Deny logon as a service (Windows)

Module: Account Integrity

Supported Platforms: Windows 2000, Windows 2003, Windows 2008, Windows Vista, Windows XP

This check reports accounts that are denied the right to log on to the system as a service. This right takes precedence over the Log on as a service right. The Deny right lets you remove access for subsets of groups that have the Log on right. You can use the name list to include or exclude users or security groups that are not already included or excluded by the Users to check option.

The following table lists the error message for the check.

Table: Error message for Deny logon as a service

Message String ID and Category

Platform and Message Numeric ID

Message Title and Description

Additional Information

String ID: ESM_DENY_LOGON_SERVICE

Category: Policy Compliance

  • Windows 2000 (105953)

  • Windows 2003 (205953)

  • Windows 2008 (248953)

  • Windows Vista (228948)

  • Windows XP (200948)

Title: Deny logon as a service

Description:The user or security group has been denied the right to log on as a service. If the user or group should be denied service logon, edit the check's name list. If the user or group should not be denied service logon, use the Correct feature to revoke the denial.

Severity: green-0

Correctable: true

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]