
Logon As A Service

On this page, you will learn the least privileges required for any Nodinite Windows Service to run on the hosting Windows Server.

NOTE: Changes made on a Domain Controller may take some time to replicate to other domain controllers in your network. You may need to log out and then log in using the service account (a stop/start operation may also do the trick). First, make sure to issue the following command from an elevated command prompt on the Windows Server:

gpupdate /force

Nodinite has many Windows Services that you may install on one or more Windows Servers, potentially with one or more instances (Environments).

The Nodinite services mentioned above require different access rights on hosting Windows Servers and SQL Server Databases.

Many Nodinite services use TCP Port 8000, and you must make sure this port is open for network traffic.

Stay secure with least privileges

We, the people behind Nodinite, have designed most of our Monitoring Agents to run with the minimum set of permissions (least privileges).

  • Each Windows Service can run with the same account, or you can use different accounts for each instance/service installed.

    • Having separate accounts means additional administration and is inherently more secure.
    • Having separate accounts means you can fine-tune as needed.
  • Some Monitoring Agents require the account to be part of the local Administrators group. Make sure to review the prerequisites page for each agent to learn more about the required access rights.

  • Some Nodinite service accounts require interactive logon.

    • Update Service (Install and update tool)
    • Logging Service
  • Make sure to use dedicated service accounts and NOT accounts assigned to, and used by, physical persons.

  • About the Password Never Expires policy:

    • You must set the password to NEVER expire!
      • You should manage the set of service accounts used (and the passwords) as part of your policy and planned maintenance windows.
      • With Nodinite 5.3 and later, the configuration files are protected by the current user name/password combination. The configuration files are partially encrypted based on the service account settings. This means that the files cannot be used anywhere else (very secure, but may cause you additional administration).

With Nodinite 5.3 and later, all configuration files are partially encrypted in a way that locks these files to the following combination:
  • The Service Account name
  • The password (!)

This means that if you change either of these, the file is no longer "trusted" and cannot be used. In that case, you will need to re-enter all passwords and other details such as user secrets.
Make sure to document the accounts and passwords in your secured, shared password manager.
___

What are the minimum user permissions required to install a Windows service?

You must be a Local Administrator to be able to install the Nodinite Windows Services.

Only processes with Administrative privileges can open handles to the SCM (Service Control Manager) that can be used by the CreateService and LockServiceDatabase functions (see the following MSDN 'Service Security and Access Rights' article for details).

What are the minimum user permissions required to run a Windows service?

The minimum user permission required to run a Windows service is the Log on as a service right, which is a local policy set by a Local Administrator at the server level or at the domain level using group policies.

This security setting allows a security principal to Log on as a service. Windows Services can be configured to run under the Local System, Local Service, or Network Service accounts, which have a built-in right to log on as a service. Any service that runs under a different user account must be assigned the Log on as a service right.

The default setting in Windows is None (!). This means that the account (even the Local Administrator) must be assigned this right.

How to add a service account to a local policy

  1. Open Administrative Tools in Control Panel.

  2. Open Local Security Policy.

  3. Add the account to use to the policy 'Log on as a service'. If the account is already in use, it must log on again (or the service must be restarted) to get the new set of privileges.
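
A scripted check for the result of the steps above, as an added example that is not part of the Nodinite documentation: it exports the local user rights with secedit and reports whether the account is directly assigned 'Log on as a service' (SeServiceLogonRight) and whether it is a direct member of the local Administrators group. The account name CONTOSO\svc-nodinite is a placeholder, and the script assumes Windows PowerShell 5.1 on a member server (not a domain controller).

```powershell
# Added example (not Nodinite code). Run from an elevated PowerShell prompt.
param(
    # Hypothetical service account; replace with your own.
    [string]$Account = 'CONTOSO\svc-nodinite'
)

# Resolve the account to its SID; secedit lists most principals as *<SID>.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user rights assignments of the effective local policy.
$cfg = Join-Path $env:TEMP ('user-rights-{0}.inf' -f [guid]::NewGuid())
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
try {
    $line = Get-Content -Path $cfg |
        Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
}
finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}

# No SeServiceLogonRight line means nobody has been assigned the right.
$holders = @()
if ($line) {
    $holders = @(($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') })
}

# Entries are SIDs or, occasionally, plain account names; check both forms.
$shortName = ($Account -split '\\')[-1]
$hasRight = ($holders -contains $sid) -or
            ($holders -contains $Account) -or
            ($holders -contains $shortName)

# Direct membership of BUILTIN\Administrators (well-known SID S-1-5-32-544).
$isAdmin = @((Get-LocalGroupMember -SID 'S-1-5-32-544').SID.Value) -contains $sid

[pscustomobject]@{
    Account            = $Account
    Sid                = $sid
    LogOnAsService     = $hasRight   # direct assignment only, not via groups
    LocalAdministrator = $isAdmin    # should be False unless the agent needs it
}
```

Run it after gpupdate /force; a right or membership inherited through a group is not detected by this direct-assignment check.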

Nodinite Service Accounts are used for:

The AppPool accounts are not required to be part of the Local Administrator group. If the accounts used are not Local Administrator, then add them to the IIS_IUSRS group instead and make sure the accounts have 'Read/Change/Write' permissions on all Web Application folders installed.

Local Administrator

In this article, you will find the step-by-step guidance on how to add an account to the Local Administrator group on a Windows Server. The steps outlined in this guide may need to be repeated on all Windows Servers hosting Nodinite Core Services and some of the Monitoring Agents that require elevated privileges.

  1. Open the Server Manager
  2. Click Tools in the right corner of Server Manager and then select Computer Management
  3. Expand Local Users and Groups and select Groups. Double-click on the Administrators group
  4. Add the AD service accounts that should be part of the highly privileged local Administrators group

Add Service Account on Domain Controller

You need to be a member of the Domain Admins group to add AD accounts to the local Administrators group locally on the Domain Controller.

If you need to work on the Domain Controller, you cannot find Local Users and Groups in 'Computer Management'. If you want to add an account to the local Administrators group on the domain controller machine, open Active Directory Users and Computers, or execute the following command from an Administrative command prompt:

 net localgroup Administrators /add {domain}\{user} 

Replace {domain}\{user} with the account to be added (without the brackets).

WARNING: Adding a service or user account to the local Administrators group grants the account permissions to make changes in your Active Directory environment, not just the local server.

Add Service Account on Read Only Domain Controller (RODC)

If your Domain Controller is installed as a Read-Only Domain Controller, then you must follow the steps outlined here in order to grant the service account(s) local admin rights.

