9

This question is not a duplicate of these existing questions:

I have a Windows Service configured on different computers:

  • A workstation (non-domain) computer (running Windows 10)
  • A workstation (non-domain) Windows Server (running Windows Server 2016)
  • A domain workstation (running Windows 10)
  • A domain member server (running Windows Server 2016)
  • A domain controller (running Windows Server 2016)

Domain-joined computers and member servers:

On all computers except the domain controller, the services.msc > Service Properties > Log On property sheet's "Select User" pop-up lets me select the NT AUTHORITY built-in principals NETWORK SERVICE and LOCAL SERVICE (aka NT AUTHORITY\NetworkService and NT AUTHORITY\LocalService).


If I ignore the Search Users window and just type "network service" into the Select User window and click "Check Names" then it's correctly resolved to NETWORK SERVICE:


Domain Controllers:

However, on this Windows Server 2016 domain controller, the Select User popup does not let me specify any local computer name (which makes sense: the local computer's security system becomes the domain security system).

...which means it's not possible to resolve, search for or select NETWORK SERVICE or LOCAL SERVICE:


When I type it directly into the Log On tab, I get this error:

The account name is invalid or does not exist, or the password is invalid for the account name specified.

I note that on a domain controller, the "Select User or Service Account" window only lets me select either "Service Accounts" or "Users" and not "Built-in security principals".

Domain-joined workstation or member-server:


Domain controller (Windows Server 2012 R2, but it's the same on 2016):


I know I can set the Service Logon Account by using sc config or editing the registry manually (or by typing "Local Service" or "Network Service" into the "This account:" textbox) but what about other situations where I'd be using the "Select User or Service Account" dialog box outside of Services.msc on a domain controller?

Dai

3 Answers

7

Based on your final screenshot, you left out the space in the account name. Try Local Service instead.

If that doesn't work, you can do it on the command line as shown here; I would write this as:

```
sc config ServiceName obj= "NT AUTHORITY\Local Service" password= ""
```

Note that in the command line version either LocalService or Local Service is acceptable, but in the GUI only the latter works. I'm not sure why, but that's the way it is.

Harry Johnston
  • 3
    In the command-line `sc config` I had to use `obj= "NT AUTHORITY\Local Service"`. Other variations, such as `obj= "LocalService"` or `obj= "Local Service"` don't work. Don't forget the space between the `=` and `"`! – Dai Feb 06 '19 at 07:41
  • Had the same problem with `Network Service`; adding the `NT AUTHORITY\` solved it. – Eelke Jan 29 '21 at 07:05
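
The `sc config` approach from this answer and its comments, scripted so that it does not depend on the "Select User" dialog. This is an added example, not code from the question or any answer. It resolves the fully qualified account name from the well-known SIDs S-1-5-19 (Local Service) and S-1-5-20 (Network Service); the function name `Set-BuiltinServiceAccount` and the service name `MyService` are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: set a service to run as a built-in low-privilege identity and verify it.

# Well-known SIDs of the built-in service identities (the same on every Windows machine).
$WellKnownSid = @{
    LocalService   = 'S-1-5-19'
    NetworkService = 'S-1-5-20'
}

function Set-BuiltinServiceAccount {
    param(
        [Parameter(Mandatory)] [string] $ServiceName,
        [Parameter(Mandatory)] [ValidateSet('LocalService', 'NetworkService')] [string] $Identity
    )

    # Resolve SID -> "NT AUTHORITY\..." through the .NET lookup instead of the object
    # picker, so the fully qualified name is used (also correct on localized systems).
    $sid     = [System.Security.Principal.SecurityIdentifier]::new($WellKnownSid[$Identity])
    $account = $sid.Translate([System.Security.Principal.NTAccount]).Value

    # Same command as in the answer. Passing one argument string keeps the empty
    # password ("") intact; sc.exe needs the space after "obj=" and "password=".
    $scArgs = 'config "{0}" obj= "{1}" password= ""' -f $ServiceName, $account
    $proc   = Start-Process -FilePath sc.exe -ArgumentList $scArgs -Wait -NoNewWindow -PassThru
    if ($proc.ExitCode -ne 0) {
        throw "sc.exe config failed for '$ServiceName' (exit code $($proc.ExitCode))"
    }

    # Read back what the Service Control Manager stored for the service.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    [pscustomobject]@{
        Service   = $svc.Name
        Requested = $account
        StartName = $svc.StartName
        # Compare ignoring case and spaces, since the stored name may be
        # reported with or without the space.
        Match     = ($svc.StartName -replace ' ', '') -ieq ($account -replace ' ', '')
    }
}

# Usage ('MyService' is a placeholder):
# Set-BuiltinServiceAccount -ServiceName 'MyService' -Identity LocalService
```

The new logon account takes effect the next time the service starts.
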
2

You need to add "Built-in security principal" to your Object Types when doing this on the Domain Controller. As it is, you're only searching for User and Service Account Object Types.

joeqwerty
  • "Built-in security principal" is not listed. Only "Computers" and "Users and Service Accounts" are listed as options. – Dai Feb 06 '19 at 05:36
1

You can also just go to the Log On as tab and specify NT AUTHORITY\LocalService into the text input box as the username and clear out both password fields, then click OK.

Dan Minoh