How to Add NETWORK SERVICE Account to Local Users Group in Windows Server


2 views

When migrating applications between Windows servers, you might encounter permission requirements involving the special NETWORK SERVICE account. This system account runs network-related services with limited privileges, and sometimes needs explicit group membership for proper application functioning.

The confusion arises because NETWORK SERVICE isn't visible through normal GUI tools. These approaches won't work:

  • Searching for "NETWORK SERVICE" in Computer Management GUI
  • Trying "netname\\NETWORK SERVICE" or "BY AUTHORITY\\NETWORK SERVICE" formats

The proper way involves using the built-in SID (Security Identifier) for this account:

net localgroup Users "NT AUTHORITY\NETWORK SERVICE" /add

Alternatively, you can use PowerShell with admin privileges:

Add-LocalGroupMember -Group "Users" -Member "NT AUTHORITY\NETWORK SERVICE"

Confirm the membership with either:

net localgroup Users

Or in PowerShell:

Get-LocalGroupMember -Group "Users" | Where-Object {$_.Name -like "*NETWORK SERVICE*"}

For environments where command line isn't preferred:

  1. Open secpol.msc
  2. Navigate to Security Settings > Local Policies > User Rights Assignment
  3. Find "Access this computer from the network" policy
  4. Add "NETWORK SERVICE" account

If you encounter "System error 1379" (account doesn't exist), ensure you're using the exact syntax:

Correct: NT AUTHORITY\NETWORK SERVICE
Incorrect: NETWORK SERVICE (without the authority prefix)

Many applications assume NETWORK SERVICE has Users group membership by default, but this isn't always true in newer Windows versions. The account needs proper permissions to:

  • Access network resources
  • Read application configurations
  • Write to temporary directories

When migrating applications between Windows servers, you'll often encounter permission requirements involving the NETWORK SERVICE account. This built-in identity runs network services with limited privileges, but some legacy applications specifically require it to be in the Users group.

The standard Computer Management GUI won't show NETWORK SERVICE in the user selection dialog because:

  • It's not a standard user account
  • It belongs to the NT AUTHORITY security principal
  • The GUI filters out service accounts by default

The most reliable method uses the net localgroup command:

net localgroup "Users" "NT AUTHORITY\NETWORK SERVICE" /add

Verify the addition with:

net localgroup "Users"

For modern servers, PowerShell provides more flexibility:

Add-LocalGroupMember -Group "Users" -Member "NT AUTHORITY\NETWORK SERVICE"
Get-LocalGroupMember -Group "Users" | Where-Object {$_.Name -like "*NETWORK SERVICE*"}

If you receive "System error 1379" (account doesn't exist), try:

  1. Using the full SID format: S-1-5-20
  2. Verifying UAC isn't blocking the operation
  3. Running the command as Administrator

Before adding service accounts to user groups:

  • Audit which services run as NETWORK SERVICE
  • Consider creating a dedicated service account instead
  • Document the change in your security policy

For SQL Server integration, you might need additional steps:

-- T-SQL example for SQL Server permissions
USE [master]
GO
CREATE LOGIN [NT AUTHORITY\NETWORK SERVICE] FROM WINDOWS
GO