logon as service privilege problem

Hello,

I have a small C# code to install a Windows service. The service is running on a domain user account which got created in the code just before the service is created.

I did some testing and got a very strange error:

In my test environment, I have three machines as a domain (2 machines have AD, and another one just works as a workstation or file server).

When I test my code on the machines that have AD on, everything is good.

But when I test my code on the file server (without AD installed), I got a Windows service failed to start "Logon failure: account currently disabled" error. The service was created and the user was created. I checked the account detail and it was sure that the account was neither disabled nor locked out.

I did some debugging and if I manually change the logon info for the service, I will get a message "The user has been granted logon as service". So does this mean that I need to explicitly give the user "logon as service" privilege before I use it to start the service? I have some doubts on this, because I don't need to do this on my two AD machines.

Many Thanks

Jerry


Yes, any account that will execute a service must have log on as a service privilege. If you are creating this account and want to ensure that this account will have that privilege, you probably also need to programmatically enable that.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--


On 13 May, 04:17, "Joe Kaplan" <joseph.e.kap***@removethis.accenture.com> wrote:
> Yes, any account that will execute a service must have log on as a service
> privilege. If you are creating this account and want to ensure that this
> account will have that privilege, you probably also need to programmatically
> enable that.

Thanks Joe.

But why do I not need to programmatically assign the right on my test AD machines (at least from my test I don't need to do it)? Any idea with it?

Thanks


Is the ID already in a group that has that privilege? Something must be granting that privilege. It could have also been set manually previously. Note that you don't have to set this programmatically during your installation if you don't mind setting it manually. I was just suggesting that you might want to do that to ensure that it will work.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
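
One way to grant the right programmatically at install time, as suggested in the replies above: an added C# example (not code from the thread) that calls the Win32 LSA functions LsaOpenPolicy and LsaAddAccountRights through P/Invoke. The class name ServiceLogonRight, the Grant and Check methods and the account name in the usage comment are assumptions made for this illustration.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class ServiceLogonRight
{
    [StructLayout(LayoutKind.Sequential)]
    struct LSA_UNICODE_STRING { public ushort Length, MaximumLength; public IntPtr Buffer; }
    [StructLayout(LayoutKind.Sequential)]
    struct LSA_OBJECT_ATTRIBUTES
    {
        public int Length; public IntPtr RootDirectory, ObjectName;
        public uint Attributes; public IntPtr SecurityDescriptor, SecurityQualityOfService;
    }
    [DllImport("advapi32.dll")] static extern uint LsaOpenPolicy(
        IntPtr systemName, ref LSA_OBJECT_ATTRIBUTES attrs, uint access, out IntPtr policy);
    [DllImport("advapi32.dll")] static extern uint LsaAddAccountRights(
        IntPtr policy, byte[] sid, LSA_UNICODE_STRING[] rights, uint count);
    [DllImport("advapi32.dll")] static extern uint LsaClose(IntPtr handle);
    [DllImport("advapi32.dll")] static extern uint LsaNtStatusToWinError(uint status);

    const uint POLICY_CREATE_ACCOUNT = 0x10, POLICY_LOOKUP_NAMES = 0x800;

    // Adds "Log on as a service" for the account in the LOCAL security policy of this machine.
    // Usage (constructed account name): ServiceLogonRight.Grant(@"EXAMPLE\svc-account");
    public static void Grant(string account)
    {
        // Resolve DOMAIN\user to a binary SID, which is what the LSA API expects.
        var sid = (SecurityIdentifier)new NTAccount(account).Translate(typeof(SecurityIdentifier));
        var sidBytes = new byte[sid.BinaryLength];
        sid.GetBinaryForm(sidBytes, 0);

        var attrs = new LSA_OBJECT_ATTRIBUTES { Length = Marshal.SizeOf(typeof(LSA_OBJECT_ATTRIBUTES)) };
        IntPtr policy;  // IntPtr.Zero as system name opens the policy of the local machine
        Check(LsaOpenPolicy(IntPtr.Zero, ref attrs, POLICY_CREATE_ACCOUNT | POLICY_LOOKUP_NAMES, out policy));

        const string right = "SeServiceLogonRight";
        IntPtr buf = Marshal.StringToHGlobalUni(right);
        try
        {
            // Lengths are in bytes; MaximumLength includes the terminating null.
            var rights = new[] { new LSA_UNICODE_STRING { Buffer = buf,
                Length = (ushort)(right.Length * 2), MaximumLength = (ushort)(right.Length * 2 + 2) } };
            Check(LsaAddAccountRights(policy, sidBytes, rights, 1));
        }
        finally { Marshal.FreeHGlobal(buf); LsaClose(policy); }
    }
    // Converts a failing NTSTATUS into a Win32Exception with a readable message.
    static void Check(uint ntStatus) { if (ntStatus != 0) throw new Win32Exception((int)LsaNtStatusToWinError(ntStatus)); }
}
```

The call must run elevated on the machine that hosts the service, because the right is stored in that machine's local security policy. Where a domain Group Policy defines "Log on as a service", its list replaces local assignments at the next policy refresh, so the account has to be listed there instead.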