5

I want to run a process (not a service) under a different user on a Microsoft Windows Server and I need the minimal set of rights which are needed to do so.

The minimal set of rights is required, because this user should not be able to login and access only required resources.

Something like this should work:

Start-Process -Credential $cred -FilePath calc.exe

I studied the User Rights Policies, but without noteworthy success.

hdev
  • 630
  • 7
  • 17
  • Do you want the minimal rights for the user that the process will use, or the rights needed for a user to start a process as another user? If the former, I think you will want "Log on as batch job". Note that there are other rights or privileges that might be required for the process to be able to do what it is intended to do. – Todd Wilcox Mar 01 '16 at 16:08
  • UserA has a few rights, for example can login with RDP, now UserA wants to start a Process as UserB. Because UserB is very restricted and can only see a few resources. – hdev Mar 01 '16 at 16:13
  • So are you looking for the rights that User A needs to start the process or the rights that User B needs to be usable to run the process? – Todd Wilcox Mar 01 '16 at 16:15
  • 1
    The right User B needs to be usable to run the process. – hdev Mar 01 '16 at 16:18
  • 1
    As I've outlined in my heavily edited answer, it can depend on what the process needs to do. For instance, I expect running calc.exe in an interactive window so one can do calculations with it would require "Allow log on locally". However, a process that runs in the background likely would not need that right. If you want to expand your question with details about the exact process you have in mind, you will probably be able to get better answers. – Todd Wilcox Mar 01 '16 at 16:30

2 Answers

3

Referring to the comments, I think User B needs at least the "Log on as a batch job" right. If the process running under User B's credentials is meant to accomplish certain tasks, then additional rights or privileges may need to be granted to User B for those tasks to function correctly.

This article lists rights and privileges and details cases where a right or privilege may be needed for certain tasks: https://technet.microsoft.com/en-us/library/cc755971(v=ws.10).aspx

It seems what you may be trying to do is allow a process to run as User B on a computer even though User B cannot log on interactively due to User B having the "Deny log on locally" right or not being a member of a group that has the "Allow log on locally" right.

"Log on as batch job" would allow User B to be used for processes initiated by Task Scheduler. It's possible that trying to launch a process in an interactive session (i.e., logged on as User A) with a user that only has batch job rights and does not have interactive rights will fail. In this case, "Allow log on locally" granted to User B should enable the use of User B for the process. The only catch is then User B can log on interactively, which is probably not desired.

A workaround might be to "trivially schedule" the job. Instead of User A actually running the command, User A sets up a task schedule job that they then set to run in one minute (or something).

Todd Wilcox
  • 2,831
  • 2
  • 19
  • 31
  • It's not a Windows service, it's a process, for example calc.exe. Or is there no differentiation? – hdev Mar 01 '16 at 16:07
  • 1
    User B will have to have Log on interactively to just use Run As out of the box and interact with the user interface. No way around that I know. Log on as batch job is designed for non-interactive applications. – user339468 Mar 01 '16 at 20:19
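The following PowerShell is an added illustration of the answer above and is not code posted by Todd Wilcox or anyone else in this thread. It does two things the answer describes: it checks whether an account has been granted "Log on as a batch job" (SeBatchLogonRight) by exporting the local policy with secedit, and it implements the "trivially schedule the job" workaround by registering a one-shot scheduled task that runs as that account, so that User A never needs Start-Process -Credential in an interactive session and User B never needs "Allow log on locally". The account name, task name and program path are placeholders; secedit /export needs an elevated prompt.

```powershell
# Added example, not part of the original question or answers.
# Placeholders: the account (e.g. 'DOMAIN\UserB'), the task name and the
# program path are illustrative only.

function Test-BatchLogonRight {
    param([Parameter(Mandatory)][string]$Account)

    # Export only the [Privilege Rights] section of the local security policy.
    # The SeBatchLogonRight line lists SIDs, each prefixed with '*'.
    $cfg = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content $cfg |
            Where-Object { $_ -match '^SeBatchLogonRight\s*=' } |
            Select-Object -First 1
        if (-not $line) { return $false }   # right granted to nobody

        $sids = @(($line -split '=', 2)[1].Trim() -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') })

        # Resolve the account name to its SID for comparison.
        $nt  = New-Object System.Security.Principal.NTAccount($Account)
        $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

        # Caveat: this detects a direct grant only. A grant made to a group the
        # account belongs to (the usual way to assign rights) is not resolved here.
        return ($sids -contains $sid)
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

function Start-OneShotTaskAsUser {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,   # User B's credential
        [Parameter(Mandatory)][string]$FilePath,           # program to run
        [string]$TaskName = 'RunAsUserB',
        [int]$DelayMinutes = 1
    )
    $action  = New-ScheduledTaskAction -Execute $FilePath
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes($DelayMinutes)

    # Supplying -User and -Password makes Task Scheduler log the account on with
    # the batch logon type, so "Log on as a batch job" is the only logon right
    # required. -RunLevel Limited keeps the account's ordinary, non-elevated token.
    # A GUI program started this way runs in a non-interactive session and will
    # not appear on User A's desktop; this is the point made in the comment above.
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -User $Credential.UserName `
        -Password $Credential.GetNetworkCredential().Password `
        -RunLevel Limited -Force | Out-Null
}

# Usage (placeholder values):
# $cred = Get-Credential 'DOMAIN\UserB'
# if (Test-BatchLogonRight -Account $cred.UserName) {
#     Start-OneShotTaskAsUser -Credential $cred -FilePath 'C:\Tools\job.exe'
# }
```

After the task has fired, remove it with Unregister-ScheduledTask -TaskName RunAsUserB -Confirm:$false so the stored credential for User B does not linger in the task store. If Test-BatchLogonRight returns $false for an account that is known to belong to a group holding the right, that is the group-resolution caveat noted in the code, not a missing grant.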
1

You need read/execute permissions on the program file itself, read permissions on any files the program needs to read, and write permissions to anywhere the program needs to write. It's not all that different from *nix, really.

Joel Coel
  • 12,910
  • 13
  • 61
  • 99