[windows-services] Minimum rights required to run a windows service as a domain account

Does anyone know what would be the minimum rights I would need to grant to a domain user account in order to run a windows service as that user?

For simplicity, assume that the service does nothing over and above starting, stopping, and writing to the "Application" event log - i.e. no network access, no custom event logs etc.

I know I could use the built in Service and NetworkService accounts, but it's possible that I may not be able to use these due to network policies in place.

Tags: windows-services, permissions, rights

Answers:


Two ways:

  1. Edit the properties of the service and set the Log On user. The appropriate right will be automatically assigned.

  2. Set it manually: Go to Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment. Edit the item "Log on as a service" and add your domain user there.
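The same two steps as a script, added here as an example rather than taken from the answer above. It assumes a service named MyService and a domain account CONTOSO\svc-myservice (both placeholders), and it runs from an elevated prompt on the host. Because sc.exe config sets the logon account without granting the "Log on as a service" right the way the Services MMC does, the right (SeServiceLogonRight) is granted explicitly with secedit; the event source for the Application log is registered by the administrator at install time, since the service account itself has no right to create one.

```powershell
# Added example (not part of the original answer). Placeholders: 'MyService' and
# 'CONTOSO\svc-myservice'. Run from an elevated PowerShell prompt on the service host.
$ServiceName = 'MyService'              # placeholder service name
$Account     = 'CONTOSO\svc-myservice'  # placeholder domain account

# 1. Point the service at the domain account. sc.exe does not assign the
#    "Log on as a service" right for you, so step 2 grants it explicitly.
$cred  = Get-Credential -UserName $Account -Message 'Service account password'
$plain = $cred.GetNetworkCredential().Password
sc.exe config $ServiceName obj= $Account password= $plain
$plain = $null

# 2. Grant SeServiceLogonRight through the local security policy (secedit).
#    secedit stores rights as *SID entries, so resolve the account to its SID first.
$sid = [System.Security.Principal.NTAccount]::new($Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'user-rights.inf'
$db  = Join-Path $env:TEMP 'user-rights.sdb'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$key   = 'SeServiceLogonRight'
$lines = Get-Content $cfg
if ($lines -match "^$key\s*=") {
    # Right already assigned to someone: append the SID if it is not listed yet.
    $lines = $lines | ForEach-Object {
        if ($_ -match "^$key\s*=" -and $_ -notmatch [regex]::Escape($sid)) { "$_,*$sid" } else { $_ }
    }
} else {
    # Nobody holds the right yet: add the assignment under [Privilege Rights].
    $lines = $lines | ForEach-Object { $_; if ($_ -eq '[Privilege Rights]') { "$key = *$sid" } }
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode   # secedit templates are UTF-16
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
Remove-Item $cfg, $db -ErrorAction SilentlyContinue

# 3. Register the Application event log source now, as the administrator.
#    Creating a source writes under HKLM, which the service account cannot do.
if (-not [System.Diagnostics.EventLog]::SourceExists($ServiceName)) {
    New-EventLog -LogName Application -Source $ServiceName
}

# 4. Verify: the exported policy lists the SID, and the service starts under the account.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
(Get-Content $cfg) -match "^$key\s*="
Remove-Item $cfg -ErrorAction SilentlyContinue
Start-Service -Name $ServiceName
Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" | Select-Object Name, StartName, State
```

If the service fails to start with error 1069 after this, the usual cause is a wrong password or a policy that overrides the local "Log on as a service" assignment through a GPO; re-exporting the policy shows which SIDs actually hold the right.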


I do know that the account needs to have "Log on as a Service" privileges. Other than that, I'm not sure. A quick reference to Log on as a Service can be found here, and there is a lot of information of specific privileges here.


"BypassTraverseChecking" means that you can directly access any deep-level subdirectory even if you don't have all the intermediary access privileges to directories in between, i.e. all directories above it towards root level.




Thanks for the links, Chris. I've often wondered about the specific effects of privileges like "BypassTraverseChecking" but never bothered to look them up.

I was having interesting problems getting a service to run and discovered that it didn't have access to its files after the initial installation had been done by the administrator. I was thinking it needed something in addition to Logon As A Service until I found the file issue.

  1. Disabled simple file sharing.
  2. Temporarily made my service account an administrator.
  3. Used the service account to take ownership of the files.
  4. Removed service account from the administrators group.
  5. Reboot.

During Take Ownership, it was necessary to disable inheritance of permissions from the parent directories and apply permissions recursively down the tree.

Wasn't able to find a "give ownership" option to avoid making the service account an administrator temporarily, though.

Anyway, thought I'd post this in case anyone else was going down the same road I was, looking for security policy issues when it was really just filesystem rights.
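The filesystem side of the same problem, as an added PowerShell example that is not part of the answer above. It assumes the binaries live in C:\Services\MyService, the writable data in C:\Services\MyService\data, and the account is CONTOSO\svc-myservice (all placeholders). Instead of temporarily making the service account an administrator and taking ownership, the installing administrator grants the account only the rights it needs: read and execute on the binaries, modify on the data directory. Ownership can also be assigned directly with icacls /setowner, which is the "give ownership" option the answer was looking for.

```powershell
# Added example (not part of the original answer). Placeholders: paths and account.
# Run from an elevated prompt as the administrator who installed the service.
$Account = 'CONTOSO\svc-myservice'      # placeholder domain account
$Root    = 'C:\Services\MyService'      # placeholder: service binaries
$Data    = Join-Path $Root 'data'       # placeholder: the only writable location

function Grant-ServiceAccess {
    param(
        [string]$Path,
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [switch]$BreakInheritance   # stop inheriting from the parent, as the answer had to
    )
    $acl = Get-Acl -Path $Path
    if ($BreakInheritance) {
        # Keep the currently inherited entries as explicit ones, then stop inheriting.
        $acl.SetAccessRuleProtection($true, $true)
    }
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Binaries: read and execute only. The account must not be able to replace its
# own executable, so no Write or Modify on the root.
Grant-ServiceAccess -Path $Root -Identity $Account -Rights ReadAndExecute -BreakInheritance

# Data directory: the single place the service is allowed to write.
New-Item -ItemType Directory -Path $Data -Force | Out-Null
Grant-ServiceAccess -Path $Data -Identity $Account -Rights Modify

# Optional: hand ownership of the data tree to the account without any group change.
# icacls $Data /setowner $Account /T

# Verify: list the entries that apply to the account on each path.
icacls $Root | Select-String -SimpleMatch $Account
icacls $Data | Select-String -SimpleMatch $Account
```

Keeping the administrator as owner of the binaries and granting the service account only ReadAndExecute there means a compromise of the service cannot be turned into a persistent change of its own executable; the data directory is where Modify belongs.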

