Installing Teamcity build agent as a user: failed to install the service. selected account does not have enough rights - automation

I want to install a TeamCity BuildAgent as a user. When entering my user credentials here:
I always get this error:
NOTE: My account (user) is Administrator with full permission!
How can I do this?

The error message says it does not have "enough rights to run as a service",
this is slightly different from just being an administrator.
Go to Control Panel> Administrative Tools> Local Security Policy.
Select Local Policies> User Rights Assignment.
Scroll down through the list of policies and look for Log on as a service.
Add the account you're using to the list of accounts with this right.
That should in theory be all you need to allow the service to run under that user.

The best PowerShell command that I have found for this is:
Grant-Privilege -Identity $SERVICE_USERNAME -Privilege SeServiceLogonRight
Requires use of the Carbon framework.

I'm a Windows 10 Home user and the steps above did not work for me, but the following did:
Enable gpedit.msc by running the batch file as explained here under Method 1: https://www.askvg.com/how-to-enable-group-policy-editor-gpedit-msc-in-windows-7-home-premium-home-basic-and-starter-editions/
Run gpedit.msc
Go to Local Computer Policy / Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment
Double-click Log on as a service
On the window that appears, click Add User or Group...
Enter your username and click the Check Names button
Your name will be modified, adding the machine name as the prefix. Click OK
Click OK on the Log on as a service Properties window to apply the change.
It is a little bit of a pain, but after doing that, I was able to continue installing TeamCity

Related

How do I fix the error:1069 - The service did not start due to logon failure?

I have written my own Windows service which interacts with a SQL database and updates it. The service was running fine and seems to be functioning correctly, however of late it seems to go down at random times and cannot restart due to the error designated in the question. I have tried various searches to fix this, but unfortunately I have come up with nothing. The aim is to eventually have this service running on my company's server, but I can't adjust any server settings, I am but a user on the server, so I have restrictions to some settings.
Any quick fixes, would be helpful!
Open the Services Manager. ( Win + R, then type services.msc )
Then right click on the SQL Server process and click Properties
Then go to Log On, and select This account:
Then click Browse, and add your username in the box. (Notice it should contain the domain, in my case is AD\myusername), then Check Names and accept.
Finally type your password in the other two fields, and that's it, you should have permission to start your process now.
Cheers!!
One issue for us was the format of the account user name, we initially used
domain\username
and got the 1069-logon error, then ultimately I tried validating the user name in the properties | logon tab of the Service (in Control Panel / Service Manager), using the "Browse" and "Search" for the user name, and it turned out that it suggested and validated OK with the reverse format
username#domain
This also worked and resolved the 1069 error, and let us script the startup using sc.exe.
Error 1069 is vague and can have different causes. I am sharing my experience here.
I encountered this error when trying to get a service to run under my account (I am trying to get my services to see the same LocalDB as interactive processes running on my account for development purposes). I use an MSA (Microsoft Account) with Windows’s PIN login normally, so I rarely enter my Windows password. To resolve the issue, I locked my screen, selected Password input instead of PIN input, and then entered my password. I assume this somehow reminded Windows what my password was and made my local account more legit.
Before doing this, you need to configure the user account in question to have the Logon as Service privilege. To do this, open the Group Policy Editor. Expand Computer / Windows Configuration / Security Configuration / Local Policies / User Permissions Assignment and then open Login as Service. From there, you can add your user in question.
Also check for "Deny Logon service" policy.
User should not be added over there.
We had this issue as well because the account was set so that the password expired. After we updated the account to not expire and set the password this error stopped.
The account could also be locked out. To unlock it, you only need to change that user's password (new and old password can be the same).
What also worked for me was re-entering the password in the services->LogOn window. Even when you think the account and password is correct, re-entering it will re-grant the account permission to log on as a service.
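A read-only check for the two policies these threads point at (Log on as a service in the TeamCity answers, and the deny policy in the 1069 answers), given here as an added example that is not part of any of the original answers. It assumes an elevated PowerShell prompt; the function name and the sample account name are hypothetical, and only rights assigned directly to the account are checked, not rights granted through a group.

```powershell
# Added example: read-only audit of "Log on as a service" for one account.
# Assumes an elevated prompt (secedit needs administrator rights to export policy).
# Only direct assignments are checked, not rights inherited from group membership.

function Get-ServiceLogonRightStatus {          # hypothetical function name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Account                        # e.g. "$env:COMPUTERNAME\buildagent" (hypothetical account)
    )

    # Turns an account name into its SID string; throws if the name cannot be resolved.
    function ConvertTo-Sid([string]$Name) {
        [System.Security.Principal.NTAccount]::new($Name).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    }

    # Returns the SIDs listed for one right in the exported [Privilege Rights] section.
    function Get-RightHolder([string[]]$PolicyLines, [string]$Right) {
        $line = $PolicyLines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
        if (-not $line) { return }              # the right is assigned to nobody
        foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                $entry.Substring(1)             # secedit writes SIDs as *S-1-5-...
            } else {
                try { ConvertTo-Sid $entry } catch { $entry }   # entry written as a name
            }
        }
    }

    try { $sid = ConvertTo-Sid $Account }
    catch { throw "Cannot resolve account '$Account' to a SID: $_" }

    # Export only the user-rights area of the local security policy to a temp file.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "secedit export failed with exit code $LASTEXITCODE (is the prompt elevated?)"
        }
        $policy = Get-Content -LiteralPath $cfg
    } finally {
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }

    $granted = @(Get-RightHolder $policy 'SeServiceLogonRight')
    $denied  = @(Get-RightHolder $policy 'SeDenyServiceLogonRight')

    [pscustomobject]@{
        Account              = $Account
        Sid                  = $sid
        HasLogonAsService    = $granted -contains $sid
        DeniedLogonAsService = $denied -contains $sid
        # A deny entry takes precedence over a grant.
        CanLogOnAsService    = ($granted -contains $sid) -and -not ($denied -contains $sid)
    }
}

# Usage (account name is hypothetical):
# Get-ServiceLogonRightStatus -Account "$env:COMPUTERNAME\buildagent"
```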

remote sc OpenSCManager query failed 5 access denied

I'm writing a script that periodically checks that certain services are running on remote workstations. I'm having a devil of a time getting an "SC \\workst1 query" command working from one test machine to another. Both machines are running XP pro SP3. Neither is part of a domain. Both are in the same workgroup, and the administrator accounts have the same passwords.
I keep getting the "[SC] OpenSCManager FAILED 5: Access is denied" message, from either workstation to the other. I have tried using elevated privileges on both. Windows firewall software is turned off. There are no messages showing up in the Event security logs. When (as administrator) I try going to "Computer Management" -> "connect to another computer" and access the remote services I get "Error 5 Access is denied".
I can set up a filesystem share between the two machines successfully, and "net use \\workst1\IPC$ /user:Administrator" completes successfully, but the SC query still fails. I'm using IP addresses and not hostnames in these commands, but that doesn't help. I don't know what else to try. Thanks for the help.
Try to run the command as an Administrator
start-> (type cmd in search box), right click on cmd, Run as administrator -> execute your command
You must have administrative rights on the remote machine.
Moreover you must access the drive before calling "sc".
This can be achieved in command line using
net use \\remotemachine\admin$ <password> /user:<username>
admin$ is a hidden shared drive accessible to administrators that "sc" uses to control services.
I was having the same issue today trying to check if a service is enabled remotely.
I could solve the issue modifying the User Account Control for remote restrictions in windows:
To disable UAC remote restrictions, follow these steps:
Click Start, click Run, type regedit, and then press ENTER.
Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
If the LocalAccountTokenFilterPolicy registry entry does not exist,
follow these steps:
On the Edit menu, point to New, and then click DWORD Value. Type LocalAccountTokenFilterPolicy, and then press ENTER.
Right-click LocalAccountTokenFilterPolicy, and then click Modify. In the Value data box, type 1, and then click OK.
Exit Registry Editor.
More information about this solution in this site.
Your user should be remote, from Manage and Local users and groups
The UAC issue is obvious you have to pull down the lever for UAC setting
Also while installing the services you can use the following command
SC create SERVICENAME DisplayName= "DISPLAYNAME" binPath= "PATH OF EXE" start= disabled type= share

User '' does not have required permissions, SSRS 2008 on Windows 8

When you try to log into SSRS's root site at http:// (servername)/Reports it displays:
User '' does not have required permissions. Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed.
This is on a 64 bit edition of Windows 8 Pro, running SQL Server 2008 enterprise. Everything should be using the local system as the account of execution.
I have tried changing the execution account as my user which is admin, I have added the site as the trusted site, I have UAC turned completely off, I have tried to hit the site with IE AS ADMIN, Chrome, and Firefox. Everything I try the site states back that I don't have the rights. I go into SQL Server and ensure my roles are everything for my user. It does not care. I am currently reinstalling the SSRS node of the SQL Server install but am curious if anyone else had this issue yet.
I am going to try to change my account to a 'local' account as I am thinking that may be an issue yet I don't understand why SQL Server can recognize my login integrated just fine. Honestly I never ran into this and am wondering if this is an issue just with Windows 8 accessing SQL Server 2008. I would upgrade but I have a full version of SQL Server 2008 and not of 2012 so I am hesitant to just upgrade unless Express 2012 will come with Business Intelligence Development Studio and SSRS site with tools.
EDIT: 3-8-2016:
No answer with: "Just turn on site settings" is valid as this is the first time installing as the admin of the server or machine locally and not able to access the landing page as that admin.
No answer with: "Just run IE as admin" will work last I tested that.
Answers with "Trusted SITE settings MAY WORK" on Windows 8 and higher as I had a similar problem to this with Windows 10 and on Windows 10 it did fix it. I am not going to rollback two OS versions to check at home though, sorry.
I don't get how this question can be existing for a while and people are now on a mission to claim it is duplicate when the very answer is different than the potential duplicate. That whole thread deals with someone able to get into the site with elevated permission and just not setting up roles and users after the fact. This is the main user of the machine not getting to the landing page as an admin to the site listed as the default landing. Not even the same ballpark. Getting into a page as an admin to let local users in versus the highest level God user not getting in is not the same.
Everything in this answer is true but don't reinstall all of SSRS, that's nonsense...
Windows 8
Disable UAC
Enable Administrator Account (You can go to Control Panel > Computer Management > Users)
Restart PC
Run IE as Administrator; when prompted, log in with the local Administrator account you enabled.
You will need to adjust site settings security and folder settings security. Easy fast fix just add "Everyone" in both of those with full rights.
Problem solved!
I ran into the same issue myself but with Windows 7 and SQL Server 2008. I resolved the issue following the instructions from Suresh Kumar's blog post at http://skamie.wordpress.com/2010/06/24/ssrs-and-uac/
In a nutshell here are the steps you need to take to resolve this issue:
Start your browser using 'run as Administrator'.
Navigate to the report manager and under Site Settings -> Security assign your account or the local administrators group to the System Administration role.
Then navigate to the home folder and under the security settings assign your account or the local administrators group to the Browser, Content Manager, My Reports, Publisher and Report Builder roles.
Now you should be able to run your browser as normal and access SSRS without any issues.
Okay this is really annoying what needed to be done but here goes.
From what I kept reading Windows 8 does not by default enable the default administrator account.
I usually don't use this account but in this case I was desperate as my account could not get in.
I understand ONCE YOU ARE IN you can set the site settings, that does not help if you cannot even see the site's main landing page to see that setting.
The steps I took to finally resolve were:
Uninstall SSRS Node COMPLETELY by going to control panel>SQL Server 2008>Remove>Check Reporting Services
Enable default admin account: command prompt>run as administrator>net user administrator p#ssw0rD, hit enter.
New line: net user administrator /active:yes
Reboot
Reinstall SSRS from disc with logging in as default administrator
Install SP3 as administrator
Go to IE.exe DIRECTLY in Windows 8: C:\Program Files\Internet Explorer\iexplore.exe>Run as administrator.
Go to http:// (servername)/Reports
You SHOULD now be able to finally see site settings. NOW YOU CAN FOLLOW everyone's directions of adding YOUR USER under site settings. Also go to folder permissions and add the user as a default here as well.
(optional) For safety I would hide the default admin account now by using step 2 but substitute /active:no in.
If your main admin can't open the door, no one is getting in. That was the main issue I was having. My default admin could not get in. Now everything is working fine and dandy like it should with deploying from BIDS as well.
I had the same problem on my Windows 8 system (32 bit) with SQL Server 2008R2. When I started IE using 'run as Administrator' it still asked for a user name and password and resulted in "user does not have permissions"-error when I entered my user name and password. This is what fixed it for me:
I disabled UAC in the registry (Set HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA to 0). I first set notify-level under Control Panel | System and Security | Change User Account Control to the lowest level but that didn't make any difference.
After reboot I started IE using 'run as Administrator'. Went to Report Manager | Site Settings | Security: added my account as System administrator.
Still in Report Manager I went to Home | Folder Settings and added my account with role Content Manager.
I enabled UAC through Control Panel | System and Security | Change User Account Control settings by setting it to default level again. (Reboot required)
When I run IE as Administrator now and supply my user name and password it does show the homepage of the report manager.
Run Internet Explorer as administrator (right click on the Taskbar icon)
Step 1 :: Add your local username to the Site Settings security roles page. (Security - System Administrator)
Step 2 :: Add your local username to the Folder Settings on the home page. (Select Content Manager)
Close the Administrator IE session.
Open IE in normal mode under your user account.
Windows 8.1
I resolved this with help from the answer by Austin McLaughlin posted earlier. In my case I had been logged in with a local account that had administrator privileges, but attempting to access http://127.0.0.1/Reports (hereinafter referred to as "the Reporting Services Manager") produced the error reported by the OP.
The key for me was that the Administrator account was disabled by default in my Windows 8.1 laptop. Note that I did not originally have Windows 8.1 Pro, so there was no "Local Users and Groups" under "Computer Management". Thus, I had to purchase the Windows 8.1 Pro Pack online from MS for $100.
In Windows Explorer, right click on the Computer node and select "Manage".
Navigate to Local Users and Groups > Users
Right click on Administrator and select Properties
De-select "Account is disabled"
Restart PC
Log in to the PC as Administrator (I did not have to enter a password for the Administrator account on first login.)
From the desktop, run IE. No need to run as Administrator, of course, since you logged in as Administrator.
Navigate to the Reporting Services Manager.
At this point you should be logged in to the Report Administrator and on the Home screen. I had not been able to get this far before.
On the Home screen, click "New Role Assignment"
In "Group or user name", enter the local administrator account you use for development; i.e.: [yourmachine]\[username]
Select all the checkboxes (shortcut is to click the checkbox to the left of "Role") and click OK.
In the upper right hand side of the page, click Site Settings.
On the left side of the page, click Security.
Click "New Role Assignment"
In "Group or user name" enter the same account as in step 10
Check "System Administrator" checkbox and click OK
As a precaution, disable the Administrator account that you enabled in step 4.
Log out, then back in with your local account from step 10.
In IE, browse to the Reporting Services Manager. Note: It was not necessary for me to start IE as Administrator.
At this point you should be able to access Reporting Services Manager page, and configure reporting services further.
Change service account type as "Network Service" in service account tab then stop and start service and run IE as Administrator.
From Reporting Services Configuration Manager you can get to the node Report Manager Url. The URL works from this screen. Now you can use the Folder Settings to add yourself as a Content Manager, etc... Now the url will work for your user.
In IE, just add the reporting services website to "Local intranet" sites.
That's it.
Just open IE as Run As Administrator and just type URL as http://localhost/reports

Can I run RegAsm without being Administrator?

My coworker is trying to register some COM components (which I wrote) via RegAsm.exe and it says he needs Administrator privileges. His account has admin privileges but he is not logged in as Administrator. Is there a way to use his regular user account and succeed at this task?
I work in an environment/jurisdiction where giving local admin access to all users is simply not possible (legal/compliance/regulations will not allow).
It appears there is no equivalent of this function in .NET world: AtlSetPerUserRegistration
Try this: Using regasm, generate the registry entries with /regfile argument. By default, registry entries should use HKEY_CLASSES_ROOT (HKCR) as a root. Modify the entries (manually, or by script) to use HKEY_CURRENT_USER (HKCU).
Finally, distribute your .NET DLL with the registry script. You can still run regedit without admin rights to register your .NET DLL. Manually from the command line, using a batch file, or a (tiny) separate installation program can handle the registration.
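The rewrite step described in this answer, as an added example that is not part of the original answer. The helper name, the ProgID and the CLSID in the sample are constructed placeholders; only key-header lines are rewritten, so value data that happens to mention HKEY_CLASSES_ROOT is left alone.

```powershell
# Added example: retarget a RegAsm /regfile script from HKEY_CLASSES_ROOT to the current user.
# HKEY_CLASSES_ROOT is a merged view of HKLM\Software\Classes and HKCU\Software\Classes,
# so the per-user equivalent of [HKEY_CLASSES_ROOT\X] is [HKEY_CURRENT_USER\Software\Classes\X].

function Convert-RegLineToPerUser {             # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]                    # .reg files contain blank separator lines
        [string]$Line
    )
    process {
        # Matches key headers only: [HKEY_CLASSES_ROOT\...] and the delete form [-HKEY_CLASSES_ROOT\...]
        if ($Line -match '^\[(-?)HKEY_CLASSES_ROOT(\\.*)?\]\s*$') {
            '[{0}HKEY_CURRENT_USER\Software\Classes{1}]' -f $Matches[1], $Matches[2]
        } else {
            $Line                               # value lines and the file header pass through unchanged
        }
    }
}

# Constructed sample in the shape of a RegAsm-generated file (placeholder ProgID and CLSID).
$sample = @'
REGEDIT4

[HKEY_CLASSES_ROOT\Contoso.Widget]
@="Contoso.Widget"

[HKEY_CLASSES_ROOT\Contoso.Widget\CLSID]
@="{00000000-0000-0000-0000-000000000001}"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="mscoree.dll"
"Class"="Contoso.Widget"
'@ -split '\r?\n'

$sample | Convert-RegLineToPerUser

# With real files (file names are placeholders):
#   Get-Content .\MyComponent.reg | Convert-RegLineToPerUser | Set-Content .\MyComponent.user.reg
#   regedit.exe /s .\MyComponent.user.reg      # writes under HKCU only, so no elevation is needed
```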
Admin privileges are required to allow Regasm.exe to update the registry. If this is a UAC restriction then create a shortcut on the desktop for cmd.exe and check the "Run this program as an administrator" checkbox. Or change this setting on the Visual Studio Command Prompt shortcut, that's easier.
I think this question belongs elsewhere, but Windows uses least privilege so if he is a user that is both a normal user and an Administrator then he gets normal user privileges. Use runas to make this work or right click the item and "run as administrator".
Why don't you use registration free com? It's only been supported since 2003 and obviates the need for UAC / administrative access to install COM components.
With RegFree COM you can just bundle the COM dlls with the application that uses them as a private assembly - but that doesn't mean they can't be properly installed - either in the registry or in WinSxS by the final deployment install.exe/msi
Subtext wrt the actual query: no - COM registration is in the HKEY_LOCAL_MACHINE key that always requires administrative access.
I lied: Actually you can. If you create an application with no manifest at all, Windows deduces that it's an XP-era application that expects administrative access to run and will activate a compatibility mode that, amongst other features, redirects write access to HKLM to a writable location under HKCU. So the COM component registration "succeeds" - but is registered for the current user only.
I'm not sure why the ability to register for just the current account isn't supported generally outside the compatibility framework.
Check this out: https://gist.github.com/florentbr/6be960752fc852ee99eece6b4acb8ba7
I was trying to do the same thing and was about to give up when I came upon it.
It's a cmd script that will register the SeleniumBasic.dll in the registry without having admin privileges. With a bit of work you should be able to repurpose the code to register your COM components.
Many, many thanks to Florent Breheret for SeleniumBasic and this cmd script to register it!
I am logged into an account that has Administrator privileges. But RegAsm.exe still says it needs Administrator privileges.
[From some notes I have for Windows 2008 R2. Confirm on other Windows operating systems that support UAC. The following assumes that you are permitted to make changes to the Local Security Policy. ]
In its default configuration, User Account Control (UAC) settings give the local Administrator full privileges, but restrict the privileges of other members of the Administrators group. To lift the UAC restrictions on other members of the Administrators group, do the following:
Select Start -> All Programs -> Administrative Tools -> Local Security Policy.
Select Local Policies -> Security Options.
In the right panel, double-click the third entry from the bottom which reads User Account Control: Run all administrators in Admin Approval Mode.
Click Disabled.
Click OK to close the dialog and close the Local Security Policy configuration tool.
Reboot the computer to complete this change to the UAC settings.

Stop IIS 7 Application Pool from build script

How can I stop and then restart an IIS 7 application pool from an MSBuild script running inside TeamCity? I want to deploy our nightly builds to an IIS server for our testers to view.
I have tried using appcmd like so:
appcmd stop apppool /apppool.name:MYAPP-POOL
... but I have run into elevation issues in Windows 2008 that so far have stopped me from being able to run that command from my TeamCity build process because Windows 2008 requires elevation in order to run appcmd.
If I do not stop the application pool before I copy my files to the web server my MSBuild script is unable to copy the files to the server.
Has anybody else seen and solved this issue when deploying web sites to IIS from TeamCity?
This article describes using an htm file named App_offline.htm to take a site offline. Once IIS detects this file in the root of a web application directory,
ASP.NET 2.0 will shut-down the application, unload the application
domain from the server, and stop processing any new incoming requests
for that application.
In App_offline.htm, you can put a user-friendly message indicating that the site is currently under maintenance.
Jason Lee shows the MSDeploy calls you need to use (plus much more about integrating these steps in your build scripts!).
MSDeploy
-verb:sync
-source:contentPath="[absolute_path]App_offline-Template.htm"
-dest:contentPath="name_of_site/App_offline.htm",computerName="computer_name",
username=user_with_administrative_priviliges,password=passwort
After deployment you can remove the App_offline.htm file using the following call:
MSDeploy
-verb:delete
-dest:contentPath="name_of_site/App_offline.htm",computerName="computer_name",
username=user_with_administrative_priviliges,password=passwort
The msbuild community tasks includes an AppPoolController that appears to do what you want (though as noted it is dated and at present only supports IIS6.) An example:
<AppPoolController ApplicationPoolName="MyAppPool" Action="Restart" />
Note that you can also provide a username and password if necessary.
Edit: Just noticed that the MSBuild Extension Pack has an Iis7AppPool task that is probably more appropriate.
This is the fairly hacky workaround I ended up using:
1) Set up a limited-access account for your service to run as. Since I'm running a CruiseControl.NET service, I'll call my user 'ccnet'. He does NOT have admin rights.
2) Make a new local user account, and assign to the Administrators group (I'll call him 'iis_helper' for this example). Give him some password, and set it to never expire.
3) Change iis_helper's access permissions to NOT allow local login or remote desktop login, and anything else you might want to do to lock down this account.
4) Log in (either locally or through remote desktop) as your non-admin user, 'ccnet' in this example.
5) Open a command terminal, and use the 'runas' command to execute whatever it is that needs to be run escalated. Use the /savecred option. Specify your new administrative user.
runas /savecred /user:MYMACHINE\iis_helper "C:\Windows\System32\inetsrv\appcmd.exe"
The first time it will prompt you for 'iis_helper's password. After that, it will be stored thanks to the /savecred option (this is why we're running it once from a real command prompt, so we can enter the password once).
6) Assuming that command executed OK, you can now log out. I then logged back in as a local admin and turned off the 'ccnet' user for local interactive login, and remote desktop. The account is only used to run a service, but no real logins. This isn't a mandatory step.
7) Set up your service to run as your user account ('ccnet').
8) Configure whatever service is running (CruiseControl.NET in my case) to execute the 'runas' command instead of 'appcmd.exe' directly, the same as before:
replace:
"C:\Windows\System32\inetsrv\appcmd.exe" start site "My Super Site"
with:
runas /savecred /user:MYMACHINE\iis_helper "\"C:\Windows\System32\inetsrv\appcmd.exe\" start site \"My Super Site\""
The thing to note there is that the command should be in one set of quotes, with all the inner quotes escaped (slash-quote).
9) Test, call it a day, hit the local pub.
Edit: I apparently did #9 in the wrong order and had a few too many before testing...
This method also doesn't completely work. It does attempt to run as the administrative account, however it still runs as a non-escalated process under the administrative user, so still no admin permissions. I didn't initially catch the failure because the 'runas' command spawns a separate cmd window then closes right away, so I wasn't seeing the failure output.
It's starting to seem like the only real possibility might be writing a Windows service that will run as admin, and its only purpose is to run appcmd.exe, then somehow call that service to start/stop IIS.
Isn't it great how UAC is there to secure things, but in actuality just unsecures more servers, because anything you want to do you have to do as admin, so it's easier to just always run everything as admin and forget it?
You can try changing the Build Agent Service settings to log-on as a normal user account instead of SYSTEM (the default), this can be done from the services control panel (Start | Run | services.msc).
If it doesn't help, you can also try configuring the appcmd to always run elevated, refer to this document for details.
In case such option is not available for appcmd or it still doesn't work, you can disable UAC completely for this user.
Here you go. You can use this from CC.NET with NAnt or just with NAnt:
http://nantcontrib.sourceforge.net/release/latest/help/tasks/iisapppool.html