How do I specify NetworkService or LocalService for a Windows Service on a Domain Controller?
This question is a not duplicate of these existing questions:
AUTHORITYNetworkService does not exist (question is for Windows Server 2003
How can I run a process as "NT AuthorityNetworkService"? (this is a scripting question)
https://stackoverflow.com/questions/34966029/adding-permissions-for-nt-authority-networkservice (this is about adding anNT AUTHORITY
principal to an ACL, not selecting a principal in the Find User GUI)
I have a Windows Service configured on different computers:
- A workstation (non-domain) computer (running Windows 10)
- A workstation (non-domain) Windows Server (running Windows Server 2016)
- A domain workstation (running Windows 10)
- A domain member server (running Windows Server 2016)
- A domain controller (running Windows Server 2016)
Domain-joined computers and member servers:
In all computers except the domain controller, the services.msc
> Service Properties > Log On property sheet's "Select User" pop-up lets me select the NT AUTHORITY
built-in principals NETWORK SERVICE
and LOCAL SERVICE
(aka NT AUTHORITYNetworkService
and NT AUTHORITYLocalService
).
If I ignore the Search Users window and just type "network service
" into the Select User window and click "Check Names" then it's correctly resolved to NETWORK SERVICE
:
Domain Controllers:
However, on this Windows Server 2016 domain controller, the Select User popup does not let me specify any local computer name (which makes sense: the local computer's security system becomes the domain security system).
...which means it's not possible to resolve, search for or select NETWORK SERVICE
or LOCAL SERVICE
:
When I type it in directly into the Log On tab then I get this error:
The account name is invalid or does not exist, or the password is invalid for the account name specified.
I note that on a domain controller, the "Select User or Service Account" window only lets me select either "Service Accounts" or "Users" and not "Built-in security principals".
Domain-joined workstation or member-server:
Domain controller (Windows Server 2012 R2, but it's the same on 2016):
I know I can set the Service Logon Account by using sc config
or editing the registry manually (or by typing "Local Service
" or "Network Service
" into the "This account:" textbox) but what about other situations where I'd be using the "Select User or Service Account" dialog box outside of Services.msc on a domain controller?
domain service users
add a comment |
This question is a not duplicate of these existing questions:
AUTHORITYNetworkService does not exist (question is for Windows Server 2003
How can I run a process as "NT AuthorityNetworkService"? (this is a scripting question)
https://stackoverflow.com/questions/34966029/adding-permissions-for-nt-authority-networkservice (this is about adding anNT AUTHORITY
principal to an ACL, not selecting a principal in the Find User GUI)
I have a Windows Service configured on different computers:
- A workstation (non-domain) computer (running Windows 10)
- A workstation (non-domain) Windows Server (running Windows Server 2016)
- A domain workstation (running Windows 10)
- A domain member server (running Windows Server 2016)
- A domain controller (running Windows Server 2016)
Domain-joined computers and member servers:
In all computers except the domain controller, the services.msc
> Service Properties > Log On property sheet's "Select User" pop-up lets me select the NT AUTHORITY
built-in principals NETWORK SERVICE
and LOCAL SERVICE
(aka NT AUTHORITYNetworkService
and NT AUTHORITYLocalService
).
If I ignore the Search Users window and just type "network service
" into the Select User window and click "Check Names" then it's correctly resolved to NETWORK SERVICE
:
Domain Controllers:
However, on this Windows Server 2016 domain controller, the Select User popup does not let me specify any local computer name (which makes sense: the local computer's security system becomes the domain security system).
...which means it's not possible to resolve, search for or select NETWORK SERVICE
or LOCAL SERVICE
:
When I type it in directly into the Log On tab then I get this error:
The account name is invalid or does not exist, or the password is invalid for the account name specified.
I note that on a domain controller, the "Select User or Service Account" window only lets me select either "Service Accounts" or "Users" and not "Built-in security principals".
Domain-joined workstation or member-server:
Domain controller (Windows Server 2012 R2, but it's the same on 2016):
I know I can set the Service Logon Account by using sc config
or editing the registry manually (or by typing "Local Service
" or "Network Service
" into the "This account:" textbox) but what about other situations where I'd be using the "Select User or Service Account" dialog box outside of Services.msc on a domain controller?
domain service users
add a comment |
This question is a not duplicate of these existing questions:
AUTHORITYNetworkService does not exist (question is for Windows Server 2003
How can I run a process as "NT AuthorityNetworkService"? (this is a scripting question)
https://stackoverflow.com/questions/34966029/adding-permissions-for-nt-authority-networkservice (this is about adding anNT AUTHORITY
principal to an ACL, not selecting a principal in the Find User GUI)
I have a Windows Service configured on different computers:
- A workstation (non-domain) computer (running Windows 10)
- A workstation (non-domain) Windows Server (running Windows Server 2016)
- A domain workstation (running Windows 10)
- A domain member server (running Windows Server 2016)
- A domain controller (running Windows Server 2016)
Domain-joined computers and member servers:
In all computers except the domain controller, the services.msc
> Service Properties > Log On property sheet's "Select User" pop-up lets me select the NT AUTHORITY
built-in principals NETWORK SERVICE
and LOCAL SERVICE
(aka NT AUTHORITYNetworkService
and NT AUTHORITYLocalService
).
If I ignore the Search Users window and just type "network service
" into the Select User window and click "Check Names" then it's correctly resolved to NETWORK SERVICE
:
Domain Controllers:
However, on this Windows Server 2016 domain controller, the Select User popup does not let me specify any local computer name (which makes sense: the local computer's security system becomes the domain security system).
...which means it's not possible to resolve, search for or select NETWORK SERVICE
or LOCAL SERVICE
:
When I type it in directly into the Log On tab then I get this error:
The account name is invalid or does not exist, or the password is invalid for the account name specified.
I note that on a domain controller, the "Select User or Service Account" window only lets me select either "Service Accounts" or "Users" and not "Built-in security principals".
Domain-joined workstation or member-server:
Domain controller (Windows Server 2012 R2, but it's the same on 2016):
I know I can set the Service Logon Account by using sc config
or editing the registry manually (or by typing "Local Service
" or "Network Service
" into the "This account:" textbox) but what about other situations where I'd be using the "Select User or Service Account" dialog box outside of Services.msc on a domain controller?
domain service users
This question is a not duplicate of these existing questions:
AUTHORITYNetworkService does not exist (question is for Windows Server 2003
How can I run a process as "NT AuthorityNetworkService"? (this is a scripting question)
https://stackoverflow.com/questions/34966029/adding-permissions-for-nt-authority-networkservice (this is about adding anNT AUTHORITY
principal to an ACL, not selecting a principal in the Find User GUI)
I have a Windows Service configured on different computers:
- A workstation (non-domain) computer (running Windows 10)
- A workstation (non-domain) Windows Server (running Windows Server 2016)
- A domain workstation (running Windows 10)
- A domain member server (running Windows Server 2016)
- A domain controller (running Windows Server 2016)
Domain-joined computers and member servers:
In all computers except the domain controller, the services.msc
> Service Properties > Log On property sheet's "Select User" pop-up lets me select the NT AUTHORITY
built-in principals NETWORK SERVICE
and LOCAL SERVICE
(aka NT AUTHORITYNetworkService
and NT AUTHORITYLocalService
).
If I ignore the Search Users window and just type "network service
" into the Select User window and click "Check Names" then it's correctly resolved to NETWORK SERVICE
:
Domain Controllers:
However, on this Windows Server 2016 domain controller, the Select User popup does not let me specify any local computer name (which makes sense: the local computer's security system becomes the domain security system).
...which means it's not possible to resolve, search for or select NETWORK SERVICE
or LOCAL SERVICE
:
When I type it in directly into the Log On tab then I get this error:
The account name is invalid or does not exist, or the password is invalid for the account name specified.
I note that on a domain controller, the "Select User or Service Account" window only lets me select either "Service Accounts" or "Users" and not "Built-in security principals".
Domain-joined workstation or member-server:
Domain controller (Windows Server 2012 R2, but it's the same on 2016):
I know I can set the Service Logon Account by using sc config
or editing the registry manually (or by typing "Local Service
" or "Network Service
" into the "This account:" textbox) but what about other situations where I'd be using the "Select User or Service Account" dialog box outside of Services.msc on a domain controller?
domain service users
domain service users
edited 13 mins ago
Dai
asked 7 hours ago
DaiDai
1,04361635
1,04361635
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
Based on your final screenshot, you left out the space in the account name. Try Local Service
instead.
If that doesn't work, you can do it on the command line as shown here, I would write this as:
sc config ServiceName obj= "NT AUTHORITYLocal Service" password= ""
Note that in the command line version either LocalService
or Local Service
is acceptable, but in the GUI only the latter works. I'm not sure why, but that's the way it is.
1
In the command-linesc config
I had to useobj= "NT AUTHORITYLocal Service"
. Other variations, such asobj= "LocalService"
orobj= "Local Service"
don't work. Don't forget the space between the=
and"
!
– Dai
10 mins ago
add a comment |
You need to add "Built-in security principal" to your Object Types when doing this on the Domain Controller. As it is, you're only searching for User and Service Account Object Types.
"Built-in security principal" is not listed. Only "Computers" and "Users and Service Accounts" are listed as options.
– Dai
2 hours ago
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "2"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f952509%2fhow-do-i-specify-networkservice-or-localservice-for-a-windows-service-on-a-domai%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
Based on your final screenshot, you left out the space in the account name. Try Local Service
instead.
If that doesn't work, you can do it on the command line as shown here, I would write this as:
sc config ServiceName obj= "NT AUTHORITYLocal Service" password= ""
Note that in the command line version either LocalService
or Local Service
is acceptable, but in the GUI only the latter works. I'm not sure why, but that's the way it is.
1
In the command-linesc config
I had to useobj= "NT AUTHORITYLocal Service"
. Other variations, such asobj= "LocalService"
orobj= "Local Service"
don't work. Don't forget the space between the=
and"
!
– Dai
10 mins ago
add a comment |
Based on your final screenshot, you left out the space in the account name. Try Local Service
instead.
If that doesn't work, you can do it on the command line as shown here, I would write this as:
sc config ServiceName obj= "NT AUTHORITYLocal Service" password= ""
Note that in the command line version either LocalService
or Local Service
is acceptable, but in the GUI only the latter works. I'm not sure why, but that's the way it is.
1
In the command-linesc config
I had to useobj= "NT AUTHORITYLocal Service"
. Other variations, such asobj= "LocalService"
orobj= "Local Service"
don't work. Don't forget the space between the=
and"
!
– Dai
10 mins ago
add a comment |
Based on your final screenshot, you left out the space in the account name. Try Local Service
instead.
If that doesn't work, you can do it on the command line as shown here, I would write this as:
sc config ServiceName obj= "NT AUTHORITYLocal Service" password= ""
Note that in the command line version either LocalService
or Local Service
is acceptable, but in the GUI only the latter works. I'm not sure why, but that's the way it is.
Based on your final screenshot, you left out the space in the account name. Try Local Service
instead.
If that doesn't work, you can do it on the command line as shown here, I would write this as:
sc config ServiceName obj= "NT AUTHORITYLocal Service" password= ""
Note that in the command line version either LocalService
or Local Service
is acceptable, but in the GUI only the latter works. I'm not sure why, but that's the way it is.
answered 4 hours ago
Harry JohnstonHarry Johnston
3,67412037
3,67412037
1
In the command-linesc config
I had to useobj= "NT AUTHORITYLocal Service"
. Other variations, such asobj= "LocalService"
orobj= "Local Service"
don't work. Don't forget the space between the=
and"
!
– Dai
10 mins ago
add a comment |
1
In the command-linesc config
I had to useobj= "NT AUTHORITYLocal Service"
. Other variations, such asobj= "LocalService"
orobj= "Local Service"
don't work. Don't forget the space between the=
and"
!
– Dai
10 mins ago
1
1
In the command-line
sc config
I had to use obj= "NT AUTHORITYLocal Service"
. Other variations, such as obj= "LocalService"
or obj= "Local Service"
don't work. Don't forget the space between the =
and "
!– Dai
10 mins ago
In the command-line
sc config
I had to use obj= "NT AUTHORITYLocal Service"
. Other variations, such as obj= "LocalService"
or obj= "Local Service"
don't work. Don't forget the space between the =
and "
!– Dai
10 mins ago
add a comment |
You need to add "Built-in security principal" to your Object Types when doing this on the Domain Controller. As it is, you're only searching for User and Service Account Object Types.
"Built-in security principal" is not listed. Only "Computers" and "Users and Service Accounts" are listed as options.
– Dai
2 hours ago
add a comment |
You need to add "Built-in security principal" to your Object Types when doing this on the Domain Controller. As it is, you're only searching for User and Service Account Object Types.
"Built-in security principal" is not listed. Only "Computers" and "Users and Service Accounts" are listed as options.
– Dai
2 hours ago
add a comment |
You need to add "Built-in security principal" to your Object Types when doing this on the Domain Controller. As it is, you're only searching for User and Service Account Object Types.
You need to add "Built-in security principal" to your Object Types when doing this on the Domain Controller. As it is, you're only searching for User and Service Account Object Types.
edited 3 hours ago
answered 3 hours ago
joeqwertyjoeqwerty
96k463149
96k463149
"Built-in security principal" is not listed. Only "Computers" and "Users and Service Accounts" are listed as options.
– Dai
2 hours ago
add a comment |
"Built-in security principal" is not listed. Only "Computers" and "Users and Service Accounts" are listed as options.
– Dai
2 hours ago
"Built-in security principal" is not listed. Only "Computers" and "Users and Service Accounts" are listed as options.
– Dai
2 hours ago
"Built-in security principal" is not listed. Only "Computers" and "Users and Service Accounts" are listed as options.
– Dai
2 hours ago
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f952509%2fhow-do-i-specify-networkservice-or-localservice-for-a-windows-service-on-a-domai%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown