  • We have two environments, staging and production, both running a Windows service.
  • We use a build server to deploy a certain Windows service via MSDeploy.
  • Part of the build steps is running a CMD script that checks if the service is running and, if so, tries to stop it via "net stop xxx".
  • The build agent runs under a domain account.
  • MSDeploy is using NTLM authentication.

For both the production and staging environments, the build agent user has the same rights, although the "net stop xxx" only works in one environment.

In one environment, the "net stop" command fails with "System error 5, access is denied".

User permissions for the service control commands are set via subinacl utility.

I have tried various permissions; none of them work completely:

  • TOP permissions cause the user not to be able to read the service status.
  • F or TOPS are okay to read the service status, but cannot stop or start the service; error 5 (access denied) always comes up.
  • For F, subinacl shows the following output: "/pace =foo\bar ACCESS_ALLOWED_ACE_TYPE-0x0 SERVICE_ALL_ACCESS"
  • Both stop and start commands give "Access denied".

Is there any other permission or server roles needed for the user to be able to start/stop a service? We do not want to give the build agent user administrative privileges.


Update:

I have dug a bit deeper. Using procmon, the net and net1 commands all succeed, but with exit status code 2.

Also, while running the scripts locally with the same user account via runas, the service is stopped/started just fine, so it seems to be somehow related to MSDeploy impersonation.
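A check that fits this situation, added here as an example and not part of the original question: a PowerShell script that decodes the service's DACL from the SDDL that `sc sdshow` prints and lists, per service-control right, what is explicitly granted to one account, so a missing SERVICE_STOP or SERVICE_START stands out without relying on subinacl's summary. The service name `xxx` and account `foo\bar` are the question's placeholders; rights that arrive through group membership and the token MSDeploy actually impersonates with are not covered by it.

```powershell
# Added diagnostic (not from the original post): decode a service's DACL from
# the SDDL that 'sc sdshow' prints and show which service-control rights are
# granted explicitly to one account. Service name and account are placeholders.
param(
    [string]$ServiceName = 'xxx',     # placeholder, as in the question
    [string]$Account     = 'foo\bar'  # placeholder build-agent account
)

# Service-specific access-right bits from winsvc.h
$ServiceRights = [ordered]@{
    SERVICE_QUERY_CONFIG         = 0x0001
    SERVICE_CHANGE_CONFIG        = 0x0002
    SERVICE_QUERY_STATUS         = 0x0004   # needed to read the service status
    SERVICE_ENUMERATE_DEPENDENTS = 0x0008
    SERVICE_START                = 0x0010   # needed by 'net start'
    SERVICE_STOP                 = 0x0020   # needed by 'net stop'
    SERVICE_PAUSE_CONTINUE       = 0x0040
    SERVICE_INTERROGATE          = 0x0080
    SERVICE_USER_DEFINED_CONTROL = 0x0100
}
$GenericAll = 0x10000000   # GENERIC_ALL maps onto every service right

# 'sc sdshow' prints the descriptor as a single SDDL line
$sddl = & sc.exe sdshow $ServiceName | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^(O:|G:|D:|S:)' } | Select-Object -First 1
if (-not $sddl) { throw "Could not read the security descriptor of service '$ServiceName'" }

$sd  = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Collect allow and deny masks from ACEs that name this exact SID.
# Caveat: rights granted through group membership are not counted here, and
# nothing here reflects the token MSDeploy impersonates with on the target.
$allowed = 0; $denied = 0
foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
    if ($ace.SecurityIdentifier.Value -ne $sid) { continue }
    $mask = $ace.AccessMask
    if ($mask -band $GenericAll) { $mask = $mask -bor 0x1FF }
    if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) { $allowed = $allowed -bor $mask }
    elseif ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessDenied) { $denied = $denied -bor $mask }
}
$effective = $allowed -band (-bnot $denied)   # an explicit deny wins over an allow

# One line per right, so a missing SERVICE_STOP or SERVICE_START stands out
foreach ($name in $ServiceRights.Keys) {
    $state = if ($effective -band $ServiceRights[$name]) { 'granted' } else { 'missing' }
    '{0,-30} {1}' -f $name, $state
}
```

Run it on both hosts as the deploying account and diff the two listings; if both show SERVICE_STOP and SERVICE_START granted, the DACL is not the difference and the impersonated token is the next thing to compare.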
