Once the CA Spectrum OneClíck-server install (standalone OC-server - or in bundle with CA Spetrum SpectroSERVER install) is done, this will install and appyl the CA Spectrum Apache ModSecurity files and services too.
The installation - once completed - is owned by CA Spectrum install owner account at local host OS-level. When install is completed, enable the CA Spectrum Apache ModSecurity setup (see here: https://docops.ca.com/ca-spectrum/10-2-2/en/administrating/oneclick-administration/oneclick-server-communications-and-network-configuration/enable-modsecurity-web-application-firewall).
Now - make use of the Windows service panel - find and select the CA Spectrum installed Apache service and change the assigned service account to a "limited" (local / non_local) account. When doing this the Windows service verification will grant automatically the required "service rights" to enable this account to be able to host the service-context.
In addition - and this is important - you have to grant the now assigned "service account" to the $SPECROOT/apache/logs and the $SPECROOT/apache/tmp for read/write permission.