SharePoint 2016 : User Rights Assignment GPO

Following are the User Rights Assignments settings GPO required to run SharePoint successfully if your Windows Server OS is in locked down mode.

Service Accounts:
SPServiceApps : Runs Service Applications
SPWebApps:      Runs the Web Applications
SPFarm :            Runs the SharePoint Timer and Administrative Service
SPConent:          Default Content Access Account for the Search Service Application
Sqluser:              Run the SQL server agent service and Database Engine service

GPO: Computer Configuration\Policies\Windows Settings\Local Policies\User Rights Assignment

Policy Setting
Act as part of the operating system NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Adjust memory quotas for a processCONTOSO\SPWebApps, CONTOSO\SPServiceApps, CONTOSO\SPFarm, BUILTIN\Administrators
Back up files and directoriesBUILTIN\Administrators
Bypass traverse checkingNT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, CONTOSO\sqluser, CONTOSO\SPFarm, NT AUTHORITY\Authenticated Users
Change the system time NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Change the time zoneNT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Change the time zoneNT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Create a pagefileBUILTIN\Administrators
Create global objects NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Create symbolic linksBUILTIN\Administrators
Debug programsBUILTIN\Administrators
Force shutdown from a remote systemBUILTIN\Administrators
Generate security auditsNT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, CONTOSO\SPFarm
Impersonate a client after authenticationT AUTHORITY\SERVICE, CONTOSO\SPWebApps, CONTOSO\SPServiceApps, CONTOSO\SPContent, BUILTIN\Administrators
Increase a process working setBUILTIN\Administrators
Increase scheduling priorityBUILTIN\Administrators
Log on as a batch jobBUILTIN\Performance Log Users, CONTOSO\SPWebApps, CONTOSO\SPServiceApps, CONTOSO\SPFarm, CONTOSO\SPContent, BUILTIN\Administrators
Log on as a serviceNT SERVICE\ALL SERVICES, CONTOSO\sqluser, CONTOSO\SPWebApps, CONTOSO\SPFarm, CONTOSO\SPServiceApps,
CONTOSO\SPContent, BUILTIN\Administrators
Manage auditing and security logBUILTIN\Administrators, CONTOSO\Domain Admins, CONTOSO\SPAdmin
Modify an object labelBUILTIN\Administrators
Modify firmware environment valuesBUILTIN\Administrators
Perform volume maintenance tasksBUILTIN\Administrators
Profile single process BUILTIN\Administrators
Profile system performanceNT SERVICE\WdiServiceHost, BUILTIN\Administrators
Replace a process level tokenCONTOSO\SPFarm, CONTOSO\SPServiceApps, CONTOSO\SPWebApps, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE
Restore files and directoriesBUILTIN\Administrators
Take ownership of files or other objectsBUILTIN\Administrators