Best practice for service running as local user

Yihong Zhang 0 Reputation points Microsoft Employee
2024-09-30T20:16:38.74+00:00

We are working on changing our .NET service from admin to local user. We want to know if there is anything we can follow to deal with issues regarding losing admin privilege.

Here is our application manifest:

<Principals>
    <Users>
        <User Name="ServiceLocalUser">
            <MemberOf>
                <SystemGroup Name="Users" />
            </MemberOf>
        </User>
    </Users>
</Principals>
<Policies>
    <DefaultRunAsPolicy UserRef="ServiceLocalUser" />
</Policies>

which creates a WinFabApplication|ServiceLocalUser| user starting with WF- running our service.

We have to make some change to adopt the change to service local user, however there is something we are not able to figure out how to do. i.e. we have some netsh command must be running as admin, and it stops working after changing to local user because it requires elevated command. I am not able to find a way to make it working after I changed it to elevated command which requires "runas" opens a User Account Control (UAC) prompt, which requires an interactive user session.

System.ComponentModel.Win32Exception (0x80004005): This operation requires an interactive window station

Does Service Fabric have some local user which still has privilege to run elevated command? Or is there any example how to setup .NET service with local user that requires admin privilege?

Azure Service Fabric
Azure Service Fabric
An Azure service that is used to develop microservices and orchestrate containers on Windows and Linux.
272 questions
{count} votes

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.