This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies. The recommended state for this setting is to include: 'Guests'. Note: This security setting does not apply to the System, Local Service, or Network Service accounts.
Solution
To establish the recommended configuration via GP, set the following UI path to include 'Guests': Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a service