I'm trying to set up a Windows service with the following requirements:
- Runs as a domain account - this account has access to other shares that the process will touch
- Has full administrative rights on the machine, past UAC - specifically needs to be able to take ownership of folders
The problem is that the process needs to take ownership of folders at some points, which is done by calling `takeown /A /F <file>`. This works on the command line, but only when it's explicitly Run as Administrator - being a local admin on the machine does not give full admin rights, and the account still has to go through the UAC prompt, so when running as a service we just get `ERROR: The current logged on user does not have administrative privileges.` It seems like the standard way to get around UAC for a service account is to use the Local System account, but that isn't an option because then we can't access the other servers.
Is there any way to set up the service and say "Run as this account, in the context of a full administrator on the machine"? As another potential solution, is there a way to exclude a domain account from UAC on a machine? Any other solution could work as long as it runs as a service, can set folder ownership, and uses a domain account. Ideally this is done without opening up big security holes, like fully disabling UAC on the machine.
I am not able to reproduce your problem. Here is how I tested.
Part 1: Create sample directory with non-administrator owner
- Directory: `C:\TestDir`
- Owner: `NT SERVICE\TrustedInstaller`
- Permissions: full control access for `NT SERVICE\TrustedInstaller`; `Administrators` and `SYSTEM` accounts to have read access

After complete, verify that, logged on as elevated administrator, I am not able to create a file in that directory.
Part 2: Create a service that takes ownership of the directory
I did this using nssm (https://nssm.cc):
- Create a short batch file, `C:\scripts\TestService.cmd`, containing the `takeown` command: `takeown /F C:\TestDir /A`
- Run `nssm install` and specify:
  - Application: `C:\Windows\System32\cmd.exe`
  - Arguments: `/C C:\scripts\TestService.cmd`
  - Exit action: Stop service (oneshot mode)
  - Log on as: an account in the `Administrators` group
  - Standard output: `C:\scripts\TestService-stdout.log`
  - Standard error: `C:\scripts\TestService-stderr.log`

I started the service, which executed the `C:\scripts\TestService.cmd` batch file. (The service stopped immediately after starting, which is expected in this case.) The standard output file `C:\scripts\TestService-stdout.log` contained the following lines:

This experiment demonstrates that a service running using an account that's a member of the local `Administrators` group runs elevated (i.e., with full administrative privileges).
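As an added example (not part of the answer above or of nssm), the following PowerShell script can stand in for the batch file so the service log records *why* `takeown /A` succeeds or fails: it checks whether the process token is elevated and whether `SeTakeOwnershipPrivilege` is present before running the same `takeown` call. The log path is an assumption; the target directory is the one from the answer.

```powershell
# Added example: log the service's token state, then take ownership as the answer does.
$LogFile = 'C:\scripts\TestService-check.log'   # assumed path, not from the answer
$Target  = 'C:\TestDir'                          # directory used in the answer

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

# With UAC on, an interactive admin gets a filtered token in which the
# Administrators SID is deny-only, so IsInRole() returns $false. A service
# process receives the account's full token, so here it should be $true.
$elevated = $principal.IsInRole($adminRole)

# takeown /A needs SeTakeOwnershipPrivilege; it is only present in the full token.
$privs   = whoami /priv /fo csv | ConvertFrom-Csv
$takeOwn = $privs | Where-Object { $_.'Privilege Name' -eq 'SeTakeOwnershipPrivilege' }

"$(Get-Date -Format o) user=$($identity.Name) elevated=$elevated SeTakeOwnershipPrivilege=$($takeOwn.State)" |
    Out-File -FilePath $LogFile -Append

if (-not $elevated) {
    "Token is not elevated; takeown /A would fail with 'does not have administrative privileges'." |
        Out-File -FilePath $LogFile -Append
    exit 1
}

# Same command as the batch file in the answer; keep exit code and output for the log.
$output = & takeown.exe /F $Target /A 2>&1
"takeown exit=$LASTEXITCODE output=$output" | Out-File -FilePath $LogFile -Append
exit $LASTEXITCODE
```

Run it first from an unelevated console and then from the service to compare the two log lines: the console run shows `elevated=False` and no privilege, the service run shows `elevated=True`.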