtual Machines’ group (SID S-1-5-83-0) is added as well. When the IIS web server is installed, the .NET Framework application pool account IIS APPPOOL\.NET v4.5 is added.


Hint. You can also change the local Log on as a service policy through the Local Security Policy console (secpol.msc). To do this, open Windows Control Panel > Local Security Policy > Security Settings > Local Policies > User Rights Assignment and modify the policy.

Double-click the Log on as a service policy, click the Add User or Group button, and specify the account or group that should be allowed to run Windows services.


To apply the new settings, run the group policy update command:

gpupdate /force

Now open the Services console (services.msc) and configure a service to run under the user account: select the service > Properties > Log on tab > Log on as > This account, then select the account and enter its password.

A message appears:

The account .\admin has been granted the Log On As A Service right.
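The same "Log on" step can be done without the Services console. The following PowerShell script is an added example (not from the article): it changes a service's logon account through the Win32_Service.Change CIM method, reads the configuration back, and attempts a restart so that a logon failure shows up immediately. The service name MyAppService and the account .\svcuser are placeholders for your own values.

```powershell
# Added example (not from the article): the services.msc "Log on" step done from
# PowerShell with the Win32_Service.Change CIM method, followed by a start attempt.
# 'MyAppService' and '.\svcuser' are placeholders for your own service and account.
$ServiceName = 'MyAppService'
$Account     = '.\svcuser'      # local account; use 'DOMAIN\user' for a domain account

# Ask for the password at run time rather than embedding it in the script.
$cred  = Get-Credential -UserName $Account -Message "Password for $Account"
$plain = $cred.GetNetworkCredential().Password

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }

# Only StartName/StartPassword are passed; every other setting is left unchanged.
$change = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $Account
    StartPassword = $plain
}
if ($change.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed with return code $($change.ReturnValue)"
}

# Read the configuration back and try to (re)start the service. A failure here with
# error 1069 means the account is not allowed to log on as a service, either because
# it is missing from "Log on as a service" or is listed in "Deny log on as a service".
Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, StartName, StartMode, State
try {
    Restart-Service -Name $ServiceName -ErrorAction Stop
    "Service '$ServiceName' is running as $Account"
} catch {
    Write-Warning "Could not start '$ServiceName': $($_.Exception.Message)"
}
```

One difference from the console matters here: services.msc grants the account the Log On As A Service right as part of the change (that is what the message above reports), whereas Win32_Service.Change, like sc.exe config, only records the account in the service configuration. With the script the account must already hold the right through the policy, otherwise the restart fails with error 1069.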


When using this policy, make sure that the user or group is not also listed in the “Deny log on as a service” policy, which specifies the accounts that are not allowed to run services. If a user is in both Deny log on as a service and Log on as a service, the deny policy takes precedence, and when the service starts a message appears:

Services

Windows could not start the xxxx service on Local Computer.
Error 1069: The service did not start due to a logon failure.


It is advisable to keep the number of user accounts granted the “Log on as a service” right to a minimum.

Cyril Kardashevsky

2 comments

  1. It should really be noted that by creating a GPO, all existing entries in the “Log on as a service” policy will get overwritten with whatever is in the group policy. If you have SQL servers, or other servers that use service accounts that have already installed software/apps, those will be removed in place of what is in your group policy.

    1. Thank you. Literally NO ONE in Enterprise IT understands this about most of the stuff in the User Rights Assignment of Group Policy. I’ve fixed so many outages due to admins setting this via GPO across many servers and overwriting what’s already set in there by x, y, z application that was installed and put accounts in there. Admins just blindly follow along application documentation or posts like this. I’m so tired of it.

      – Angry Sr. Systems Admin LOL
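The overwrite problem raised in the comments, and the deny-policy precedence described in the article, can both be checked before a GPO is applied. The following PowerShell script is an added example (not the article's or the commenters' code): it exports the effective local policy with secedit, resolves the holders of SeServiceLogonRight and SeDenyServiceLogonRight (the internal names of the two policies), and compares them against the accounts the machine's services actually run as. Run it in an elevated session on each server before enforcing the policy centrally; every account it reports can then be added to the GPO instead of being silently dropped.

```powershell
# Added example (not the article's or the commenters' code): before you enforce
# "Log on as a service" through a GPO, record who currently holds the right on the
# server, since the GPO replaces the whole list. Run from an elevated PowerShell.

function Get-ServiceLogonRights {
    # secedit exports the effective policy as an INF file. In its [Privilege Rights]
    # section each right is one line, e.g.
    #   SeServiceLogonRight = *S-1-5-80-0,*S-1-5-83-0,CORP\svc_sql
    # where '*'-prefixed entries are SIDs and the rest are account names.
    $inf = Join-Path $env:TEMP "secpol-$PID.inf"
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try {
        $result = @{}
        foreach ($right in 'SeServiceLogonRight', 'SeDenyServiceLogonRight') {
            $line  = Get-Content $inf | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
            $names = @()
            if ($line) {
                foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
                    $entry = $entry.Trim()
                    if ($entry.StartsWith('*')) {
                        $sid = [System.Security.Principal.SecurityIdentifier]$entry.Substring(1)
                        try   { $names += $sid.Translate([System.Security.Principal.NTAccount]).Value }
                        catch { $names += $entry.Substring(1) }   # unresolvable SID: keep it raw
                    } elseif ($entry) {
                        $names += $entry
                    }
                }
            }
            $result[$right] = $names
        }
        return $result
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
}

$rights  = Get-ServiceLogonRights
$allowed = $rights['SeServiceLogonRight']
$denied  = $rights['SeDenyServiceLogonRight']
"Log on as a service      : $($allowed -join ', ')"
"Deny log on as a service : $($denied  -join ', ')"

# List every service that runs as something other than the built-in service identities
# and flag accounts the deny policy would block (error 1069 on the next start) or that
# are not explicitly granted the right (group membership, or an installer-added entry
# that a GPO omitting it would wipe out).
$builtIn = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -and ($_.StartName -notin $builtIn) } |
    ForEach-Object {
        # services.msc stores local accounts as ".\user"; secedit resolves them as "HOST\user"
        $acct    = $_.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
        $virtual = ($acct -like 'NT SERVICE\*') -and ($allowed -contains 'NT SERVICE\ALL SERVICES')
        [pscustomobject]@{
            Service = $_.Name
            Account = $acct
            Denied  = [bool]($denied -contains $acct)
            Granted = [bool](($allowed -contains $acct) -or $virtual)
        }
    } | Sort-Object Granted, Service | Format-Table -AutoSize
```

Granted is a string comparison against the exported list, so an account that holds the right only through a group it belongs to shows as not granted; treat those rows as a prompt to look at the group, not as a failure. Any row with Denied set to True is a service that will stop starting once the deny policy reaches the machine.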
