What is the least set of privileges required that an account needs to be assigned in order to install a service using sc.exe? With account privileges I mean Local Security Settings in Windows Server 2003.
This service needs to be installed as part of a deployment script and is done remotely to said server by issuing something like the following command:
sc \\<server> create <servicename> binPath=<directory\service.exe> start=auto
Installing a service remotely requires no privileges on the target machine except the right to log on. But the account used must have the SC_MANAGER_CREATE_SERVICE access right on the Service Control Manager on the machine. This right is by default only given to members of the Administrators group. So by default the installing account must be an administrator on the target machine.
For systems prior to Windows Server 2003 SP1 (i.e W2K3, XP, W2K, etc.) the SCM security descriptor cannot be altered so this is the end of the story - you must be an administrator to install a service.
For W2K3 SP1 and later, if you do not want to run the script as an administrator then you could modify the security descriptor on the Service Control Manager for the target machine to include an ACE for the account the script runs under with the appropriate right(s). In general though, you would probably be better off re-thinking your deployment process to use an administrative account for service installation.
Related
On my new Windows 10, as I am trying to install Jenkins, I encountered following prompt:
Since I don't know what local or domain user creds to enter, I keep on getting following error:
Error logging on DESKTOP-xxxx\user: The user name or password is incorrect
From reading the official doc, I am understanding that this is something new that Jenkins installer is doing for running as a Windows service, but where do I find these credentials on Windows?
Most of the applications when installed on Windows OS may want to run as a service using either the local system account or a specific account which needs specific permissions on the OS. Please use any local admin account which already there on the system where you are trying to install Jenkins. If the system is joined to a domain, prefer to use an domain account which has admin privileges on the system.
The worst advice to grand admin permissions for a single service.
You need to use local existing credentials from your windows system (if it's not connected to a domain) or a domain creds. Don't use admin creds for the installation.
I was installing the filebeat application and I noticed that I needed to run powershell as administrator in order to install them. When I checked the service using wmic service get name,startname,status it showed Local System. I'm wondering what this account is as this is neither the user account or the administrator account. Will this always be the case when I install services as administrator? What is the difference if I install it as a normal user and as administrator?
In any case, I've set this service to start automatically when windows start. Would this service start only when the user I used to install it logs in or will it start regardless of which user logs in?
OK, let's unpack that one by one, in no particular order:
Only a user with administrator rights can install a service.
Services that are configured to start automatically are started as soon as Windows is up and running; Windows does not wait until somebody logs in. It makes no difference to the service who the logged-on user is, or whether anybody is logged in at all, unless the service application itself has been explicitly programmed to check.
The program that installs the service decides what account the service uses to run. Windows doesn't care what user account was used to install the service, it doesn't even keep track.
If the program that installs the service wants it to use an ordinary user account, it must know the password for that account. There are various special accounts that a service can run in, these accounts do not require a password. One of these special accounts is Local System.
Local System is the highest-privilege service account in Windows; it has all the same rights as an administrator, and can do things an administrator can't. Local System is also the account that the user-mode part of Windows itself runs in, roughly equivalent to the UNIX root account except that it doesn't have a password.
Additional notes, for completeness:
One alternative to Local System is for the service to run as Local Service or as Network Service, which are non-administrative service accounts. The only difference between the two is that if the computer is joined to an Active Directory domain, the Network Service account has network access to other machines in the domain and the Local Service account does not.
It is also possible to configure a service to run in a special service account that is unique to that particular service. This is mostly useful if you want the service to have access to a particular file or folder, but do not want to give it administrator rights.
Nitpickers corner:
It is I believe technically possible to reconfigure Windows to allow non-administrators to install services, but this is not supported and would be a Very Bad Idea. If you did, though, it would still make no difference who installed the service. Windows doesn't record this information.
Running a rather large network with an MDT deployment server. I currently have another person who works with me registered as a 'Enterprise Administrator'. Part of his job is imaging machines. Currently I have it set so that devices that need imaging are set as 'Pending' until allowed within Windows Deployment Services.
When the EAdmin tries to open the 'pending devices' tab of WDS, he gets an access is denied message.
How do I go about delegating permissions to use WDS to this user?
(Server 2012)
Solved.
Needed to add the user in to the LOCAL administrator's group for the deployment server.
How can I configure Visual Studio remote debugging when:
My developer machine is a member of an AD domain, and my username is "DevelopersName".
The "remote" machine is on the same Ethernet segment, but is not part of the domain.
The "remote" machine must run software under "RemoteUserName".
Most documentation I can find suggests that you need have both machines in the same domain and with identical usernames. That's not possible here.
I could possibly add my username to "remote", but the software still needs to run under "RemoteUserName.
If it helps, I could add 2nd network card to my developer machine and directly connect the "remote" machine.
Using VS2008, but will be moving soon to VS2010.
Thank you.
Sorry, but I've just spent the last 10 hours trying to debug your exact problem. My findings are not good.
You need to get your accounts synced, especially if you are using your remote app to connect to other systems in your SOA environment, ie: Sharepoint, AD.
You can to some extent get remote debugging to work, if you create an account on your local machine with the same name as that of your remote machine (lets do it like this rather rather than working with the domain account).
You then need to make sure the remote service is running under this account, and its a member of the administrators group. And by this I mean hold down control, and right click run as - with the remote debugger, and select the user (not required if remote server is logged in as the required user).
Run the wizard it will open the required ports, use Authentication, because non authentication won't debug managed code. Breakpoints are never met, and there is nothing you can do about this.
On your local dev machine, log off your domain account, and log onto the local account with matching name as the account on server thats running the remote service.
Now you stand a change of remote debugging. If you can't do any of the above, sorry there is no workaround, its entirely dependent on the user account and having the right permissions.
If you don't want to create a local account, try starting our debugger via command prompt using the following command:
runas /user:[user#machinename] /netonly [debugger.exe]
E.g.:
runas /user:john#mypc123 /netonly devenv.exe
I assume it's managed debugging you're talking about (for native debugging there's a remote debugging solution with no authentication). In this case, I would suggest that you use a local user to launch the debugger on your machine. If this local user's name and password match "RemoteUserName"'s name and password, it should work.
(Note that this does not preclude you from using the AD account to log in to your workstation, you just need to set up another account and use runas to launch Visual Studio.)
I have a script written in Visual Basic that starts a process (given to the script as an argument) on a remote system (again, given as an argument) using WMI. This script works fine when using an Administrator account on the remote system, but when using a non-administrator account, I get the following error:
ConnectServer Failed w/ (-2147024891) Access is denied.
I'd like to be able to run processes on remote systems as a non-administrator user with this script, and I'm pretty sure the problem is due to security settings on the remote system, but I've not been able to reset the right ones.
It sounds like you need to configure launch and activation permissions for this user, on the target machine, via DCOMCNFG. By default non-admin users do not have remote launch and activiation permissions.
Alternatively, depending on the operating system you are connecting to, there may be a "Distributed COM Users" group to which you can add your user. This group already has the appropriate permissions. The Distributed COM Users group was first included in Windows Server 2003 Service Pack 1 (DCOM Security Enhancements).
You can read more about WMI and DCOM permissions here. More detailed steps on how to configure WMI and DCOM are included in the serverfault thread Which permissions/rights does a user need to have WMI access on remote machines?.