
Deny logon as a service

AKA: SeDenyServiceLogonRight, Deny logon as a service

Default assignment: None

This right is the opposite of Log on as a service; any user who holds both rights will be denied service logons. See the discussion of logon rights.

This right is useful for explicitly preventing users from running services under their personal accounts. Running services under an administrator's or operator's personal account is bad practice: the service will fail when the person leaves the organization and the account is disabled or deleted, or when the account is locked out due to repeated password failures. In addition, the user must remember to update every such service whenever the account password changes.
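To see where this applies on a host, the following added PowerShell example (not part of the original page) reads a `secedit` user-rights export and a service list, then reports who holds Deny logon as a service, which accounts hold both rights, and which services run under ordinary user accounts. The CONTOSO names and sample data are constructed, and matching is by direct entry only, so group membership is not resolved.

```powershell
# Added example. Sample data below is constructed; on a live host use instead:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS   (elevated prompt)
#   $inf      = Get-Content "$env:TEMP\rights.inf"
#   $services = Get-CimInstance Win32_Service | Select-Object Name, StartName
$inf = @(
    '[Privilege Rights]',
    'SeServiceLogonRight = *S-1-5-80-0,CONTOSO\svc-backup,CONTOSO\jsmith',
    'SeDenyServiceLogonRight = CONTOSO\jsmith'
)
$services = @(
    [pscustomobject]@{ Name = 'Spooler';   StartName = 'LocalSystem' },
    [pscustomobject]@{ Name = 'BackupJob'; StartName = 'CONTOSO\svc-backup' },
    [pscustomobject]@{ Name = 'ReportGen'; StartName = 'CONTOSO\jsmith' }
)

function Get-RightEntries {
    param([string[]]$InfLines, [string]$Right)
    # A right is listed under [Privilege Rights] only when it is assigned to someone.
    $line = $InfLines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return }
    ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |   # SIDs are exported with a leading '*'
        Where-Object { $_ }
}

function Find-UserAccountServices {
    param([object[]]$Services)
    # Heuristic: skip built-in and virtual service accounts, and names ending in '$'
    # (managed service accounts). What remains still needs human review.
    $Services | Where-Object {
        $_.StartName -and
        $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)' -and
        $_.StartName -notmatch '\$$'
    }
}

$deny  = @(Get-RightEntries -InfLines $inf -Right 'SeDenyServiceLogonRight')
$allow = @(Get-RightEntries -InfLines $inf -Right 'SeServiceLogonRight')

'Deny logon as a service: ' + $(if ($deny) { $deny -join ', ' } else { 'None (default)' })
# Accounts holding both rights are denied service logons.
'Holds both rights: ' + (@($allow | Where-Object { $deny -contains $_ }) -join ', ')

Find-UserAccountServices -Services $services | ForEach-Object {
    [pscustomobject]@{
        Service = $_.Name
        RunsAs  = $_.StartName
        Denied  = $deny -contains $_.StartName   # direct entries only, no group expansion
    }
}
```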
