Run icinga Windows service with dedicated user account

Does anyone have figured out already how to run icinga Windows service with less access rights?

By default it is configured as Network Service. Changing it to a new simply user and allowing this user to run as a service is obviously not enough since the service cannot be started anymore. With adding the new user to the administrators group icinga service could be started. But I’d like to have a readonly user with some additional grants only. I’ve been trying to find missing access rights using ProcMon without success.

Ok, I’ve found the reason: C:\ProgramData\icinga2\etc has security inheritance disabled (I’d assume this is done by the installer). Hence, the new user needs to be granted for C:\ProgramData\icinga2\etc\ as well as C:\ProgramData\icinga2\.

We faced a similar problem with the new installed PowerShell-Plugin and -Framework. e.g. the check for EventLog could cache the last check. And the check triggerd by icinga run into a problem, because there were no write permissions to write into the own directory.
With the own user it worked fine.