Please note: The requirements described below are not requirements of the agent. They are requirements of the environment.
Nolio Agents on Windows are required to run as an AD account (i.e. Log On As is set to some account in Active Directory and NOT set to LOCAL SYSTEM).
Recent changes to policy: We are not able to grant Active Directory accounts standing Local Administrator privileges on Windows servers, instead the account must be given a defined set of lower level permissions.
The agent is configured to start as the type of account described above. This user account is configured with the necessary permissions to successfully stop certain services. However, when using the action "Start Windows Service" to try and start the service the action fails and we get error Action [Start Windows Service] failed: Failed to open service manager Access is denied.
Service Controller Manager needs users to be a part of the local Administrators group.
Release : 6.6
Component : CA RELEASE AUTOMATION CORE
The fix is included in 6.6.5 (b10292) / 6.7.1 (b124) cumulative fixes.
The following list of services was impacted with the fix:
Start Windows Service
Stop Windows Service
Check Service Status
Check if Service Exists
Change Credentials for Windows Service
Delete a Windows Service
Install Windows Service
With the fix we are requesting the minimum rights which are required to run it. Below you may find the list of privileges required for each action:
Start Windows Service: SC_MANAGER_ENUMERATE_SERVICE, SERVICE_QUERY_STATUS, SERVICE_QUERY_CONFIG, SERVICE_START
Stop Windows Service: SC_MANAGER_ENUMERATE_SERVICE, SERVICE_QUERY_STATUS, SERVICE_QUERY_CONFIG, SERVICE_STOP
Check Service Status: SC_MANAGER_ENUMERATE_SERVICE, SERVICE_QUERY_STATUS, SERVICE_QUERY_CONFIG
Check if Service Exists: SC_MANAGER_ENUMERATE_SERVICE, SERVICE_QUERY_STATUS, SERVICE_QUERY_CONFIG
Change Credentials for Windows Service: SC_MANAGER_ENUMERATE_SERVICE, SERVICE_QUERY_STATUS, SERVICE_QUERY_CONFIG, SERVICE_CHANGE_CONFIG
Delete a Windows Service: SC_MANAGER_ENUMERATE_SERVICE, SERVICE_QUERY_STATUS, SERVICE_QUERY_CONFIG, SERVICE_DELETE, SERVICE_STOP
Install Windows Service: SC_MANAGER_ENUMERATE_SERVICE, SC_MANAGER_CREATE_SERVICE, SERVICE_QUERY_STATUS
Details regarding all access rights may be found with this link https://docs.microsoft.com/en-us/windows/win32/services/service-security-and-access-rights