I am facing a project in which I have to setup an AD-less standalone local service account with network capabilities on a not-AD-connected machine running Windows Server 2019 Standard.

The named server user must have network capabilities, and must not be used to login into the machine (local console, or RDP). It shall only be used to launch the application with this user, and set folder/file permissions for this user.

In an AD-connected environment, I simple would create a service user on the domain controller (only for this machine). But I am facing an AD-less (not domain-joined, and it have to stay this way) machine.

Some research pointed out, that I can use "standalone local service accounts" for this matter (introduced in Windows Server 2008 R2), but the documentation ends up in various error 404 (not found) web pages on docs.microsoft.com.

There is another (web) application, that utilizes IIS. As far as I know, IIS requires a (service) user account with a password (Connect As dialog).

How to create an AD-less standalone local service account with network capabilities (open a listening port, accessing Internet and Intranet) on a Windows Server 2019 standalone (not AD-connected) machine?