In a typical directory-enabled service, this means the service installer should create a domain user account for the service and grant that account the specific access rights and privileges required by the service at run time. A service should only run under the LocalSystem account if the service requires administrative privileges or must act as part of the operating system on the local computer.
Be aware that the service installer should, by default, set up the service to run under a domain user account. To run the service under the LocalSystem account, the service installer should query the administrator for permission to do so. For more information about descriptions, advantages, and disadvantages of each account type, see:. Ultimately, administrators on the system where the service is installed have control over the service's logon account.
For security reasons, some administrators may not allow you to install your service under the LocalSystem account. Your service must be able to run under a domain user account. As a programmer, you can exercise some control over your service's logon account.
Your service installer specifies the service's logon account when it calls the CreateService function to install the service on a host computer. Your installer can suggest a default logon account, but it should allow an administrator to specify the actual account. After a service is installed, there are maintenance tasks that relate to your service logon account.
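The installer behavior described above, sketched as an added PowerShell example (not code from the original documentation): it suggests a domain user account, lets the administrator override it, and uses LocalSystem only after explicit confirmation. The function name `Install-ExampleService` and the account `CONTOSO\svc-example` are hypothetical; run it from an elevated session.

```powershell
# Added example. Install-ExampleService and CONTOSO\svc-example are
# hypothetical names used for illustration only.
function Install-ExampleService {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $BinaryPath,
        # Default logon account the installer suggests; the administrator can override it.
        [string] $SuggestedAccount = 'CONTOSO\svc-example',
        # LocalSystem is never the silent default; it must be requested.
        [switch] $UseLocalSystem
    )

    if ($UseLocalSystem) {
        # Query the administrator for permission before installing under LocalSystem.
        $answer = Read-Host "Run '$Name' as LocalSystem? Type YES to confirm"
        if ($answer -cne 'YES') {
            throw 'LocalSystem was not approved; installation cancelled.'
        }
        # New-Service without -Credential registers the service under LocalSystem.
        New-Service -Name $Name -BinaryPathName $BinaryPath -StartupType Manual | Out-Null
    }
    else {
        # Offer the suggested account, but accept whatever the administrator enters.
        $account = Read-Host "Logon account for '$Name' [$SuggestedAccount]"
        if ([string]::IsNullOrWhiteSpace($account)) { $account = $SuggestedAccount }
        $cred = Get-Credential -UserName $account -Message "Password for $account"

        # The account also needs the "Log on as a service" user right;
        # this helper does not grant it.
        New-Service -Name $Name -BinaryPathName $BinaryPath `
                    -Credential $cred -StartupType Manual | Out-Null
    }

    # Report the logon account the Service Control Manager actually recorded.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    [pscustomobject]@{ Name = $svc.Name; LogonAccount = $svc.StartName }
}
```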
This article describes the recommended practices, location, values, policy management, and security considerations for the Log on as a service security policy setting. This policy setting determines which service accounts can register a process as a service.
Running a process under a service account circumvents the need for human intervention. By default this setting is Network Service on domain controllers and Network Service on stand-alone servers. The following table lists the actual and effective default policy values.
The policy's property page also lists default values. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. The policy setting Deny logon as a service supersedes this policy setting if a user account is subject to both policies.
Group Policy settings are applied in the following order, which will overwrite settings on the local device at the next Group Policy update:.