Following are the User Rights Assignment GPO settings required to run SharePoint successfully when the Windows Server OS is in locked-down mode.
Service accounts:
SPServiceApps: Runs the service applications
SPWebApps: Runs the web applications
SPFarm: Runs the SharePoint Timer and Administrative Service
SPContent: Default content access account for the Search Service Application
sqluser: Runs the SQL Server Agent service and Database Engine service
GPO: Computer Configuration\Policies\Windows Settings\Local Policies\User Rights Assignment
Policy | Setting |
---|---|
Act as part of the operating system | NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators |
Adjust memory quotas for a process | CONTOSO\SPWebApps, CONTOSO\SPServiceApps, CONTOSO\SPFarm, BUILTIN\Administrators |
Back up files and directories | BUILTIN\Administrators |
Bypass traverse checking | NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, CONTOSO\sqluser, CONTOSO\SPFarm, NT AUTHORITY\Authenticated Users |
Change the system time | NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators |
Change the time zone | NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators |
Create a pagefile | BUILTIN\Administrators |
Create global objects | NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators |
Create symbolic links | BUILTIN\Administrators |
Debug programs | BUILTIN\Administrators |
Force shutdown from a remote system | BUILTIN\Administrators |
Generate security audits | NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, CONTOSO\SPFarm |
Impersonate a client after authentication | NT AUTHORITY\SERVICE, CONTOSO\SPWebApps, CONTOSO\SPServiceApps, CONTOSO\SPContent, BUILTIN\Administrators |
Increase a process working set | BUILTIN\Administrators |
Increase scheduling priority | BUILTIN\Administrators |
Log on as a batch job | BUILTIN\Performance Log Users, CONTOSO\SPWebApps, CONTOSO\SPServiceApps, CONTOSO\SPFarm, CONTOSO\SPContent, BUILTIN\Administrators |
Log on as a service | NT SERVICE\ALL SERVICES, CONTOSO\sqluser, CONTOSO\SPWebApps, CONTOSO\SPFarm, CONTOSO\SPServiceApps, CONTOSO\SPContent, BUILTIN\Administrators |
Manage auditing and security log | BUILTIN\Administrators, CONTOSO\Domain Admins, CONTOSO\SPAdmin |
Modify an object label | BUILTIN\Administrators |
Modify firmware environment values | BUILTIN\Administrators |
Perform volume maintenance tasks | BUILTIN\Administrators |
Profile single process | BUILTIN\Administrators |
Profile system performance | NT SERVICE\WdiServiceHost, BUILTIN\Administrators |
Replace a process level token | CONTOSO\SPFarm, CONTOSO\SPServiceApps, CONTOSO\SPWebApps, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE |
Restore files and directories | BUILTIN\Administrators |
Take ownership of files or other objects | BUILTIN\Administrators |
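To check that a server actually matches the table after the GPO applies, the following audit script is added here (it is not from the original post). It assumes the CONTOSO domain and the account names used in the table, and covers six of the rights above, mapped to their Windows privilege constant names; it exports the effective local policy with secedit and reports any principal that is missing from, or added beyond, the baseline.

```powershell
# Added audit script, not part of the original post. Run in an elevated PowerShell
# session. CONTOSO is the example domain from the table above; change it to yours.
$Domain = 'CONTOSO'

# Baseline: Windows privilege constant -> principals expected per the table above.
$Baseline = @{
    'SeIncreaseQuotaPrivilege'      = @("$Domain\SPWebApps", "$Domain\SPServiceApps", "$Domain\SPFarm", 'BUILTIN\Administrators')
    'SeAuditPrivilege'              = @('NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\LOCAL SERVICE', "$Domain\SPFarm")
    'SeImpersonatePrivilege'        = @('NT AUTHORITY\SERVICE', "$Domain\SPWebApps", "$Domain\SPServiceApps", "$Domain\SPContent", 'BUILTIN\Administrators')
    'SeBatchLogonRight'             = @('BUILTIN\Performance Log Users', "$Domain\SPWebApps", "$Domain\SPServiceApps", "$Domain\SPFarm", "$Domain\SPContent", 'BUILTIN\Administrators')
    'SeServiceLogonRight'           = @('NT SERVICE\ALL SERVICES', "$Domain\sqluser", "$Domain\SPWebApps", "$Domain\SPFarm", "$Domain\SPServiceApps", "$Domain\SPContent", 'BUILTIN\Administrators')
    'SeAssignPrimaryTokenPrivilege' = @("$Domain\SPFarm", "$Domain\SPServiceApps", "$Domain\SPWebApps", 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')
}

# Export the effective local security policy (user rights area only) to a temp .inf file.
$inf = Join-Path $env:TEMP 'rights-audit.inf'
secedit /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null

# Parse "SeXxx = *S-1-5-...,*S-1-5-..." lines and resolve each SID to an account name.
$Effective = @{}
foreach ($line in Get-Content $inf -Encoding Unicode) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $right = $Matches[1]; $raw = $Matches[2]
        $names = foreach ($entry in $raw -split ',') {
            $entry = $entry.Trim()
            if ($entry -like '*S-1-*') {
                try {
                    (New-Object System.Security.Principal.SecurityIdentifier $entry.TrimStart('*')).Translate([System.Security.Principal.NTAccount]).Value
                } catch { $entry }   # keep the raw SID if it cannot be resolved (orphaned account)
            } else { $entry }
        }
        $Effective[$right] = @($names | Where-Object { $_ })
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Report drift: a missing principal breaks SharePoint; an extra one widens the privilege surface.
foreach ($right in ($Baseline.Keys | Sort-Object)) {
    $have    = @($Effective[$right])
    $missing = @($Baseline[$right] | Where-Object { $have -notcontains $_ })
    $extra   = @($have | Where-Object { $Baseline[$right] -notcontains $_ })
    if ($missing) { Write-Warning "$right missing: $($missing -join ', ')" }
    if ($extra)   { Write-Warning "$right extra: $($extra -join ', ')" }
    if (-not $missing -and -not $extra) { Write-Output "$right OK" }
}
```

Any "extra" entry should be reconciled against the table before the server is considered hardened, and an unresolved SID usually points at an orphaned account that still holds the right.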