The following User Rights Assignment settings, applied through GPO, are required for SharePoint to run when the Windows Server OS is in locked-down mode.
Service accounts:

- SPServiceApps: runs the Service Applications
- SPWebApps: runs the Web Applications
- SPFarm: runs the SharePoint Timer and Administrative Service
- SPContent: default content access account for the Search Service Application
- sqluser: runs the SQL Server Agent service and Database Engine service
GPO path: Computer Configuration\Policies\Windows Settings\Local Policies\User Rights Assignment

| Policy | Setting |
|---|---|
| Act as part of the operating system | NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators |
| Adjust memory quotas for a process | CONTOSO\SPWebApps, CONTOSO\SPServiceApps, CONTOSO\SPFarm, BUILTIN\Administrators |
| Back up files and directories | BUILTIN\Administrators |
| Bypass traverse checking | NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, CONTOSO\sqluser, CONTOSO\SPFarm, NT AUTHORITY\Authenticated Users |
| Change the system time | NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators |
| Change the time zone | NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators |
| Create a pagefile | BUILTIN\Administrators |
| Create global objects | NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators |
| Create symbolic links | BUILTIN\Administrators |
| Debug programs | BUILTIN\Administrators |
| Force shutdown from a remote system | BUILTIN\Administrators |
| Generate security audits | NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, CONTOSO\SPFarm |
| Impersonate a client after authentication | NT AUTHORITY\SERVICE, CONTOSO\SPWebApps, CONTOSO\SPServiceApps, CONTOSO\SPContent, BUILTIN\Administrators |
| Increase a process working set | BUILTIN\Administrators |
| Increase scheduling priority | BUILTIN\Administrators |
| Log on as a batch job | BUILTIN\Performance Log Users, CONTOSO\SPWebApps, CONTOSO\SPServiceApps, CONTOSO\SPFarm, CONTOSO\SPContent, BUILTIN\Administrators |
| Log on as a service | NT SERVICE\ALL SERVICES, CONTOSO\sqluser, CONTOSO\SPWebApps, CONTOSO\SPFarm, CONTOSO\SPServiceApps, CONTOSO\SPContent, BUILTIN\Administrators |
| Manage auditing and security log | BUILTIN\Administrators, CONTOSO\Domain Admins, CONTOSO\SPAdmin |
| Modify an object label | BUILTIN\Administrators |
| Modify firmware environment values | BUILTIN\Administrators |
| Perform volume maintenance tasks | BUILTIN\Administrators |
| Profile single process | BUILTIN\Administrators |
| Profile system performance | NT SERVICE\WdiServiceHost, BUILTIN\Administrators |
| Replace a process level token | CONTOSO\SPFarm, CONTOSO\SPServiceApps, CONTOSO\SPWebApps, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE |
| Restore files and directories | BUILTIN\Administrators |
| Take ownership of files or other objects | BUILTIN\Administrators |
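
After the GPO has applied (run `gpupdate /force` first), the effective assignments on a server can be compared against the rows above. The script below is an added example, not part of the original post: it exports the local security policy with `secedit`, resolves the SIDs in the `[Privilege Rights]` section back to account names, and reports, for each right that names a SharePoint or SQL account, which expected principals are missing and which unexpected ones are present. It assumes the domain is `CONTOSO` as in the table, an elevated PowerShell session on the SharePoint server, and that domain SIDs can be resolved (a domain controller is reachable).

```powershell
# Added example (not from the original post): audit effective User Rights
# Assignment on a SharePoint server against the table above.
# Assumptions: domain CONTOSO (as in the table), elevated session, DC reachable.

# Expected principals per right, copied from the table rows that name the
# SharePoint or SQL service accounts. Keys are the privilege constants secedit
# writes; the GPO editor display name is in the trailing comment.
$Expected = @{
    'SeIncreaseQuotaPrivilege'      = @('CONTOSO\SPWebApps', 'CONTOSO\SPServiceApps', 'CONTOSO\SPFarm',
                                        'BUILTIN\Administrators')                                  # Adjust memory quotas for a process
    'SeChangeNotifyPrivilege'       = @('NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\LOCAL SERVICE', 'CONTOSO\sqluser',
                                        'CONTOSO\SPFarm', 'NT AUTHORITY\Authenticated Users')      # Bypass traverse checking
    'SeAuditPrivilege'              = @('NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\LOCAL SERVICE',
                                        'CONTOSO\SPFarm')                                          # Generate security audits
    'SeImpersonatePrivilege'        = @('NT AUTHORITY\SERVICE', 'CONTOSO\SPWebApps', 'CONTOSO\SPServiceApps',
                                        'CONTOSO\SPContent', 'BUILTIN\Administrators')             # Impersonate a client after authentication
    'SeBatchLogonRight'             = @('BUILTIN\Performance Log Users', 'CONTOSO\SPWebApps', 'CONTOSO\SPServiceApps',
                                        'CONTOSO\SPFarm', 'CONTOSO\SPContent', 'BUILTIN\Administrators') # Log on as a batch job
    'SeServiceLogonRight'           = @('NT SERVICE\ALL SERVICES', 'CONTOSO\sqluser', 'CONTOSO\SPWebApps', 'CONTOSO\SPFarm',
                                        'CONTOSO\SPServiceApps', 'CONTOSO\SPContent', 'BUILTIN\Administrators') # Log on as a service
    'SeAssignPrimaryTokenPrivilege' = @('CONTOSO\SPFarm', 'CONTOSO\SPServiceApps', 'CONTOSO\SPWebApps',
                                        'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE') # Replace a process level token
}

# Export only the user rights area to a temporary INF file.
$cfg = Join-Path $env:TEMP 'user-rights-audit.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Parse lines of the form "SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...,CONTOSO\sqluser".
# Entries prefixed with "*" are SIDs and are translated to DOMAIN\Name; entries that
# cannot be resolved (for example orphaned accounts) are kept as the raw SID.
$Actual = @{}
foreach ($line in Get-Content -Path $cfg) {
    if ($line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
    $right = $Matches[1]
    $principals = foreach ($entry in ($Matches[2] -split ',')) {
        $p = $entry.Trim()
        if ($p.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($p.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $p
            }
        } else {
            $p
        }
    }
    $Actual[$right] = @($principals)
}
Remove-Item -Path $cfg -Force

# Compare. "Missing" breaks SharePoint; "Extra" is a least-privilege finding
# (an account holding a right the table does not call for).
$report = foreach ($right in ($Expected.Keys | Sort-Object)) {
    $have    = @($Actual[$right])
    $missing = @($Expected[$right] | Where-Object { $have -notcontains $_ })
    $extra   = @($have | Where-Object { $Expected[$right] -notcontains $_ })
    [pscustomobject]@{
        Right   = $right
        Status  = if ($missing.Count -eq 0 -and $extra.Count -eq 0) { 'OK' } else { 'DRIFT' }
        Missing = ($missing -join ', ')
        Extra   = ($extra -join ', ')
    }
}
$report | Format-Table -AutoSize -Wrap
```

Comparison with `-notcontains` is case-insensitive, so `CONTOSO\sqluser` matches however the directory capitalizes the account. Rights the table grants only to `BUILTIN\Administrators` are left out of `$Expected` because they carry no SharePoint-specific principals; they can be added to the hash table in the same form if the whole table should be enforced.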