Allow local user to run as service

Posted on 2009-05-01
Last Modified: 2012-05-06
One of my services, an IpSwitch WS_FTP Server and SSH server both have services that have not been restarting correctly.  I have traced it down to being the sort of error that is being caused by group policy refreshing.

Those two services depend on the PostgreSQL service to be running, under the same user account.

That user account is a local account on the server, so after a reboot, the services do not start (although set to automatic).  If I go to the properties and type in the local user account and password, then I get the message saying "User" has been granted the log on as service right.

The problem is everytime the server reboots or group policy refreshes, I have to manually start those services.

How do I set this up correctly so the server always knows to allow this local user to start a service?

Question by:ITDeptAtPCS
    LVL 15

    Accepted Solution

    Change it to a domain account, instead of a local account, and then give it the right to logon as a service in a group policy that covers the server.

    If you're concerned about the account being used on other server, then set the account in AD so that it's only allowed to logon on the server that it's running the services.
    LVL 31

    Assisted Solution

    by:Henrik Johansson
    This is a GPO issue. When entering the user/password, the user right is granted, but will as noticed be reset next time the server is rebooted.

    Create or edit GPO linked to OU with the server.
    When editing the GPO, browse down to 'Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment'
    Configure the 'Log on as service' and add the users/groups that shall be granted the right. Keep in mind that the policy setting is overriding the setting configured in other GPOs from higher level in OU-structure, so any granted user/group from the other GPO nead to be re-entered if they shall keep the right.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Enabling OSINT in Activity Based Intelligence

    Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

    Suggested Solutions

    On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
    ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
    This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

    760 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    8 Experts available now in Live!

    Get 1:1 Help Now