Asked By Phil Sanderson
20-Nov-09 08:13 AM
Hi, we are producing a system service for Windows Server 2008. One of the
tasks of the service is to create a user and a group. The service runs as a
minimally-privileged user created on installation. This service user is
added to the Power Users group, as specified in the documentation for, say,
NetLocalGroupAdd. The service's executable also has a manifest with
and we get ERROR_ACCESS_DENIED (5) returned by NetLocalGroupAdd. The server
is free-standing (i.e. not a member or controller of a domain).
What am I missing? I can understand membership of Power Users not being
enough, but what about the elevation requested by the manifest? UAC is
configured to prompt for credentials when a user requires elevation, but how
does that work when the application is a non-interactive system service?
Should we just run the service as LocalSystem and impersonate the
lower-privileged user?
I'd be very grateful for any assistance, thank you.