Restrict user to only run programs on Windows server 2012 R2

0

I have a situation here I hope you can help me with. I have a database running on a Windows Server 2012 R2 with a specific user account. The same user account is running a Windows Service. This Service does some work and does some updates on the DB. This works quite well so far.

Now this Service has to run an external process at some point, and I do that with ProcessStartInfo and Process.Start, which gives the following exception:

System.ComponentModel.Win32Exception (0x80004005): Access is denied at System.Diagnostics.Process.StartWithShellExecuteEx(ProcessStartInfo startInfo) at System.Diagnostics.Process.Start() at System.Diagnostics.Process.Start(ProcessStartInfo startInfo)

According to this stackoverflow answer I have to add this user (Active directory user) to the server. As it is now, the user doesn't have access to the server.

And I actually want to keep it this way and only give the user access to start processes (programs) without having access to the server.

Is that possible or am I on a wrong path?

Control Panel >> User Accounts >> Manage User Accounts >> Add... will probably do the work, but I have no idea which level of access I have to choose in the list of access levels.

Nawed Nabi Zada

Posted 2016-10-20T10:29:49.723

Reputation: 101

You will need to give him enough permissions to run said program. So probably normal user rights? It sounds like it's a service so you should create a service user rather than use a regular user account. Nobody should login with a service account so there shouldn't be an issue? – Seth – 2016-10-20T12:19:39.980

@Seth How do I do that? I cannot create the user directly in this server, it has to be in Active directory, and this user is only member of Domain Users security group. I don't really see a type for Users. Can only create User which I can assign to different security groups. – Nawed Nabi Zada – 2016-10-20T12:56:06.403

Yes it would be an AD user but not an account a real person would be working with. Depending on the application you want to run you could give that user some more local permissions on that specific server. – Seth – 2016-10-20T13:14:26.487

Answers

0

OK, I think the exception is a little bit misleading. It seemed like the user wasn't allowed to run the application, but the real problem was that the user didn't have any access to the directory where the application was located.

  • Changing the security settings of the folder to allow Read & Execute rights to the user will fix this problem.

This way there is no need to add the user to the server.

Nawed Nabi Zada

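The fix the answer describes, done from an elevated PowerShell prompt on the server, as an added example that is not part of the original question or answer. The folder path C:\Apps\ExternalTool and the account CONTOSO\svc-dbworker are assumed placeholders; substitute the real program folder and the AD account the service runs as. The script grants only Read & Execute (inherited by the files and subfolders under it), so the account is never added to a local group on the server, which is exactly what the question wanted to avoid.

```powershell
# Added example, not code from the original post. Grants a domain service
# account Read & Execute on the folder holding the external program, instead
# of adding the account to a local group on the server.
# Hypothetical values: adjust to the real folder and service account.
$FolderPath = 'C:\Apps\ExternalTool'
$Account    = 'CONTOSO\svc-dbworker'

# Read & Execute on the folder itself plus everything below it
# (ContainerInherit = subfolders, ObjectInherit = files), so the .exe and any
# DLLs beside it become readable/executable for the account as well.
$Rights      = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$Inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagation = [System.Security.AccessControl.PropagationFlags]::None
$Type        = [System.Security.AccessControl.AccessControlType]::Allow

$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, $Rights, $Inheritance, $Propagation, $Type)

# Before: show what the account currently has on the folder. With no
# matching entry the service gets "Access is denied" from Process.Start,
# which is the situation described in the question.
Write-Host "ACEs for $Account before the change:"
(Get-Acl -Path $FolderPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Append the new ACE and write the DACL back. Get-Acl/Set-Acl preserve the
# existing entries; nothing else on the folder is changed.
$Acl = Get-Acl -Path $FolderPath
$Acl.AddAccessRule($Rule)
Set-Acl -Path $FolderPath -AclObject $Acl

# After: the account should now show ReadAndExecute (Windows also lists the
# implied Synchronize right) with both inheritance flags set.
Write-Host "ACEs for $Account after the change:"
(Get-Acl -Path $FolderPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, IsInherited, InheritanceFlags -AutoSize
```

The same grant can be made in one line with the built-in tool, `icacls C:\Apps\ExternalTool /grant "CONTOSO\svc-dbworker:(OI)(CI)RX"`, which is handy when scripting the deployment. Keep the grant at Read & Execute and leave Write and Modify on that folder to administrators only: whoever can replace the binary in that directory controls what runs under the service account, so the folder's write permissions are part of the service's security boundary.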