2 files changed, 9 insertions, 1 deletions

diff --git a/lib/chef/provider/service/windows.rb b/lib/chef/provider/service/windows.rb
index cba626145a..791731f5e7 100644
--- a/lib/chef/provider/service/windows.rb
+++ b/lib/chef/provider/service/windows.rb
@@ -93,7 +93,8 @@ class Chef::Provider::Service::Windows < Chef::Provider::Service
       Win32::Service.configure(new_config)
       logger.info "#{@new_resource} configured with #{new_config.inspect}"
 
-      if new_config.has_key?(:service_start_name)
+      # LocalSystem is the default runas user, which is a special service account that should ultimately have the rights of BUILTIN\Administrators, but we wouldn't see that from get_account_right
+      if new_config.has_key?(:service_start_name) && !new_config[:service_start_name].casecmp("localsystem")
         unless Chef::ReservedNames::Win32::Security.get_account_right(canonicalize_username(new_config[:service_start_name])).include?(SERVICE_RIGHT)
           grant_service_logon(new_config[:service_start_name])
         end
diff --git a/spec/unit/provider/service/windows_spec.rb b/spec/unit/provider/service/windows_spec.rb
index 7cfc645b32..85e3122a11 100644
--- a/spec/unit/provider/service/windows_spec.rb
+++ b/spec/unit/provider/service/windows_spec.rb
@@ -589,6 +589,13 @@ describe Chef::Provider::Service::Windows, "load_current_resource", :windows_onl
         expect(Chef::ReservedNames::Win32::Security).not_to receive(:add_account_right).with("wallace", service_right)
         provider.start_service
       end
+
+      it "skips the rights check for LocalSystem" do
+        new_resource.run_as_user("LocalSystem")
+        expect(Chef::ReservedNames::Win32::Security).not_to receive(:get_account_right)
+        expect(Chef::ReservedNames::Win32::Security).not_to receive(:add_account_right)
+        provider.start_service
+      end
     end
   end