This is a read-only archive of the InstallSite Forum. You cannot post any new content here.
Permission difference during uninstall?


3 replies to this topic

JeffR
  • Members
  • 4 posts

Posted 07 June 2004 - 04:32

Hi all,

I'm using a slightly modified version of MS' LsaPrivs as a custom action to set the Log On As right for a user on a service I'm creating during an installation.

Essentially, LsaPrivs (MS Platform SDK) will grant the SeServiceLogonRight to allow the service to successfully log on and run as a specified user.

When it is run from the command line (logged in as Administrator) it will successfully grant and revoke the privilege. When it is run during an install (by the same user) it will also successfully grant the privilege; but on an uninstall the call to revoke completes, but fails to actually revoke the privilege.

Is there any difference between the permissions held by the installer during an uninstall? Is there something else I'm missing? Does anyone have any experience with a better/different way of granting/revoking this permission?

Thanks in advance for any insight!!

Glytzhkof
  • Moderators
  • 1,447 posts

Posted 07 June 2004 - 04:48

I don't have a solution for you, but if you are using a domain account to run the service, I suppose it is possible that Active Directory needs to be updated for the change to be visible, and this may take some time and not show up immediately?

Can I ask why this service needs to be run by the user? This seems highly unusual.
Regards
-Stein Åsmul

JeffR
  • Members
  • 4 posts

Posted 07 June 2004 - 17:23


The reason for the domain user is we are installing a service that will sit on some arbitrary machine in the domain and basically poll (a) Domain Controller(s) for information, then send it on to another server. In order to allow the domain admins to be able to appropriately have full control of this user's access rights and other privileges we are allowing them to specify the user that the service will run as.

Allowing the service to run with the standard 'system' privileges is much more access than the service needs and would pose a security threat. Also, the system privileges only allow for anonymous network access, which again is an unacceptable security risk to any educated domain admin.

You're correct about the propagation times of some changes made to policy settings, but again, during the install the privilege is correctly (and immediately) set. When lsaprivs.exe is run manually it also correctly and immediately sets/revokes the priv. The problem is only during an uninstall. I know the custom action is being run, and with the correct arguments, it just isn't revoking the privilege. ??

Glytzhkof
  • Moderators
  • 1,447 posts

Posted 08 June 2004 - 15:07

Thank you for the details. Interesting case. I do know that many companies scan for lsaprivs.exe and try to disable it. Might be safer to use a different name for the file (also since you seem to have modified it).

There is no way to attack this problem without a proper log file. Please see info here and generate a log file: http://www.installsi...ifaq/a/1022.htm

Regards
-Stein Åsmul
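
An added example, not part of the original thread or of LsaPrivs: because the revoke call during uninstall is reported to complete without effect, one way to confirm the actual state afterwards is to export the local user-rights assignment with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and check whether the service account is still listed under SeServiceLogonRight. The file name `rights.inf`, the sample export and its SIDs are constructed placeholders, and the function names are hypothetical.

```python
"""Check a `secedit /export /areas USER_RIGHTS` dump for a leftover user right."""

# Constructed sample of an export taken after uninstall (placeholder SIDs).
SAMPLE_AFTER_UNINSTALL = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
Revision=1
"""


def decode_export(raw: bytes) -> str:
    """secedit writes UTF-16 with a BOM by default; fall back to UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def holders_of(inf_text: str, right: str) -> set:
    """Return the principals listed for `right` in [Privilege Rights]."""
    in_section = False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line or line.startswith(";"):
            continue
        name, _, value = line.partition("=")
        if name.strip().lower() == right.lower():
            # SIDs are exported with a leading '*'; account names appear bare.
            return {v.strip().lstrip("*").upper()
                    for v in value.split(",") if v.strip()}
    return set()  # a right missing from the export is treated as held by nobody


def still_granted(inf_text: str, right: str, principal: str) -> bool:
    """True if `principal` (SID or account name) still holds `right`."""
    return principal.lstrip("*").upper() in holders_of(inf_text, right)
```

Running the same check on exports taken before install, after install and after uninstall shows whether the uninstall custom action really removed the grant, independently of what the custom action itself reports.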