
Logon As A Service

Empower your Nodinite environment with secure, least-privilege service account management. This guide explains how to configure 'Logon as a Service' rights for Nodinite Windows Services, ensuring compliance, security, and smooth operations across your infrastructure.

✅ Step-by-step instructions for setting 'Logon as a Service' rights
✅ Ensures least-privilege, secure deployments
✅ Supports multi-server and multi-environment scenarios
✅ Best practices for password, policy, and account management

Info

On this page, you will learn the minimum privilege required for any Nodinite Windows Service to run on the hosting Windows Server.

Important

Changes made on a Domain Controller may take some time to replicate to other domain controllers in your network. You may need to log out and then log in using the service account (a stop/start operation may also do the trick).

First, issue the following command from an elevated command prompt on the Windows Server to update group policies:

gpupdate /force

Nodinite provides many Windows Services that you can install on one or more Windows Servers, potentially with multiple Environments.

The Nodinite services above require different access rights on hosting Windows Servers and SQL Server Databases.

Note

Many Nodinite services use TCP Port 8000. Ensure this port is open for network traffic.

Stay secure with least privileges

We designed Nodinite Monitoring Agents and services to run with minimum permissions (least privilege):

  • Each Windows Service can run with the same account, or you can use different accounts for each instance/service installed.
    • Separate accounts increase security and allow fine-tuned access.
  • Some Monitoring Agents require the account to be part of the local administrators group. Review the prerequisites page for each agent.
  • Some Nodinite service accounts require interactive logon (e.g., Update Service, Logging Service).
  • Always use dedicated service accounts—never assign accounts used by physical persons.
  • Set service account passwords to NEVER expire. Manage these accounts and passwords as part of your policy and maintenance.
    • With Nodinite 5.3+, configuration files are partially encrypted and locked to the service account and password. Changing either requires re-entering all secrets.
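To review these points on a server, the following added example (not Nodinite code) lists each matching Windows Service with its logon account and whether that account is a built-in identity or a direct member of the local Administrators group. The 'Nodinite*' name filter is an assumption about how the services are named on your server.

```powershell
# Added example, not Nodinite code. The 'Nodinite*' filter is an assumption about
# how the services are named; adjust it to the services installed on this server.
# S-1-5-32-544 is the well-known SID of the local Administrators group.
$adminSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.SID.Value })

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -like 'Nodinite*' -or $_.DisplayName -like 'Nodinite*' } |
    ForEach-Object {
        $svc = $_
        # StartName is the logon account; local accounts are stored as .\name
        $name = $svc.StartName -replace '^\.\\', ($env:COMPUTERNAME + '\')
        $sid = if ($name -eq 'LocalSystem') { 'S-1-5-18' } else {
            try {
                [System.Security.Principal.NTAccount]::new($name).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { $null }   # account name could not be resolved
        }
        [pscustomobject]@{
            Service    = $svc.Name
            State      = $svc.State
            RunsAs     = $svc.StartName
            # Local System, Local Service and Network Service
            BuiltIn    = $sid -in @('S-1-5-18', 'S-1-5-19', 'S-1-5-20')
            # Direct membership only; access through nested groups is not expanded
            LocalAdmin = ($sid -eq 'S-1-5-18') -or ($adminSids -contains $sid)
        }
    } | Sort-Object RunsAs | Format-Table -AutoSize
```

Rows with LocalAdmin set to True are the ones to compare against the prerequisites page of the corresponding agent.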

Important

With Nodinite 5.3 and later, all configuration files are partially encrypted in a way that locks these files to the following combination:

  • The Service Account name
  • The password (!)

This means that if you change either of these, the file is no longer "trusted" and cannot be used. In that case, you will need to re-enter all passwords and other details such as user secrets.

Tip

Keep account names and passwords up to date in a secure, shared password manager.


What are the minimum user permissions required to install a Windows service?

You must be a Local Administrator to install Nodinite Windows Services.

Only processes with Administrative privileges can open handles to the SCM (Service Control Manager) that can be used by the CreateService and LockServiceDatabase functions (see the following MSDN 'Service Security and Access Rights' article for details).

What are the minimum user permissions required to run a Windows service?

The minimum user permission required to run a Windows service is the Log on as a service right, a local policy set by a Local Administrator on the server or via group policy.

This security setting allows a security principal to Log on as a service. Windows Services can run under built-in accounts (Local System, Local Service, Network Service), which have this right by default. Any service running under a different user account must be assigned the Log on as a service right.

Important

The default setting in Windows is None (!). This means that the account (even the Local Administrator) must be assigned this right.

How to add a service account to a local policy

  1. Open Administrative Tools in the Control Panel.
  2. Open Local Security Policy.
  3. Add the account to the policy 'Log on as a service'. If the account is already in use, log on/restart to get the new privileges.
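To confirm the result without opening the policy editor, the following added example (not Nodinite code) exports the server's user rights with secedit and reports whether an account is listed under 'Log on as a service' (SeServiceLogonRight) and under 'Deny log on as a service' (SeDenyServiceLogonRight). The account name CONTOSO\svc-nodinite is a placeholder; run it from an elevated PowerShell prompt.

```powershell
# Added example, not Nodinite code. Run from an elevated PowerShell prompt.
# 'CONTOSO\svc-nodinite' is a placeholder account name.
$Account = 'CONTOSO\svc-nodinite'

function Get-UserRightSid {
    param([Parameter(Mandatory)][string]$Right)

    $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export the machine's current user rights assignments as an INF file
        secedit.exe /export /areas USER_RIGHTS /cfg $cfg | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }

        $line = Get-Content $cfg | Where-Object { $_ -match "^\s*$Right\s*=" }
        if (-not $line) { return }          # the right is assigned to no one

        foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                $entry.Substring(1)         # entries prefixed with * are already SIDs
            } elseif ($entry) {
                # Bare account name: translate it so all comparisons are SID to SID
                try {
                    [System.Security.Principal.NTAccount]::new($entry).Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value
                } catch { $entry }
            }
        }
    }
    finally { Remove-Item $cfg -ErrorAction SilentlyContinue }
}

$sid = [System.Security.Principal.NTAccount]::new($Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

[pscustomobject]@{
    Account            = $Account
    Sid                = $sid
    LogOnAsService     = @(Get-UserRightSid 'SeServiceLogonRight') -contains $sid
    # An explicit deny overrides the grant, so report it alongside
    DenyLogOnAsService = @(Get-UserRightSid 'SeDenyServiceLogonRight') -contains $sid
}
```

The check covers direct assignment only: an account that receives the right through a group shows LogOnAsService as False here even though the service can start.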

Nodinite Service Accounts are used for:

Tip

The AppPool accounts are not required to be part of the Local Administrator group. If the accounts used are not Local Administrator, add them to the IIS_IUSRS group and ensure they have 'Read/Change/Write' permissions on all Web Application folders installed.

Local Administrator

Follow these steps to add an account to the Local Administrator group on a Windows Server. Repeat on all servers hosting Nodinite Core Services and Monitoring Agents that require elevated privileges.

  1. Open the Server Manager
  2. Click Tools in the right corner of Server Manager and select Computer Management
  3. Expand Local Users and Groups and select Groups. Double-click on the Administrators group
  4. Add the AD service accounts that should be part of the highly privileged local Administrators group

Add Service Account on Domain Controller

Note

You need to be a member of the Domain Admins group to add AD accounts to the local Administrators group locally on the Domain Controller.

If you need to work on the Domain Controller, Local Users and Groups is not available in 'Computer Management'. To add any account to the local Administrators group on the domain controller, open Active Directory Users and Computers or use an Administrative command prompt:

net localgroup Administrators /add {domain}\{user}

Replace {domain}\{user} with the account to be added (without the brackets).

Warning

Adding a service or user account to the local Administrators group grants the account permissions to make changes in your Active Directory environment, not just the local server.

Add Service Account on Read Only Domain Controller (RODC)

If your Domain Controller is installed as a Read-Only Domain Controller, follow the steps outlined here to grant the service account(s) local admin rights.


Next Step

Troubleshooting
Install Nodinite
