System service and UAC

Asked By Phil Sanderson
20-Nov-09 08:13 AM
Hi, we are producing a system service for Windows Server 2008.  One of the
tasks of the service is to create a user and a group.  The service runs as a
minimally-privileged user created on installation.  This service user is
added to the Power Users group, as specified in the documentation for, say,
NetLocalGroupAdd.  The service's executable also has a manifest with
and we get ERROR_ACCESS_DENIED (5) returned by NetLocalGroupAdd. The server
is free-standing (i.e. not a member or controller of a domain).

What am I missing?  I can understand membership of Power Users not being
enough, but what about the elevation requested by the manifest?  UAC is
configured to prompt for credentials when a user requires elevation, but how
does that work when the application is a non-interactive system service?
Should we just run the service as LocalSystem and impersonate the
lower-privileged user?

I'd be very grateful for any assistance, thank you.

Wilson, Phil replied to Phil Sanderson
20-Nov-09 12:51 PM
A service is not going to be prompting for credentials on UAC systems.
They're denied access to the desktop. Running as system and impersonating
seems like the way to go when required.
--
Phil Wilson
The Definitive Guide to Windows Installer
http://www.apress.com/book/view/1590592972
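
The following is an added example, not part of the thread or written by either poster. It reports which account a service is configured to run as and whether that account is a direct member of the local Administrators or Power Users group, the two facts the question turns on. The service name `MyService` is a placeholder, and PowerShell 2.0 or later is assumed.

```powershell
# Added example, not code from the thread. 'MyService' is a placeholder name.
function Get-BuiltinGroupMembers {
    param([Parameter(Mandatory = $true)][string]$Sid)
    # Resolve by well-known SID so the lookup also works on localized systems.
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $ntName = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    $group  = [ADSI]"WinNT://$env:COMPUTERNAME/$($ntName.Split('\')[-1]),group"
    # Direct members only; nested groups are not expanded.
    @($group.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Get-ServiceAccountReport {
    param([Parameter(Mandatory = $true)][string]$ServiceName)
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found." }

    $startName = $svc.StartName              # e.g. LocalSystem or .\svcuser
    $user      = $startName.Split('\')[-1]   # account name without the prefix
    $report = New-Object PSObject -Property @{
        Service          = $svc.Name
        RunsAs           = $startName
        IsLocalSystem    = ($startName -eq 'LocalSystem')
        InAdministrators = $false
        InPowerUsers     = $false
    }
    if (-not $report.IsLocalSystem) {
        # S-1-5-32-544 = BUILTIN\Administrators, S-1-5-32-547 = BUILTIN\Power Users
        $report.InAdministrators = (Get-BuiltinGroupMembers 'S-1-5-32-544') -contains $user
        $report.InPowerUsers     = (Get-BuiltinGroupMembers 'S-1-5-32-547') -contains $user
    }
    $report
}

Get-ServiceAccountReport -ServiceName 'MyService'
```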