The service I'm implementing will run on a domain controller, so I'd like it to have minimal privileges. Ideally, it would simply run as Local Service. However, it needs to be able to:
- monitor performance counters (be a member of Performance Monitor Users)
- manage performance counters, logs and alerts (be a member of Performance Log Users)
- read event logs (be a member of Event Log Readers)
Adding Local Service to these groups is obviously not a good approach. Running the service as the Virtual Service Account generated for it will allow it to access the network with the computer's identity, which is also undesirable. So I'd like to run it as Local Service with a non-zero SID type, thereby passing on to it the privileges given to the VSA.
I'm having trouble adding the service's VSA to the groups stated above. I suspect it is because the VSA is local (and exists only within the domain controller), while the groups are domain groups. Is it possible?
Group Managed Service Accounts may prove to be useful (replacing the VSA), but they need to be created manually.
What's the correct approach to set up a service to run with only the specified permissions, while the deployment has no prerequisites (no GMSA creation)?
Answers specific to specified groups are also welcome.
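The setup described in the question (run as Local Service, turn on the service SID, then grant that SID the three group memberships), as an added example that is not part of the question. The service name `MyMonitorSvc` is a placeholder, the commands assume an elevated session on the host where the service is installed, and the group additions use `net localgroup`, which applies where these groups exist as local groups (a member server or workstation); on a domain controller they are Domain Local groups in the Builtin container, which is the case the question is asking about.

```powershell
# Added example: run a service as Local Service with an unrestricted service SID
# and give that SID the group memberships needed for performance-counter and
# event-log work. "MyMonitorSvc" is a placeholder for the real service name.

$ServiceName = 'MyMonitorSvc'   # placeholder, replace with the installed service name

# 1. Run the service under NT AUTHORITY\LocalService (no network identity).
#    Note the space after "obj=": sc.exe requires it.
sc.exe config $ServiceName obj= 'NT AUTHORITY\LocalService'

# 2. Add the per-service SID (NT SERVICE\MyMonitorSvc) to the process token.
#    "unrestricted" adds the SID as a normal group; "restricted" would also
#    produce a write-restricted token.
sc.exe sidtype $ServiceName unrestricted

# 3. Confirm the SID type was applied (expect SERVICE_SID_TYPE: UNRESTRICTED).
sc.exe qsidtype $ServiceName

# 4. Grant the service SID the three memberships. net localgroup resolves the
#    NT SERVICE\<name> principal; on a member server these are local groups.
$ServiceSid = "NT SERVICE\$ServiceName"
foreach ($Group in 'Performance Monitor Users', 'Performance Log Users', 'Event Log Readers') {
    net localgroup "$Group" "$ServiceSid" /add
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not add $ServiceSid to '$Group' (exit code $LASTEXITCODE)"
    }
}

# 5. Restart so the new token (Local Service + service SID + group SIDs) takes effect.
Restart-Service -Name $ServiceName

# 6. Verify: each group should now list the service SID.
foreach ($Group in 'Performance Monitor Users', 'Performance Log Users', 'Event Log Readers') {
    net localgroup "$Group"
}
```

The group SIDs end up in the service's token only because the service SID is present there, so step 2 must precede the restart in step 5; without the SID type the memberships granted in step 4 have no effect on the running process.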
On a domain controller, you don't have a "local accounts" database, and you don't have local server groups.
Local groups are called "Domain Local" and can be used anywhere within the domain (in keeping with domain rules on how groups can be nested). AD is the DC's "local account database".
The best solution here is to NOT run it on the DC itself. The SYSTEM context on a DC has full access to everything in AD. That's a possible security breach waiting to happen.
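A way to see how much exposure the answer is pointing at, as an added example that is not part of the answer: it lists the services on the host that currently run as LocalSystem (on a domain controller, each of these has full access to AD) together with their service SID type, so the ones worth moving off the DC or re-homing to a less privileged account can be picked out. It assumes an elevated PowerShell session on the host being reviewed and parses the text output of `sc.exe qsidtype`.

```powershell
# Added example: inventory running services that use the LocalSystem account,
# with their service SID type. Run elevated on the host being reviewed.

function Get-LocalSystemServices {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.State -eq 'Running' } |
        ForEach-Object {
            # sc.exe qsidtype prints a line such as "SERVICE_SID_TYPE: UNRESTRICTED";
            # keep only the value after the colon.
            $sidLine = sc.exe qsidtype $_.Name | Select-String -Pattern 'SERVICE_SID_TYPE' |
                       ForEach-Object { $_.Line -replace '.*:\s*', '' }
            [pscustomobject]@{
                Name     = $_.Name
                Account  = $_.StartName
                SidType  = if ($sidLine) { $sidLine } else { 'UNKNOWN' }
                PathName = $_.PathName
            }
        }
}

# Services without a service SID ("NONE") cannot be constrained by per-service
# ACLs at all, so they are the first candidates to review.
Get-LocalSystemServices | Sort-Object SidType, Name | Format-Table -AutoSize
```

Run the same inventory on a member server to compare: a third-party service that appears as LocalSystem on a DC is the case the answer warns about, since there the SYSTEM token is equivalent to full control of the directory.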