A service isn't going to be prompting for credentials on UAC systems.
They're denied access to the desktop. Running as system and impersonating
seems like the way to go when required.
--
Phil Wilson
The Definitive Guide to Windows Installer
http://www.apress.com/book/view/1590592972
"Phil Sanderson" <> wrote in message
news:32E631CB-31D9-4899-A12F-...
> Hi, we're producing a system service for Windows Server 2008. One of the
> tasks of the service is to create a user and a group. The service runs as
> a
> minimally-privileged user created on installation. This service user is
> added to the Power Users group, as specified in the documentation for,
> say,
> NetLocalGroupAdd. The service's executable also has a manifest with
> "requireAdministrator" execution level. However, none of this is
> sufficient
> and we get ERROR_ACCESS_DENIED (5) returned by NetLocalGroupAdd. The
> server
> is free-standing (i.e. not a member or controller of a domain).
>
> What am I missing? I can understand membership of Power Users not being
> enough, but what about the evelation requested by the manifest? UAC is
> configured to prompt for credentials when a user requires elevation, but
> how
> does that work when the application is a non-interactive system service?
> Should we just run the service as LocalSystem and impersonate the
> lower-privileged user?
>
> I'd be very grateful for any assistance, thank you.
Linear Mode
