
Logon As A Service

NOTE: Changes made on a Domain Controller may take some time to replicate to the other domain controllers in your network. You may also need to log out and log in again. First run gpupdate /force from an elevated command prompt on the Windows Server to force a policy refresh.

Nodinite has many Windows Services that you install on one or more servers in one or more instances.

Depending on the features provided by these Nodinite services, different access rights are required on involved Windows Servers, databases and queues to name a few. On this page, you will learn about what least privilege is required for any Windows Service to run on a Windows Server.

Many Nodinite services use TCP port 8000, and you must ensure this port is open for traffic.

Stay secure with least privileges

We, the people behind Nodinite, have designed most of our Monitoring Agents to run with minimum permissions (least privilege) in mind.

  • Each Windows Service can run under the same account, or you can use a different account for each installed instance
    • Separate accounts mean additional administration
    • Separate accounts mean you can fine-tune permissions per instance as needed
  • Some Monitoring Agents require the account to be a member of the local Administrators group. Review the prerequisites page for each agent to learn about its required access rights
  • Use dedicated service accounts, NOT accounts assigned to and used by physical persons
  • Make sure the service accounts have the 'Password never expires' policy set
  • Document the accounts and passwords in your safe and secured shared password manager

What are the minimum user permissions required to install a Windows service?

You must be a Local Administrator to install the Nodinite Windows Services.

Only processes with Administrative privileges can open handles to the SCM (Service Control Manager) that can be used by the CreateService and LockServiceDatabase functions (see the following MSDN 'Service Security and Access Rights' article for details).

What are the minimum user permissions required to run a Windows service?

The minimum user permission required to run a Windows service is the 'Log on as a service' right, which is a local policy set by a Local Administrator at the server level, or at the domain level using group policies.

This security setting allows a security principal to Log on as a service. Windows Services can be configured to run under the Local System, Local Service, or Network Service accounts, which have a built-in right to log on as a service. Any service that runs under a different user account must be assigned the Log on as a service right.

Note: The default setting in Windows is None (!). This means the account needs to be either a Local Administrator or be assigned this right manually.

How to add a service account to a local policy

  1. Open Administrative Tools in Control Panel

  2. Open Local Security Policy

  3. Add the account to use for the policy 'Log on as a service'. If the account is already in use, it must log on again (or the service must be restarted) to receive the new set of privileges.

Nodinite Service Accounts are used for:

Note: The AppPool accounts are not required to be members of the local Administrators group. If the accounts used are not Local Administrators, add them to the IIS_IUSRS group instead and make sure the accounts have 'Read/Change/Write' permissions on all installed Web Application folders.

Local Administrator

This section gives step-by-step guidance on how to add an account to the local Administrators group on a Windows Server. The steps may need to be repeated on all Windows Servers hosting Nodinite Core Services, as well as on those hosting Monitoring Agents that require elevated privileges.

  1. Open the Server Manager
  2. Click Tools in the top-right corner of Server Manager and then select Computer Management
  3. Expand Local Users and Groups and select Groups. Double-click the Administrators group
  4. Add the AD service accounts that should be members of the highly privileged local Administrators group
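As an added example that is not Nodinite's own tooling, the following PowerShell audits every service on the local server that runs under a custom account and reports whether that account holds the 'Log on as a service' right (granted directly, as described in the local policy steps above) and whether it is a member of the local Administrators group (the group the steps above add accounts to). It assumes an elevated session on a Windows Server that has secedit.exe and the Microsoft.PowerShell.LocalAccounts module available.

```powershell
# Added example, not part of the Nodinite documentation or product.
# Audits services running under custom accounts against least-privilege
# expectations: do they hold SeServiceLogonRight, and are they local admins?
# Assumes: elevated PowerShell, secedit.exe, Get-LocalGroupMember available.

$builtIn = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'

function ConvertTo-Sid([string]$account) {
    # Translate 'DOMAIN\user' (or '.\user') to a SID string; $null if unresolvable.
    $acct = $account -replace '^\.\\', "$env:COMPUTERNAME\"
    try {
        (New-Object System.Security.Principal.NTAccount($acct)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }
}

# secedit is the built-in way to read the effective user-rights assignment.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg -Encoding Unicode | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

# Entries are '*S-1-5-...' SIDs or plain names; normalise everything to SIDs.
$grantedSids = @()
if ($line) {
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $e = $entry.Trim()
        if ($e.StartsWith('*')) { $grantedSids += $e.Substring(1) }
        elseif ($e) { $sid = ConvertTo-Sid $e; if ($sid) { $grantedSids += $sid } }
    }
}

$adminSids = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).SID.Value

Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -and ($builtIn -notcontains $_.StartName) } |
    ForEach-Object {
        $sid = ConvertTo-Sid $_.StartName
        [pscustomobject]@{
            Service       = $_.Name
            Account       = $_.StartName
            # Direct grant only; a grant inherited via group membership is not detected.
            HasLogonRight = [bool]($sid -and ($grantedSids -contains $sid))
            LocalAdmin    = [bool]($sid -and ($adminSids -contains $sid))
        }
    } | Format-Table -AutoSize
```

A service showing LocalAdmin = True should correspond to an agent whose prerequisites page actually requires elevated rights; HasLogonRight = False for a running service usually means the right is granted through a group rather than directly.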

Add Service Account on Domain Controller

You need to be a member of the Domain Admins group to add AD accounts to the local Administrators group on the Domain Controller.

If you need to work on the Domain Controller, you will not find Local Users and Groups in 'Computer Management'. To add an account to the local Administrators group on the domain controller machine, open Active Directory Users and Computers, or execute the following command from an administrative command prompt:

  net localgroup Administrators /add {domain}\{user}

Replace {domain}\{user} with the account to be added (without the brackets).

WARNING: On a Domain Controller, adding a service or user account to the local Administrators group grants the account permission to make changes in your Active Directory environment, not just on the local server.

Add Service Account on Read Only Domain Controller (RODC)

If your Domain Controller is installed as a Read-Only Domain Controller, you must follow the steps outlined here in order to grant the service account(s) local admin rights.


Next Step

Troubleshooting
Install Nodinite