I am trying to use an Active Directory GPO to restrict the ability for users to stop a Windows System service. The Windows service currently runs under the LOCAL SYSTEM account. In the GPO setting for the service under the Security configuration I have allowed the SYSTEM builtin group account Full permissions and INTERACTIVE builtin group account Read permissions. The service is set to "Automatic" startup. However, now the service no longer starts on the users' computers and if they try to start the service they receive an "Access Denied" error message, which is expected since I've removed their ability to start or stop the service themselves. However, I still need the service to start automatically under the Local System account. What permissions am I missing from the GPO?