Run a Windows Service with a Non-Admin User Account

PowerADM.com / Windows / Run a Windows Service with a Non-Admin User Account

In order to safely run third-party services in Windows, you can use a user account that doesn’t have local administrator permissions. To do this, you must change the local security policy settings to allow the user to log on as a service.

By default, Windows services run in the context of a privileged account (System, Local Service, or Network Service). To limit the service’s permissions, you can configure it to run as a regular (non-admin) user.

To change the user account under which a service runs, use the Services Management Console (services.msc).

    1. Start the console, locate the required service, and open its properties
    2. Go to the Log On tab. By default, the service runs as a Local System.
    3. To run the service as a user, select the This account option and specify the account name and password. Run Windows service a Windows user
    4. A message appears when you save the settings:

The account svc_user1 has been granted the Log On As A Service right.

The account svc_user1 has been granted the Log On As A Service right

Windows has automatically granted this user permission to run a service. To check this, open the Local GPO Editor (gpedit.msc).

Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment and find the Log on as a service option.

GPO option: Log on as a service

This policy allows certain user accounts to run a process on their behalf as a Windows service. When such a process starts, it registers itself as a service. The user does not need to be logged on locally.

As you can see, the user has been added to this local security policy.

You can grant permission to other users or groups to start services. Click the Add User or Group button and specify the user/group name.

To update GPO settings, run the command:

gpupdate /force

There is also a policy to deny services from running on behalf of specific users or groups. This policy is located in the same GPO section and is called Deny log on as a service. The deny policy has a higher priority. Therefore, if you add a user to both the Deny Logon as Service and Logon as Service policies, that user cannot be used to run the service as. Deny log on as a service

To grant the Logon as a service right from the command prompt, you can use the ntrights.exe tool (part of the Windows Server 2003 Resource Kit). It is available for download from the link in the WebArchive.

After installing the Resource Kit, you can grant the user permission to run services by using the command

ntrights.exe +r SeServiceLogonRight -u RESLAB\svc_user1

This adds the user account to the local security policy.

To remove user privileges:

ntrights.exe -r SeServiceLogonRight -u RESLAB\svc_user1

Running services with non-privileged user rights can improve Windows security and stability. Obviously, you need to minimize the number of accounts that you grant Logon as service privileges to.

Leave a Reply

Your email address will not be published. Required fields are marked *