Services permissions

Each service has special permissions that you can grant or deny for each user or group. You can set permissions for individual services by using Security Templates. For more information about how to do this, see Security Templates

Services must log on to an account in order to access resources and objects on the operating system. Some services are configured by default to log on to the Local System account, which is a powerful account that has full access to the system. If a service logs on to the Local System account on a domain controller, that service has access to the entire domain. Other services are configured to log on to LocalService or NetworkService accounts, which are special built-in accounts that are similar to authenticated user accounts. These accounts have the same level of access to resources and objects as members of the Users groups. This limited access helps safeguard your system if individual services or processes are compromised.

Services running as the LocalService account access network resources as a null session with no credentials. Services running as the NetworkService account access network resources using the credentials of the machine account.

For more information about how to configure a service, see To configure how a service is started


Changing the account under which a service is run might prevent the service from running properly.

The following table lists the individual service permissions that you can apply.

PermissionAllows you to

Full Control

Perform all functions. This permission automatically grants all service permissions to the user.

Query Template

Determine the configuration parameters associated with a service object.

Change Template

Change the configuration of a service.

Query Status

Access information about the status of the service.

Enumerate Dependents

Determine all of the other services that are dependent on the specified service.


Start a service.


Stop a service.

Pause and Continue

Pause and continue the service.


Report the current status information for the service.

User-Defined Control

Send a user-defined control request, or a request that is specific to the service, to the service.


Delete a service.

Read Permissions

Read the security permissions assigned to the service.

Change Permissions

Change the security permissions assigned to the service.

Take Ownership

Change a security key or change permission on a service that is not owned by the user.

© 2017 Microsoft Corporation. All rights reserved. Contact Us |Terms of Use |Trademarks |Privacy & Cookies