How to Create Local Windows Desktop Service Accounts?

Applies to:

Windows 7, 8/8.1, Windows 10 -- Home and Professional.

Programs, (like BTSync), which install services -- but don't follow Windows service conventions as other programs do, (IIS, MySQL, SQL Server, etc).

Issues:

  1. Software Defect: Some installations, (like BitTorrent Sync), will not install the Windows Service -- unless a regular user account is specified.  
  2. Expected Behavior: Should automatically provide the correct NT Service account identity, or at least allow the user too.
  3. Security Issue: The user is forced to create another regular user account, [which as a best practice, should never be done].  
  4. Workaround: After the Appropriate Service Account is specified, this temporary user account should be deleted.

References

  1. Windows does not use "Service Accounts" -- in the Linux sense, but rather "Virtual Accounts" and "Managed Service Accounts, (for machines participating in an LDAP environment.

  2. Service Account Naming Convention: By Naming Convention, it appears that the virtual accounts should follow the form, "Command Name" - [Extension] + "svc"
    Note from comments: NT Service\ should be Service name from Properties > General tab - it doesn't have to contain "svc" or command name. (Though, I have not tested this with the PowerShell script.)

    "btsync.exe" becomes "NT Service\btsyncsvc"

Creating the Virtual "NT Service" Account:

  1. Open up the Local Services snap-in, "services.msc"

  2. Navigate to the desired service, (btsync), right-click "Properties".

  3. Select the "Log On" tab.

  4. Select the option to specify a user.

  5. Enter the "Conventional" service name, described above: (without quotes).

    NT Service\btsyncsvc

  6. REMOVE the passwords.

  7. Save - Apply

  8. Restart the Service.

Setting Folder Permissions:

Set folder permissions -- using the full account name: "NT Service\btsyncsvc", (using quotes may or may not be required depending on the context ...) ...

It is not necessary for the btsyncsvc to have execute permissions, so remove if you like -- otherwise, full control.

Error - Service Fails to Start due to "No Mapping Between Account Names and Security IDs":

For example, this error will occur if you specify, "NT Service\btsync" rather than "NT Service\btsyncsvc" ...

The following command will return the list of current service account names.

Using PowerShell, (PS), Verify the list against the one you have specified to use for "Log On":

PS > get-service | foreach {Write-Host NT Service\$($_.Name)}

Error - Service Fails to Start because the Account has not been Granted Log On as a Service Permissions:

This error can occur if you have specified the incorrect "Conventional Name", or if the permissions really are missing -- though will be automatically assigned if the correct convention is used.

In Windows 10 Home, the User will not be able to use the local security policy snap-in to configure this, (secpol.msc) -- and must be done manually, through PowerShell, or other utility.

PowerShell Scripts:

To fix this, it is possible to use PowerShell. "Grant-Log-on-as-a-service PowerShell Script, from Technet Gallery":

If PowerShell reports an "ExecutionPolicy Error", it may be necessary to change the ExecutionPolicy:

PS > Set-ExecutionPolicy RemoteSigned

... May Result in a signing error -- And then changed to:

PS > Set-ExecutionPolicy Unrestricted

And then use the Script to assign the permission:

PS > .".\Add Account To LogonAsService.ps1" "NT Service\btsyncsvc"

Reset the ExecutionPolicy if desired:

PS > Set-ExecutionPolicy Restricted

Hope this Helps!