System service and UAC

Asked By Phil Sanderson
19-Nov-09 08:40 AM
Hi, we are producing a system service for Windows Server 2008.  One of the
tasks of the service is to create a user and a group.  The service runs as a
minimally-privileged user created on installation.  This service user is
added to the Power Users group, as specified in the documentation for, say,
NetLocalGroupAdd.  The service's executable also has a manifest with
and we get ERROR_ACCESS_DENIED (5) returned by NetLocalGroupAdd.  The server
is free-standing (i.e. not a member or controller of a domain).

What am I missing?  I can understand membership of Power Users not being
enough, but what about the elevation requested by the manifest?  UAC is
configured to prompt for credentials when a user requires elevation, but how
does that work when the application is a non-interactive system service?
Should we just run the service as LocalSystem and impersonate the
lower-privileged user?

I'd be very grateful for any assistance, thank you.

PA Bear [MS MVP] replied to Phil Sanderson
19-Nov-09 01:53 PM
Try posting in windows.server.security newsgroup instead, Phil.