Cry How To...


How to grant log-on-as-a-service


How you grant log-on-as-a-service depends on whether it is for a standalone computer or for a computer which is part of a Windows domain (which includes the domain servers themselves).


How to grant log-on-as-a-service on a single local computer

This procedure will allow you to grant log-on-as-a-service to an account (or group) which will run on a single computer - be it a standalone computer or one which is part of a domain.

To grant an account log-on-as-a-service on a single computer:

  1. Log into the computer using an account with local administrative rights.
  2. Start > Run > secpol.msc
    secpol.msc will open up the Local security policy for the pc. You will need to OK the confirmation from User Account Control for it to open.
  3. In the Local Security Policy dialog, expand Local Policies and then select User Rights Assignment.
  4. In the right hand pane, scroll down to Log on as a service, and double click it to open its properties. This will show you a list of all the accounts which are able to log-on-as-a-service.
  5. Click [Add User or Group...], and you can then use the dialog which opens to select a user or group to which you want to grant log-on-as-a-service.

    This option is greyed out on Domain Controllers. For these instead look at using the local group policy (below).

  6. Don't forget to [OK] to close the "Log on as a service Properties" once you have added the user.

How to grant log-on-as-a-service via local group policy

This procedure will allow you to grant log-on-as-a-service to an account (or group) using the local group policy.

  1. Start > Run > gpedit.msc
    gpedit.msc will open up the Local Group Policy Editor. You will need to OK the confirmation from User Account Control for it to open.

    You can edit the Local Group Policy for another computer on the network. To do this don't use gpedit.msc but instead run mmc (to open up the Microsoft Management Console), then File > Add/Remove Snap-in ... > Highlight Group Policy Object Editor > Click [Add >] and at that point you can select whether you want to edit the group policy object for the local computer or browse for another computer. The rest of the steps below are then the same.

  2. Navigate to:
    >Local Computer Policy
     > Computer Configuration
      > Windows Settings
       > Security Settings
        > Local Policies
         > User Rights Assignment
  3. In the right hand pane, scroll down to Log on as a service, and double click it to open its properties. This will show you a list of all the accounts which are able to log-on-as-a-service.
  4. Click [Add User or Group...], and you can then use the dialog which opens to select a user or group to which you want to grant log-on-as-a-service.
  5. Don't forget to [OK] to close the "Log on as a service Properties" once you have added the user.

How to grant log-on-as-a-service on a domain controller

To grant log-on-as-a-service on a domain controller, it must be granted by the default domain controller Group Policy Management:

  1. Start > Run > gpmc.msc
    This will open up the Group Policy Management console.
  2. Navigate down to:
    > Group Policy Management
     > Forest: your-domain-forest
      > Domains
       > your-domain
        > Group Policy Objects
  3. In the right hand pane, right click on "Default Domain Controllers Policy" and select "Edit"; this will open up the Group Policy Management Editor. (Don't click it as this will not open up the GPO editor.)
  4. Navigate to:
    > Default Domain Controllers Policy
     > Computer Configuration
      > Policies
       > Windows Settings
        > Security Settings
         > Local Policies
          > User Rights Assignment
  5. In the right hand pane, scroll down to Log on as a service, and double click it to open its properties. This will show you a list of all the accounts which are able to log-on-as-a-service.
  6. Click [Add User or Group...], and you can then use the dialog which opens to select a user or group to which you want to grant log-on-as-a-service.
  7. Don't forget to [OK] to close the "Log on as a service Properties" once you have added the user.

Be aware that this will grant log-on-as-a-service on all domain controllers.
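
To check the result of any of the procedures above, and to review which accounts hold the right at all, the following added example (not part of the original notes) exports the computer's user rights with secedit.exe and lists the holders of SeServiceLogonRight, the internal name of "Log on as a service". It assumes PowerShell 3.0 or later and an elevated prompt; the function name Get-ServiceLogonRightHolder and the account CONTOSO\svc_example are hypothetical.

```powershell
# Added example: list the accounts that hold "Log on as a service" on this computer.
# Run from an elevated PowerShell prompt; secedit.exe ships with Windows.
function Get-ServiceLogonRightHolder {
    $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the User Rights Assignment area of this computer's security policy.
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

        # The right appears as one line: SeServiceLogonRight = *S-1-5-80-0,someaccount,...
        $line = Get-Content -Path $cfg | Where-Object { $_ -match '^\s*SeServiceLogonRight\s*=' }
        if (-not $line) { return @() }   # no line means no account holds the right

        foreach ($entry in ($line -split '=', 2)[1] -split ',') {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            if ($entry.StartsWith('*')) {
                # Entries prefixed with * are SIDs; try to resolve them to account names.
                $sid = $entry.TrimStart('*')
                try {
                    $sidObject = New-Object System.Security.Principal.SecurityIdentifier($sid)
                    $name = $sidObject.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    # A SID that no longer resolves usually belongs to a deleted account.
                    $name = '(unresolved SID)'
                }
                [pscustomobject]@{ Sid = $sid; Account = $name }
            } else {
                [pscustomobject]@{ Sid = $null; Account = $entry }
            }
        }
    } finally {
        # The export lists privileged accounts, so do not leave it in the temp folder.
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

# Hypothetical account name, used only for illustration.
$expected = 'CONTOSO\svc_example'
$holders = Get-ServiceLogonRightHolder
$holders | Format-Table -AutoSize
if ($holders.Account -contains $expected) {
    "$expected holds Log on as a service"
} else {
    "$expected does NOT hold Log on as a service"
}
```

Entries that show as unresolved SIDs, or accounts that no longer run any service, are candidates for removal from the list.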


These notes have been tested with Windows 2008 and Windows Vista.



About the author: is a dedicated software developer and webmaster. For his day job he develops websites and desktop applications as well as providing IT services. He moonlights as a technical author and consultant.