
Minimum rights required to run a Windows service as a domain account [closed]

Does anyone know what would be the minimum rights I would need to grant to a domain user account in order to run a Windows service as that user?

For simplicity, assume that the service does nothing over and above starting, stopping, and writing to the "Application" event log - i.e. no network access, no custom event logs etc.

I know I could use the built-in Service and NetworkService accounts, but it's possible that I may not be able to use these due to network policies in place.

Paul Nearney asked Oct 07 '08 14:10


People also ask

How do I start Windows service without admin rights?

Set it manually: Go to Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment. Edit the item "Log on as a service" and add your domain user there. Also you can use Service Security Editor for a GUI to configure all services.

Should service accounts have admin rights?

While a service account rarely requires Domain Admin level rights, they often are over-privileged as an easy way to overcome any potentially unforeseen operation challenges that may impact service continuity.

What account do Windows services run under?

The default user account on Windows under which services install is the "Local System" account. This account is fine for many Agent tasks, but there are some tasks that you might want to perform with your Agent that need different permissions than the Local System account has.

How do I check Windows service permissions?

To see the Service permissions you can use the "sc" command from a Windows command-line prompt. To compare permissions for a particular Service, run it on two systems.


2 Answers

Two ways:

  1. Edit the properties of the service and set the Log On user. The appropriate right will be automatically assigned.

  2. Set it manually: Go to Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment. Edit the item "Log on as a service" and add your domain user there.

spoulson answered Sep 19 '22 08:09


I do know that the account needs to have "Log on as a Service" privileges. Other than that, I'm not sure. A quick reference to Log on as a Service can be found here, and there is a lot of information on specific privileges here.

Chris Marasti-Georg answered Sep 21 '22 08:09
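A read-only check of the "Log on as a service" right that both answers name, as an added example that is not part of the original answers: it exports the local User Rights Assignment with `secedit` and reports which rights are assigned directly to the account. The account name `CONTOSO\svc-example` is a placeholder, and rights inherited through group membership are not shown.

```powershell
# Added example: list the user rights assigned directly to a service account
# on this machine. Run from an elevated PowerShell prompt.
# 'CONTOSO\svc-example' is a placeholder; pass the real account with -Account.
param(
    [string]$Account = 'CONTOSO\svc-example'
)

# Resolve the account to its SID; secedit writes resolved principals as *<SID>.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export only the User Rights Assignment area of the local security policy.
$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

try {
    $held = foreach ($line in Get-Content -Path $cfg) {
        # Lines look like: SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $right = $Matches[1]
            $principals = $Matches[2].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') }
            # Match on SID, or on the plain name secedit emits for unresolved entries.
            if ($principals -contains $sid -or $principals -contains $Account) { $right }
        }
    }
}
finally {
    # The export contains policy details; do not leave it in the temp folder.
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}

# Only direct assignments are reported; rights granted to groups the account
# belongs to (for example Users or Administrators) are not expanded here.
[pscustomobject]@{
    Account              = $Account
    Sid                  = $sid
    HasLogOnAsService    = $held -contains 'SeServiceLogonRight'
    DeniedLogOnAsService = $held -contains 'SeDenyServiceLogonRight'
    DirectlyAssigned     = @($held)
}
```

For a least-privilege service account, `DirectlyAssigned` should contain `SeServiceLogonRight` and nothing the service does not need; a deny entry overrides the grant.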