Platform SDK: Active Directory, ADSI, and Directory Services

Granting Access Rights to the Service Logon Account

Part of installing a service instance is ensuring that the installed service will be able to access the necessary resources when it is running. To do this, you set ACEs in the security descriptors of objects that the service needs to access. An ACE can grant or deny access rights to a specified security principal, such as the service's user account (or the computer account for a LocalSystem service), or a group to which the service's account belongs. For more information about ACEs, security descriptors, and access control, see Controlling Access to Active Directory Objects and the Access Control chapter in the Platform SDK.

For a discussion of setting ACEs that allow the service to modify its service connection point (SCP), with sample code, see Enabling Service Account to Access SCP Properties.

You may also want to add your service's user account as a member of one or more security groups. For example, if you create an administrators group for your service, you might want to make the service itself a member of the group. Then you could simply grant access rights to the group rather than granting them explicitly to the service account. For more information about security groups, see Managing Groups.
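
The group-based approach described above, as an added PowerShell example that is not part of the SDK sample code: it makes the service account a member of a group, then grants that group an allow ACE on one directory object. It assumes the ActiveDirectory module (RSAT) is installed; the account name, group DN, target DN, and the chosen rights are hypothetical placeholders.

```powershell
# Added example: every name below is a placeholder (assumption), not from the SDK page.
Import-Module ActiveDirectory

$ServiceAccountSam = 'svc-myservice'   # hypothetical service logon account (a user account)
$GroupDn  = 'CN=MyService Admins,OU=Groups,DC=example,DC=com'  # hypothetical group
$TargetDn = 'CN=MyServiceData,CN=System,DC=example,DC=com'     # hypothetical object the service uses

# 1. Make the service account a member of the group (skip if it already is one).
$group   = Get-ADGroup -Identity $GroupDn
$account = Get-ADUser  -Identity $ServiceAccountSam
$already = Get-ADGroupMember -Identity $group |
    Where-Object { $_.SID.Value -eq $account.SID.Value }
if (-not $already) {
    Add-ADGroupMember -Identity $group -Members $account
}

# 2. Build an allow ACE for the group, limited to the rights the service needs.
#    Inheritance is None, so the ACE applies to this object only, not its children.
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $group.SID,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

# 3. Bind to the target, restrict the read/write to the DACL (owner and SACL
#    are left untouched), add the ACE, and write the descriptor back.
$target = [ADSI]"LDAP://$TargetDn"
$target.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
$target.psbase.ObjectSecurity.AddAccessRule($rule)
$target.psbase.CommitChanges()

# 4. Re-bind and list the explicit ACEs held by the group to confirm the change.
$check = [ADSI]"LDAP://$TargetDn"
$check.psbase.ObjectSecurity.GetAccessRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $group.SID.Value } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
```

Because the ACE names the group rather than the account, changing the service's logon account later only requires a group membership change, not an edit to each object's security descriptor.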