Minimum rights required to run a windows service as a domain account

Question

Does anyone know what would be the minimum rights I would need to grant to a domain user account in order to run a windows service as that user   For simplicity  assume that the service does nothing over and above starting  stopping  and writing to the  Application  event log - i e  no network access  no custom event logs etc   I know I could use the built in Service and NetworkService accounts  but it s possible that I may not be able to use these due to network policies in place

User · Answer

I do know that the account needs to have  Log on as a Service  privileges   Other than that  I m not sure   A quick reference to Log on as a Service can be found here  and there is a lot of information of specific privileges here

User · Answer

Two ways    Edit the properties of the service and set the Log On user   The appropriate right will be automatically assigned  Set it manually  Go to Administrative Tools -  Local Security Policy -  Local Policies -  User Rights Assignment   Edit the item  Log on as a service  and add your domain user there

User · Answer

Thanks for the links  Chris   I ve often wondered about the specific effects of privileges like  BypassTraverseChecking  but never bothered to look them up   I was having interesting problems getting a service to run and discovered that it didn t have access to it s files after the initial installation had been done by the administrator   I was thinking it needed something in addition to Logon As A Service until I found the file issue    Disabled simple file sharing  Temporarily made my service account an administrator  Used the service account to take ownership of the files  Remove service account from the administrators group  Reboot    During Take Ownership  it was necessary to disable inheritance of permissions from the parent directories and apply permissions recursively down the tree   Wasn t able to find a  give ownership  option to avoid making the service account an administrator temporarily  though     Anyway  thought I d post this in case anyone else was going down the same road I was looking for security policy issues when it was really just filesystem rights

User · Answer

I do know that the account needs to have  Log on as a Service  privileges   Other than that  I m not sure   A quick reference to Log on as a Service can be found here  and there is a lot of information of specific privileges here

User · Answer

BypassTraverseChecking  means that you can directly access any deep-level subdirectory even if you don t have all the intermediary access privileges to directories in between  i e  all directories above it towards root level

User · Answer

Two ways    Edit the properties of the service and set the Log On user   The appropriate right will be automatically assigned  Set it manually  Go to Administrative Tools -  Local Security Policy -  Local Policies -  User Rights Assignment   Edit the item  Log on as a service  and add your domain user there

User · Answer

Thanks for the links  Chris   I ve often wondered about the specific effects of privileges like  BypassTraverseChecking  but never bothered to look them up   I was having interesting problems getting a service to run and discovered that it didn t have access to it s files after the initial installation had been done by the administrator   I was thinking it needed something in addition to Logon As A Service until I found the file issue    Disabled simple file sharing  Temporarily made my service account an administrator  Used the service account to take ownership of the files  Remove service account from the administrators group  Reboot    During Take Ownership  it was necessary to disable inheritance of permissions from the parent directories and apply permissions recursively down the tree   Wasn t able to find a  give ownership  option to avoid making the service account an administrator temporarily  though     Anyway  thought I d post this in case anyone else was going down the same road I was looking for security policy issues when it was really just filesystem rights

User · Answer

Two ways    Edit the properties of the service and set the Log On user   The appropriate right will be automatically assigned  Set it manually  Go to Administrative Tools -  Local Security Policy -  Local Policies -  User Rights Assignment   Edit the item  Log on as a service  and add your domain user there

User · Answer

BypassTraverseChecking  means that you can directly access any deep-level subdirectory even if you don t have all the intermediary access privileges to directories in between  i e  all directories above it towards root level

User · Answer

Two ways    Edit the properties of the service and set the Log On user   The appropriate right will be automatically assigned  Set it manually  Go to Administrative Tools -  Local Security Policy -  Local Policies -  User Rights Assignment   Edit the item  Log on as a service  and add your domain user there

User · Answer

I do know that the account needs to have  Log on as a Service  privileges   Other than that  I m not sure   A quick reference to Log on as a Service can be found here  and there is a lot of information of specific privileges here

User · Answer

I do know that the account needs to have  Log on as a Service  privileges   Other than that  I m not sure   A quick reference to Log on as a Service can be found here  and there is a lot of information of specific privileges here

[windows-services] Minimum rights required to run a windows service as a domain account

Examples related to windows-services

Examples related to permissions

Examples related to rights