This question is not a duplicate of these existing questions:
- AUTHORITY\NetworkService does not exist (question is for Windows Server 2003)
- How can I run a process as "NT Authority\NetworkService"? (this is a scripting question)
- https://stackoverflow.com/questions/34966029/adding-permissions-for-nt-authority-networkservice (this is about adding an NT AUTHORITY principal to an ACL, not selecting a principal in the Find User GUI)
I have a Windows Service configured on different computers:
- A workstation (non-domain) computer (running Windows 10)
- A workstation (non-domain) Windows Server (running Windows Server 2016)
- A domain workstation (running Windows 10)
- A domain member server (running Windows Server 2016)
- A domain controller (running Windows Server 2016)
Domain-joined computers and member servers:
In all computers except the domain controller, the services.msc > Service Properties > Log On property sheet's "Select User" pop-up lets me select the NT AUTHORITY built-in principals NETWORK SERVICE and LOCAL SERVICE (aka NT AUTHORITY\NetworkService and NT AUTHORITY\LocalService).
If I ignore the Search Users window and just type "network service" into the Select User window and click "Check Names" then it's correctly resolved to NETWORK SERVICE:
Domain Controllers:
However, on this Windows Server 2016 domain controller, the Select User popup does not let me specify any local computer name (which makes sense: the local computer's security system becomes the domain security system).
...which means it's not possible to resolve, search for or select NETWORK SERVICE or LOCAL SERVICE:
When I type it in directly into the Log On tab then I get this error:
The account name is invalid or does not exist, or the password is invalid for the account name specified.
I note that on a domain controller, the "Select User or Service Account" window only lets me select either "Service Accounts" or "Users" and not "Built-in security principals".
Domain-joined workstation or member-server:
Domain controller (Windows Server 2012 R2, but it's the same on 2016):
I know I can set the Service Logon Account by using sc config or editing the registry manually (or by typing "Local Service" or "Network Service" into the "This account:" textbox) but what about other situations where I'd be using the "Select User or Service Account" dialog box outside of Services.msc on a domain controller?
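
An added example, not part of the original question: a PowerShell sketch of the non-GUI route mentioned above, which resolves the built-in principal from its well-known SID instead of the object picker and then reports (and optionally sets) a service's logon account. It uses the `Win32_Service` CIM class rather than `sc config`; the service name `ExampleSvc` and the script parameters are assumptions.

```powershell
# Added example: 'ExampleSvc' is a hypothetical service name.
# Run elevated; without -Apply the script only reports and changes nothing.
param(
    [string]$ServiceName = 'ExampleSvc',
    [ValidateSet('NetworkService', 'LocalService')]
    [string]$Principal = 'NetworkService',
    [switch]$Apply
)

# Pick the well-known SID type for the requested built-in principal.
$sidType = switch ($Principal) {
    'NetworkService' { [System.Security.Principal.WellKnownSidType]::NetworkServiceSid } # S-1-5-20
    'LocalService'   { [System.Security.Principal.WellKnownSidType]::LocalServiceSid }   # S-1-5-19
}
$sid = New-Object System.Security.Principal.SecurityIdentifier($sidType, $null)

# Translate the SID to the account name this machine reports for it,
# e.g. "NT AUTHORITY\NETWORK SERVICE" on an English-language system.
$account = $sid.Translate([System.Security.Principal.NTAccount]).Value

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found." }

'{0}: current logon account = {1}; target = {2} ({3})' -f `
    $svc.Name, $svc.StartName, $account, $sid.Value

if ($Apply) {
    # Built-in service accounts have no password: pass an empty string.
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
        StartName     = $account
        StartPassword = ''
    }
    if ($result.ReturnValue -ne 0) {
        throw "Win32_Service.Change failed with return value $($result.ReturnValue)."
    }

    # Re-read the service to confirm what the Service Control Manager stored.
    $after = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    '{0}: logon account is now {1}' -f $after.Name, $after.StartName
}
```

The new logon account takes effect the next time the service is started.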