- 6 minutes to read

Logon As A Service

Info

On this page, you will learn the minimum privilege required for any Nodinite Windows Service to run on the hosting Windows Server.

Important

Changes made on a Domain Controller may take some time to replicate with other domain controllers in your network. You may need to log out and then log in using the service account (a stop/start operation may also do the trick).

First, make sure to issue the following command from an elevated command prompt on the Windows Server:

gpupdate /force

Nodinite has many Windows Services that you may install on one or more Windows Servers, potentially with one or more instances (Environments).

The Nodinite services mentioned above require different access rights on hosting Windows Servers and SQL Server Databases.

Note

Many Nodinite services use TCP Port 8000, and you must make sure this port is open for network traffic.

Stay secure with least privileges

We, the people behind Nodinite, have designed most of our Monitoring Agents to run with minimum permissions (least privileges).

  • Each Windows Service can run with the same account, or you can use different accounts for each instance/service installed.

    • Having separate accounts means additional administration and is inherently more secure.
    • Having separate accounts means you can fine-tune as needed.
  • Some Monitoring Agents require the account to be part of the local administrators group. Make sure to review the prerequisites page for each agent to learn more about required access rights

  • Some Nodinite service accounts require interactive logon.

    • Update Service (Install and update tool)
    • Logging Service
  • Make sure to use dedicated service accounts and NOT accounts assigned to, and used by physical persons.

  • About the Password Never Expires policy:

    • You must set the password to NEVER expire!
      • You should manage the set of service accounts used (and the passwords), part of your policy and planned maintenance windows.
      • With Nodinite 5.3 and later, the configuration files are protected by the current user name/password combination. The configuration files are partially encrypted based on the service account. settings. This means that the files cannot be used anywhere else (very secure, but may cause you additional administration).

Important

With Nodinite 5.3 and later, all configuration files are partially encrypted in a way that locks these files to the following combination:

  • The Service Account name
  • The password (!)

This means, if you change on any of these, the file is no longer "trusted" and cannot be used. In that case, you will need to re-enter all passwords, and other details like user secrets and so on.

Tip

Ensure account names and passwords are up to date in your safe and secure shared password manager.


What are the minimum user permissions required to install a Windows service?

You must be a Local Administrator to be able to install the Nodinite Windows Services

Only processes with Administrative privileges can open handles to the SCM (Service Control Manager) that can be used by the CreateService and LockServiceDatabase functions (see the following MSDN 'Service Security and Access Rights' article for details).

What are the minimum user permissions required to run a Windows service?

The minimum user permissions required to run a Windows service is the Log on as a service right which is a local policy set by a Local Administrator on the server level or domain level using group policies.

This security setting allows a security principal to Log on as a service. Windows Services can be configured to run under the Local System, Local Service, or Network Service accounts, which have a built-in right to log on as a service. Any service that runs under a different user account must be assigned the Log on as a service right.

Important

The default setting in Windows is None (!). This means that the account (even the Local Administrator) must be assigned this right

How to add a service account to a local policy

  1. Open Administrative Tools in the Control Panel.
    Administrative Tools

  2. Open Local Security Policy.
    LocalSecurity Policy

  3. Add the account to use for the policy 'Log on as a service'. The account, if it's already in use, needs to log on/restart to get the new set of privileges.
    Add User

Nodinite Service Accounts are used for:

Tip

The AppPool accounts are not required to be part of the Local Administrator group. If the accounts used are not Local Administrator, then add them to the IIS_IUSRS group instead and make sure the accounts have 'Read/Change/Write' permissions on all Web Application folders installed.

Local Administrator

In this article, you will find step-by-step guidance on how to add an account to the Local Administrator group on a Windows Server. The steps outlined in this guide may need to be repeated on all Windows Servers hosting Nodinite Core Services and some of the Monitoring Agents that require elevated privileges.

  1. Open the Server Manager
  2. Click Tools in the right corner of Server Manager and then select Computer Management
    Computer Management
  3. Expand Local Users and Groups and select Groups. Double-click on the Administrators group
    Local Users and Groups
  4. Add the AD service accounts that should be part of the highly privileged local Administrator's group
    Administrators Properties

Add Service Account on Domain Controller

Note

You need to be a member of the Domain Admins group to add AD accounts to the local Administrators group locally on the Domain Controller

If you need to work on the Domain Controller, you cannot find the Local Users and Groups in the 'Computer Management'. In the case you want to add any account to the local Administrator group on the domain controller machine, open Active Directory Users and Computer or from an Administrative command prompt, you can execute the following command:

 net localgroup Administrators /add {domain}\{user} 

Replace {domain}\{user} with the account to be added (without the brackets).

Warning

Adding a service or user account to the local Administrators group grants the account permissions to make changes in your Active Directory environment, not just the local server

Add Service Account on Read Only Domain Controller (RODC)

If your Domain Controller is installed as a Read-Only Domain Controller, then you must follow the steps outlined Here in order to add the service account(s) local admin rights.


Next Step

Troubleshooting
Install Nodinite

Web Client
Release Notes
Configuration Database
Log Databases