How do I configure a user account to have ‘logon as a service’ permissions?

  • Question

  • How do I configure a user account to have ‘logon as a service’ permissions?

    This is for CRM application use and need to enable permission via GPO


    Microsoft TechNet Forum Bandara
    Tuesday, February 15, 2011 11:01 AM

Answers

  • Hi,

     

    It seems that you know the group policy “Log on as a service” can achieve your goal, so I would like to confirm what you want to ask.

     

    If you do not know the path of the group policy “Log on as a service” in the domain, you may expand Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service in GPMC.

     

    Regards,


    Wednesday, February 16, 2011 6:32 AM

All replies

  • And I know how to do it in local GPO
    When installing a service to run under a domain user account, the account must have the right to logon as a service on the local machine. This logon right strictly applies only to the local computer and must be granted in the Local Security Policy.

    Perform the following to edit the Local Security Policy of the computer you want to define the ‘logon as a service’ permission:

    1. Logon to the computer with administrative privileges.
    2. Open the ‘Administrative Tools’ and open the ‘Local Security Policy’.
    3. Expand ‘Local Policy’ and click on ‘User Rights Assignment’.
    4. In the right pane, right-click ‘Log on as a service’ and select Properties.
    5. Click on the ‘Add User or Group…’ button to add the new user.
    6. In the ‘Select Users or Groups’ dialogue, find the user you wish to enter and click ‘OK’.
    7. Click ‘OK’ in the ‘Log on as a service Properties’ to save changes.

    Notes:

    • Ensure that the user which you have added above is not listed in the ‘Deny log on as a service’ policy in the Local Security Policy.


    Microsoft TechNet Forum Bandara
    Tuesday, February 15, 2011 11:04 AM
  • Problem is - if you use this GPO to grant a user the "log on as a service" right, it obliterates all the other accounts that previously had that right when the policy applies.  On next reboot, all kinds of stuff mysteriously doesn't work.

    How useless is that?


    Once more into the breach, dear friends.

    Saturday, May 31, 2014 4:16 AM
  • Hi, Corndog

    Has anyone found a solution for the above yet?

    Thanks

    Tuesday, October 7, 2014 7:49 AM
  • > Problem is - if you use this GPO to grant a user the "log on as a service" right, it obliterates all the other accounts that previously had that right when the policy applies.  On next reboot, all kinds of stuff mysteriously doesn't work.
    >
    > How useless is that?
    >
    > Once more into the breach, dear friends.

    Ditto, corndog!!! I would like to simply "append" a few users or groups to this right... but I cannot find anything. The only other way to give my user the same level of privileges (and unfortunately a whole bunch more) is with domain admin. :(

    Monday, February 22, 2016 8:37 PM
  • >     Problem is - if you use this GPO to grant a user the "log on as a
    >     service" right, it obliterates all the other accounts that
    >     previously had that right when the policy applies.  On next reboot,
    >     all kinds of stuff mysteriously doesn't work.
     
    This is why you do NOT grant privs to users, but to groups. Either
    domain groups or - even easier to manage - local groups.
     
    > Ditto, corndog!!! I would like to simply "append" a few users or groups
    > to this right...
     
    ...and for that purpose, simply add your users and groups to the one
    main group that stands for the assigned priv.
    • Edited by Martin Binder Tuesday, February 23, 2016 4:50 PM ....
    Tuesday, February 23, 2016 4:49 PM
  • Martin,

    Thanks for your response. Unfortunately, I am trying to avoid adding service (user) accounts to Domain Admins just to give them full access to machine, which happens to include logon as a service. 

    When I generate RSOP data for my machine, there are no groups explicitly defined via GPO with the "Log on as a service" right. However, when I look in the Local Security Policy there are a number of local/virtual accounts listed ("NT SERVICE\ALL SERVICES", "NT VIRTUAL MACHINE\Virtual Machines", etc.). Therefore, I must assume that the only AD groups with this permission are builtin privileged groups, which should be avoided like the plague.

    Is there absolutely no way to grant a user or group rights to "logon as a service" to a select number of machines, say, a group of web servers or SQL servers, and not OVERWRITE the default accounts and groups that those machines might natively grant this right to?

    If not, the only remedy for this user (it happens to be the authentication credential for Languard 2015) is to add it to the Domain Admins group, then use GPO to DENY every OTHER right available, to get the same results that myself and so many other users are attempting to achieve.

    FYI, the Languard Support documentation provides that this right should be granted via GPO, which, we learned the hard way, will OVERWRITE all existing users/groups with the right to logon as a service.... Every other service running crashed hard... but Languard worked great!!! ;) 

    http://www.gfi.com/support/products/Error-The-service-did-not-start-due-to-a-logon-failure-when-deploying-patches

    Thanks

    Wednesday, March 9, 2016 11:57 PM
  • > or SQL servers, and not OVERWRITE the default accounts and groups that
    > those machines might natively grant this right to?
     
    Partially... Create a new local group "seLogonServicePrivilege" or
    whatever name you like. Grant this group "Logon as service" - through
    Domain GPO. Make sure in this domain GPO to add all "already present"
    accounts from secpol.msc.
     
    This enables you to simply add new domain users or groups to the local
    group (through group policy preferences "local users and groups").
     
    There definitely is no "completely convenient" way...
     
    If you are capable of german (or google translates well enough):
     
     
    • Proposed as answer by dguirl Wednesday, March 16, 2016 8:56 PM
    Thursday, March 10, 2016 9:46 AM
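    An added example, not from the thread or from Martin's blog: a PowerShell audit that exports the local User Rights Assignment with secedit.exe and resolves who currently holds "Log on as a service" (SeServiceLogonRight) and "Deny log on as a service" (SeDenyServiceLogonRight). It produces the "already present" list to copy into the domain GPO before the GPO replaces it, and covers the Deny check from the first reply; it assumes an elevated session and secedit.exe on the machine.

```powershell
# Added example (not from the thread). Lists the accounts that currently hold the
# "Log on as a service" right and its Deny counterpart on this machine, so the
# list can be reproduced in the domain GPO before the GPO overwrites it.
# Assumptions: run elevated; secedit.exe and a writable %TEMP% are available.
function Get-LogonAsServiceAssignments {
    [CmdletBinding()]
    param(
        # User rights to report; these are the INF constant names secedit uses.
        [string[]]$Rights = @('SeServiceLogonRight', 'SeDenyServiceLogonRight')
    )
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the User Rights Assignment area of the effective local policy.
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
        if (-not (Test-Path $inf)) { throw "secedit export failed (not elevated?)" }
        $lines = Get-Content -Path $inf   # UTF-16 INF; BOM is handled automatically
        foreach ($right in $Rights) {
            $line = $lines | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
            $members = @()
            if ($line) {
                # Values are comma separated; SIDs carry a leading '*', names are literal.
                $members = ($line -split '=', 2)[1] -split ',' |
                    ForEach-Object { $_.Trim() } | Where-Object { $_ } |
                    ForEach-Object {
                        if ($_.StartsWith('*')) {
                            $sid = New-Object System.Security.Principal.SecurityIdentifier($_.Substring(1))
                            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                            catch { $sid.Value }   # orphaned/unresolvable SID: keep the raw SID
                        } else { $_ }
                    }
            }
            [pscustomobject]@{ Right = $right; Accounts = @($members) }
        }
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

# Print both lists and flag accounts that appear in Allow and Deny at once:
# Deny wins, so such an account cannot start services no matter what the GPO grants.
$result = Get-LogonAsServiceAssignments
$allow  = ($result | Where-Object Right -eq 'SeServiceLogonRight').Accounts
$deny   = ($result | Where-Object Right -eq 'SeDenyServiceLogonRight').Accounts
$result | ForEach-Object { "{0}: {1}" -f $_.Right, ($_.Accounts -join ', ') }
$allow | Where-Object { $deny -contains $_ } |
    ForEach-Object { "WARNING: $_ is both allowed and denied; Deny takes precedence" }
```

    On a box that has not yet received the GPO the Allow list is where entries such as NT SERVICE\ALL SERVICES (S-1-5-80-0) and NT VIRTUAL MACHINE\Virtual Machines (S-1-5-83-0) show up; running it again after the GPO applies shows exactly what was replaced.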
  • Martin, thank you for the quick reply. At first glance, your blog post definitely sounds like a possible solution. I will continue to translate and digest, and then test.

    The main thing I'm still worried about is the problem of overwriting (not appending) the locally-provided rights (i.e. NT Service\All Services) when I set the Domain GPO to add the new local group to the "logon as a service" right. If this is only partially successful, then I'll still have to collect all the local users/groups that may be on any machine in the domain and put them in this new local group that I am creating.

    FYI Current testing has shown that I didn't just "burn" the one user account from logon as a service right, but ALL domain accounts, unless the service is configured locally on the server it is intended to run on. I tried to remedy the problem with a new Domain Admin account, assuming domain admins have the right to logon as a service, but it appears it will not work either. 

    I'll let you know if I am successful with your blog post solution, and if so, propose as the answer to the problem. 

    Monday, March 14, 2016 9:25 PM
  • > The main thing i'm still worried about is the problem of overwriting
    > (not appending) the locally-provided rights (i.e. NT Service\All
     
    There's no solution for that problem. If you go with the local group I
    suggested, you still need to craft an "initial" list of accounts that are
    required to logon as service.
     
    But at least, if you finished this, and you need to add new accounts
    afterwards - THIS gets done really easy then.
     
     
    Tuesday, March 15, 2016 8:58 AM
  • Martin,

    I am happy to report that preliminary testing is successful! I have created the GPO as per your instructions in your blog, and was able to add three "NT Authority" accounts into the local group: SYSTEM, NETWORK SERVICE, and LOCAL SERVICE. I also added a Domain group ("Domain LogonAsService") as a member of the local group. 

    My initial test to 10 machines proved that the local security policy was updated from containing "NT Authority\ALL SERVICES" to now only including "LogonAsService" (the new local group).

    I am now pushing the GPO to roughly 60 machines, and they are working fine. 

    My next test is to push this to some machines that have some local services like SQL test machines and Hyper-V hosts. My only remaining concern is whether I'm "missing" anything that might be included in "NT Authority\ALL SERVICES" other than the Network Service and Local Service accounts. Only time (and testing) will tell.

    Anyway, THANKS AGAIN! 

    Wednesday, March 16, 2016 8:55 PM
  • Good show, chap!
    Sunday, January 22, 2017 1:14 AM
  • Awesome, this works!

    In short, my SQL Server services were all using "NT Service\{service}" accounts.  I added these to local group "LocalSQLServices" on the SQL Server system and granted 'Log on as a service' rights to "LocalSQLServices" in the domain's security policy.  ("LocalSQLServices" was my choice - the name doesn't actually matter.) There was no need to specify the SQL Server's host name in the domain policy (you can't anyway, it seems).

    Thank you for helping me get my systems working again!

    Monday, July 24, 2017 3:33 PM
  • > > or SQL servers, and not OVERWRITE the default accounts and groups that
    > > those machines might natively grant this right to?
    >
    > Partially... Create a new local group "seLogonServicePrivilege" or
    > whatever name you like. Grant this group "Logon as service" - through
    > Domain GPO. Make sure in this domain GPO to add all "already present"
    > accounts from secpol.msc.
    >
    > This enables you to simply add new domain users or groups to the local
    > group (through group policy preferences "local users and groups").
    >
    > There definitely is no "completely convenient" way...
    >
    > If you are capable of german (or google translates well enough):

    NTRights.exe from the Windows Server 2003 Admin Tools still works fine and can append the list of users already existing in "Logon as service" or any other user right for that matter.
    Wednesday, January 2, 2019 2:28 PM