2

I created a Windows Service that starts a program in the background and makes sure a web application needs no further installation.

When I start this service in the administrator account, the background program launches nice and quietly and runs under the user name

https://i.stack.imgur.com/bEZaW.png

Everything works perfectly, I can just visit the site without extra information and so on.

It also works when I log out, and log in with a different admin.

HOWEVER, it doesn't work under a standard user of the domain. The process does start, but not under SYSTEM (but blank user name) and so the background program launches, but not with the correct user name.

Why is this? And what do I need to change so that all the standard users who log in also have this service run as admin?

Kahn Kah

1 Answer

1

I suspect the issue is this: The SYSTEM account only has local (not domain or network) auth, so when a normal user logs in, it can't spawn or command any processes already running at elevated rights. This is a feature, not a bug - can't have user or guest accounts making calls to root-level processes without some kind of abstraction layer to keep those users/guests from elevating themselves.

If I may offer an alternative method: create an account that has the appropriate permissions to modify the web app, administer it, etc., and run your service under those creds. Lock out this account for Interactive use (no one can log in using it) and ensure it doesn't have rights to the whole system, just the web app and appropriate resources including your upgrade checker program.

Since you're checking update status of your web app, rather than triggering a check on user log in, run it (again with the service account above) as a Scheduled Task. That way you don't need a specific service running to launch your upgrade background task when a user hits the site; instead it's scanned and upgraded on a set schedule, already in background.

George Erhard
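A sketch of the setup described in the answer above, added here as an example and not taken from the original post. It assumes a local (not domain) account, and the account name, paths and task name are hypothetical placeholders.

```powershell
#Requires -RunAsAdministrator
# Hypothetical names and paths (assumptions): replace with your own.
$AccountName = 'svc-webapp-update'
$AppDir      = 'C:\inetpub\MyWebApp'
$Updater     = 'C:\inetpub\MyWebApp\tools\UpdateChecker.exe'
$TaskName    = 'MyWebApp update check'

# Prompt for the password so it never sits in the script or shell history.
$Secure = Read-Host -Prompt "Password for $AccountName" -AsSecureString

# 1. Dedicated account. New-LocalUser does not add it to Administrators
#    (or any other local group), so it starts with no system-wide rights.
New-LocalUser -Name $AccountName -Password $Secure `
    -Description 'Runs the web app update checker only' `
    -PasswordNeverExpires -UserMayNotChangePassword | Out-Null

# 2. Modify rights on the web app folder only, inherited by files and subfolders.
icacls $AppDir /grant "${AccountName}:(OI)(CI)M" | Out-Null

# 3. Run the checker on a schedule, in the background, as that account.
$Action   = New-ScheduledTaskAction -Execute $Updater -WorkingDirectory $AppDir
$Trigger  = New-ScheduledTaskTrigger -Daily -At '03:00'
$Settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 30)

# Register-ScheduledTask takes the password as plain text; keep it short-lived.
$Plain = [System.Net.NetworkCredential]::new('', $Secure).Password
Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Settings $Settings -User "$env:COMPUTERNAME\$AccountName" `
    -Password $Plain -RunLevel Limited | Out-Null
Remove-Variable Plain

# 4. User rights have no built-in cmdlet; set them in Local Security Policy
#    or a GPO: add the account to "Deny log on locally" and
#    "Deny log on through Remote Desktop Services". The task itself needs
#    the account to hold "Log on as a batch job".

# Confirm which principal the task will run as.
(Get-ScheduledTask -TaskName $TaskName).Principal | Format-List UserId, LogonType, RunLevel
```

`-RunLevel Limited` keeps the task at the account's normal token, so the only privileges in play are the folder rights granted in step 2.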