
Assign log on as a service user rights to a local system account via GPO using WMI Filters

On a couple of customer sites I had the issue that the local security policy entry Log on as a service was controlled via GPO, and our applications did not start properly because the local user account did not have the required access rights.
Attached you will find a manual I wrote to show you how to modify those entries and how to set up a WMI filter so that the new GPO applies only to the required servers, which saves you from creating several OUs.

Download PDF

Enjoy reading.

How to assign logon as a service user rights to a local system account via GPO

Some applications require special user accounts to start their services. For example, HiPath ProCenter creates two user accounts during installation, hppc and Informix, to start the database and the HiPath ProCenter service, and OpenScape Xpressions requires a local administrator to run the telematic and Realspeak engine if text to speech is used. (See services.msc.)

Some domain administrators apply a GPO to all servers and/or workstations to grant the logon as a service right to special user accounts, for example for backup solutions. If such a GPO is applied, services running under user accounts that are not on this list will not start and will produce an error message in the event log.

To identify which users have the logon as a service right, open the Local Security Policy.



In this example no GPO is assigned to control this access right.

In this example a GPO is assigned to control this access right.

You can clearly see the difference here. If the settings are controlled via GPO, they cannot be adjusted.

How to create a GPO to allow changing this parameter
Log on to the server on which the local system accounts are located with any Domain Admin Active Directory account, then download and install the Group Policy Management Console:
http://www.microsoft.com/downloads/details.aspx?familyid=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en
After successful installation, start it:


Expand the tree, right-click WMI Filters and press New.

Give the filter a meaningful name and description and press Add.

Keep the default namespace and enter the query, replacing hostname with the name of the server:

SELECT * FROM Win32_ComputerSystem WHERE Name='hostname'
Press OK and Save.

Now browse to the OU containing your servers and right-click the OU to create and link a new GPO.

Give the GPO a proper name and press OK.

After the GPO is created, right-click it and choose Edit.


Double-click Log on as a service.

Check the box Define these policy settings and press Add User or Group.

Press Browse to select your users.

Press Locations to change the location from your domain to the local PC.

Ensure the location is changed to the local PC, enter the username that you wish to grant the access right, press Check Names and hit OK to save the settings. Perform these steps for ALL user accounts you wish to grant the logon as a service right, including the ones that may already be assigned!

After all the users are added, press Apply and OK to save the changes and close the Group Policy editor.

Now link the WMI filter we created earlier to the newly created GPO and press Yes at the information message.

To apply the changes, run the command
gpupdate /force

The server will probably require a restart or at least a logoff in order to apply the changes.

On the next start-up the PC applies the new settings, and you can check the applied changes using the Local Security Settings MMC.

This setting is now controlled via GPO, and the accounts we configured, including our local administrator, are part of the users.
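
The following script is an added example, not part of the original manual. It checks on the target server that the WMI filter query matches the host and lists which accounts currently hold Log on as a service, so you can record the existing entries before editing the GPO and confirm the result after gpupdate. It assumes an elevated Windows PowerShell session; the account names in $Required are sample values taken from the HiPath ProCenter example above.

```powershell
# Added example: run in an elevated Windows PowerShell session on the target server.
# $FilterQuery and $Required are sample values; replace them with your own.
$FilterQuery = "SELECT * FROM Win32_ComputerSystem WHERE Name='$env:COMPUTERNAME'"
$Required    = @('hppc', 'informix')   # local accounts that must hold the right

function Test-WmiFilter {
    param([string]$Query)
    # A WMI filter lets the GPO apply when the query returns at least one object.
    $result = @(Get-WmiObject -Namespace 'root\CIMv2' -Query $Query -ErrorAction Stop)
    return ($result.Count -gt 0)
}

function Get-ServiceLogonAccounts {
    # Export only the user rights section of the effective security policy.
    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return }
    $entries = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() }
    foreach ($entry in $entries) {
        if ($entry -match '^\*(S-1-.+)$') {
            # secedit writes SIDs with a leading '*'; translate them to names.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($Matches[1])
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }   # unresolvable SID, e.g. a deleted account
        } else {
            $entry                 # already written as an account name
        }
    }
}

"WMI filter matches this host: $(Test-WmiFilter $FilterQuery)"

$holders = @(Get-ServiceLogonAccounts)
"Accounts holding Log on as a service:"
$holders | ForEach-Object { "  $_" }

foreach ($name in $Required) {
    # Translated names look like COMPUTER\user, so compare the last component.
    $present = $holders | Where-Object { ($_ -split '\\')[-1] -ieq $name }
    if (-not $present) { Write-Warning "$name is missing from SeServiceLogonRight" }
}
```

Run it once before editing the GPO and keep the output: every account listed there has to be added to the GPO as well if it should keep the right.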

16 replies on “Assign log on as a service user rights to a local system account via GPO using WMI Filters”

Thank you very much. I applied this solution for the DLP Vontu service. The Vontu notifier service was always down, and it would not start again because of a logon failure. Now everything is OK.

God bless you 🙂

Excellent! Thank you. I was able to create the new policy and WMI filter on Windows Server 2012 R2 to fix an Office 365 Directory Synchronization failure I was having.

The problem with this method is that it OVERWRITES any other local security policy setting, rather than add to the list. This can stop things working or prevent new things from ever working.

I would like to start off with excellent instructions! Super Useful.

I have found a slightly different solution that allowed me to assign a local user account to an existing GPO instead of creating a new one and assigning a WMI query.

If you install the GPMC tool on the server, you can just edit the existing GPO that you want, and when selecting users, change the location from your domain to the local PC. This allows the GPO to properly find the local account on the server and apply the GPO.

While installing WSUS on Windows Server 2016 Essentials, I received a message that I could not start the Windows Internet Database service because I need to define user MSSQUL$MICROSOFT##WID to log in as a service. While searching Google for a solution, I found your article.
In the PDF on page 7, it says in to find my server. I’m using GPMC but cannot find my server listed anywhere. How do I continue?
