Correcting MID Server Windows service account user and permissions

Table of Contents
- Add start/stop permissions to the Service User
- Log on user is local system or part of Administrators

Add start/stop permissions to the Service User

If the current log on user for the MID Server is identified as missing start/stop permissions, follow the steps below to add the permissions.

1. Create a new file named GrantStartStopPerm.ps1 with the following code in it:

```powershell
Function GrantStartStopPerm {
    Param(
        [string]$username,
        [string]$servicename
    )
    # Resolve the account name to its SID; SDDL ACEs reference SIDs, not names.
    $user = New-Object System.Security.Principal.NTAccount($username)
    $sid = $user.Translate([System.Security.Principal.SecurityIdentifier]).Value
    Write-Output "Sid : $sid"

    # sc.exe prints the SDDL on its own line (often preceded by a blank line);
    # join the output into one string so the comparisons and 'sc.exe sdset'
    # operate on a single value rather than an array of lines.
    $sd = (sc.exe sdshow $servicename | Where-Object { $_ }) -join ''
    Write-Output "SD value : $sd"

    if( !($sd -like "*$sid*") ){
        # Allow ACE granting LC (query status), RP (start) and WP (stop) to the SID,
        # inserted at the end of the DACL, immediately before the SACL marker.
        $permsToAdd = [string]::Format(")(A;;LCRPWP;;;{0})S:(", $sid)
        if($sd -match [regex]::Escape(")S:(")){
            $sd = $sd -replace [regex]::Escape(")S:("), $permsToAdd
            $result = sc.exe sdset $servicename $sd
            Write-Output "SD changed : $sd"
            Write-Output "Result : $result"
        }else{
            Write-Output "No SACL marker ')S:(' found in SD; nothing changed"
        }
    }else{
        Write-Output "Sid is already part of SD"
    }
}
```

2. Start the PowerShell console as Administrator and load the file by dot-sourcing GrantStartStopPerm.ps1. For example:

   C:\Users\mid_account\Desktop> . .\GrantStartStopPerm.ps1

3. Run the sourced function GrantStartStopPerm with the non-admin account and the service name as the inputs. For example:

   GrantStartStopPerm mid_account snc_mid_test

Expected output line on success:

   Result : [SC] SetServiceObjectSecurity SUCCESS

Log on user is local system or part of Administrators

If the current log on user for the MID Server is identified as 'LocalSystem', or as a user that is a member of the Administrators group, the log on user must be changed, as stated in the ServiceNow documentation. Follow the steps below to make the change.

1. Create the new Windows user.
   - This can be a user local to the host, or a domain user.
   - The user cannot be a local system or an administrator level account (local admin, domain admin, etc.).
   - The service account must have the "Log on as a service" right, which is required for an account to be used as the log on user for a service. See Create a Windows service account with "Log on as Service" [KB0867669].
2. Add start/stop permissions to the user (follow the steps above).
3. Add the account name to the MID Server parameter mid.windows_host.file_permissions.allow_list in the MID Server host's config.xml file. This step adds the non-admin account to the allow list. See MID Server parameters for more information about mid.windows_host.file_permissions.allow_list and for instructions on adding a parameter to the config.xml file.
   Note: Use the format ".\<username>" for a local user. Domain accounts should be specified by their SID. Do not use the "<domain>\<username>" or user@domain format.
   Note: The SID can be retrieved by running the following command at the cmd prompt: wmic useraccount where name='<username>' get name,sid
4. Temporarily set the MID Server service to run as System, or as a user with Administrator rights.
   Note: The new file permission enforcement rules take effect when the MID Server starts, which requires it to be running as admin/system to make those changes.
5. Restart the MID Server.
6. Set the MID Server service to the new non-admin user account.
7. Restart the MID Server.
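As an added check that is not part of this KB article, the following PowerShell function reports whether a service's log on account meets the requirements above (not LocalSystem, not a member of the local Administrators group, and granted RP/WP start/stop rights in the service's SDDL) and prints the value to put in mid.windows_host.file_permissions.allow_list. The function name and its output labels are my own; the service name snc_mid_test is reused from the example above as an assumed value.

```powershell
Function Test-MidServiceAccount {
    Param([Parameter(Mandatory)][string]$ServiceName)

    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found" }
    $logon = $svc.StartName        # e.g. LocalSystem, .\mid_account, DOMAIN\user
    Write-Output "Log on as : $logon"
    $issues = @()

    if ($logon -ieq 'LocalSystem' -or $logon -ilike 'NT AUTHORITY\*') {
        $issues += 'Runs as a built-in system account; use a dedicated non-admin user.'
    } else {
        # '.\user' means the local machine; NTAccount needs the real machine name.
        $isLocal  = ($logon -ilike '.\*') -or ($logon -ilike "$env:COMPUTERNAME\*")
        $acctName = $logon -replace '^\.\\', "$env:COMPUTERNAME\"
        $sid = (New-Object System.Security.Principal.NTAccount($acctName)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        # Local users go in the allow list as '.\name'; domain users as their SID.
        $allowValue = if ($isLocal) { '.\' + $logon.Split('\')[-1] } else { $sid }
        Write-Output "SID : $sid"
        Write-Output "allow_list value : $allowValue"

        # Membership of the local Administrators group (well-known SID S-1-5-32-544).
        try {
            $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
            if ($admins.SID.Value -contains $sid) {
                $issues += 'Account is a member of the local Administrators group.'
            }
        } catch { $issues += "Could not enumerate Administrators: $_" }

        # Start (RP) and stop (WP) rights: find Allow ACEs for this SID and split
        # the rights field into two-letter SDDL codes to avoid matches across codes.
        $sd = (sc.exe sdshow $ServiceName | Where-Object { $_ }) -join ''
        $rights = @()
        foreach ($m in [regex]::Matches($sd, "\(A;[^;]*;([A-Z]+);;;$sid\)")) {
            $r = $m.Groups[1].Value
            $rights += 0..($r.Length / 2 - 1) | ForEach-Object { $r.Substring(2 * $_, 2) }
        }
        foreach ($need in 'RP', 'WP') {
            if ($rights -notcontains $need) { $issues += "Service SD lacks '$need' for $sid." }
        }
    }
    $issues | ForEach-Object { Write-Output "ISSUE: $_" }
    if (-not $issues) { Write-Output 'OK: log on user and start/stop permissions look correct.' }
    return ($issues.Count -eq 0)
}
Test-MidServiceAccount -ServiceName 'snc_mid_test'   # assumed example service name
```

Run it from an elevated PowerShell console before and after the steps above; a result of True means no issue was found.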