I have one task about get a file by external path (UNC).
I check this file on exists in Install Action with permissions of current domain user. After that I save this path for using in my application.
My application is a fat jar that runs as a service (Action 'Install a service').
After install process service try to run application but not successfully because windows-service run as local user instead domain user.
After that I try to stop service and manually run service with user domain credentials.
So... Can install4j run service with with domain rights without additional actions with credentials? I don't want to ask users for their login and password.
The user accounts that are available out of the box are "Local system", "Local service" and "Network service", these can be selected in the "Account" property of the "Install a service" action.
If you select "Other", you have to fill in the "Account Name or SID" child property.
Related
I'm trying to set up a Windows service with the following requirements:
Runs as a domain account - this account has access to other shares that the process will touch
Has full administrative rights on the machine, past UAC - specifically needs to be able to take ownership of folders
The problem is that the process needs to take ownership of folders at some points, which is done by calling takeown /A /F <file>. This works on the command line, but only when it's explicitly Run as Administrator - being a local admin on the machine does not give full admin rights, and the account still has to go through the UAC prompt, so when running as a service we just get ERROR: The current logged on user does not have administrative privileges.. It seems like the standard way to get around UAC for a service account is to use the Local System account, but that isn't an option because then we can't access the other servers.
Is there any way to set up the service and say "Run as this account, in the context of a full administrator on the machine"? As another potential solution, is there a way to exclude a domain account from UAC on a machine? Any other solution could work as long as it runs as a service, can set folder ownership, and using a domain account. Ideally this is done without opening up big security holes, like fully disabling UAC on the machine.
I am not able to reproduce your problem. Here is how I tested.
Part 1: Create sample directory with non-administrator owner
Create directory C:\TestDir
Disable permission inheritance and copy inherited permissions into explicit permissions
Grant NT SERVICE\TrustedInstaller full control access
Set owner of directory to NT SERVICE\TrustedInstaller
Set Administrators and SYSTEM accounts to have read access
Remove access for all other accounts
After complete, verify that, logged on as elevated administrator, I am not able to create a file in that directory.
Part 2: Create a service that takes ownership of the directory
I did this using nssm (https://nssm.cc):
Create a short batch file, C:\scripts\TestService.cmd, containing the takeown command:
takeown /F C:\TestDir /A
Run nssm install and specify:
Application path: C:\Windows\System32\cmd.exe
Arguments: /C C:\scripts\TestService.cmd
Restart action: Stop service (oneshot mode)
Log on: Specify username and password of an account that's a member of the local Administrators group
stdout redirection: C:\scripts\TestService-stdout.log
stderr redirection: C:\scripts\TestService-stderr.log
I started the service, which executed the C:\scripts\TestService.cmd batch file. (The service stopped immediately after starting, which is expected in this case.) The standard output file C:\scripts\TestService-stdout.log contained the following lines:
C:\Windows\System32>takeown /F C:\TestDir /A
SUCCESS: The file (or folder): "C:\TestDir" now owned by the administrators group.
This experiment demonstrates that a service running using an account that's a member of the local Administrators group runs elevated (i.e., with full administrative privileges).
I am trying to setup Team Foundation Server Build Automation in my local desktop. I am giving my credentials the service to be run as and my credentials has Admin privileges for the Team Collection as per the IT team. But I am getting the below error
[ Verify that the running account has the required Team Foundation
Server permissions ] Failed to create BuildServiceHost object. User
DOMAIN\MyUsername needs the 'ManageBuildResources' permission.
What am I missing here?
Seems you provided your personal domain account in Build Service Properties window as the Build Service account.
Just as the error info mentioned, please double check the account's permission in your Team Project Collection level, ensure it has the Manage build resource permission. You could ask your TFS admin using tf permission command to list all related info.
Moreover the Build Service account usually add in [CollectionName]\Project Collection Build Service Account group. If you haven't join this group, then add your account.
I am running jenkins by extracting the jenkins.war file.I have installed role based authorization strategy plugin for jenkins security.I have created a admin who has full access to jenkins.And I have created users who have access to only their projects.But when I close the command prompt and run jenkins.war again and login as admin I find admin does not having any privilages and the users i have created does not have any access to the privilages.What might be the problem.Is there something I am doing wrong.Please help
I'm not sure if this is proper place for such question (maybe should be placed on SuperUser?), but I'll try.
I have one C# console application and one Windows service. Both does the same, but console app was created before and is kept for backward compatibility. Each of these is running WCF service, whose methods operates on files in C:\ProgramData\MyApp. Console app is run as limited user (non-admin), Windows service runs as NT AUTHORITY\NETWORK SERVICE. When app creates some dirs/files, service cannot delete it and vice versa.
I would like to have it secured. My question is: should I grant full permissions on C:\ProgramData\MyApp to NETWORK SERVICE and current user? Or should I create dedicated user for running service/app?
Assuming your application does not set explicit security permission on newly created files, granting Network Service account Delete permissions on the folder would solve your immediate problem.
This command will do the work:
icacls c:\ProgramData\MyApp /t /grant "NETWORK SERVICE":(OI)(CI)(IO)D
Repeat the same for your other user service account.
I'd like to write a service (that starts up and runs whenever the machine is on) that queries Active directory since the user IIS uses does not have permission to query AD. How do I determine if A) my workstation where I have local admin rights, and B) a shared team workstation will allow me to do this?
Anything you can do as an interactive user can be done by a service with appropriate permissions and configuration, so it isn't so much an issue of determining if you can, but rather configuring the service so that it can.
Your installation package should request an appropriate set of credentials (and of course must be run by a user with privileges to install such a service). The service itself should simply catch and log any permission exceptions.
As an example - look at the SQL Server installation process. Early on it requests that you specify accounts with the required privileges.