Re: Running STSADM without being in local Administrator group?


From: Jim Duncan (nospam_at_leavemealone.pls)
Date: 09/21/04


Date: Tue, 21 Sep 2004 11:00:00 -0700

Hi Jim,

Try adding the service account to the following groups:
IIS_WPG
STS_WPG

Also, experiment with giving the account the following rights (if not
already assigned):
Log on as a batch job
Log on as a service
Replace a process level token (a guess only)

If that doesn't work, try running the process under the same account used
for the Identity of the Application Pool for the Admin site.

Let us know if any of the above work...

-- 
Jim Duncan
Collutions, Inc.
"Jim McCusker" <google.10.jmccusker@xoxy.net> wrote in message
news:a4d01b4a.0409210754.39a17be6@posting.google.com...
> I have a nightly process that uses STSADM.EXE using a domain service
> account.  This process works if I place the service account into the
> local Administrators group, but I haven't been able to get it working
> outside of this group.
>
> First off, the service account is able to execute STSADM, but I get an
> error message of "Access denied." when my service account is not in
> the Admin group.
>
> When this occurs I get a failure audit in the Application Event Log:
>
> Privileged Service Called:
>   Server: Security
>   Service: -
>   Primary User Name: MyServiceAcct
>   Primary Domain:         MyDomain
>   Primary Logon ID: (0x0,0x3816DBD)
>   Client User Name: -
>   Client Domain: -
>   Client Logon ID: -
>   Privileges: SeCreateGlobalPrivilege
>
> I rectified this by adding my service account to the Local Policies,
> User Rights group "Create global objects".
>
> Now the audit logs show that my service account successfully gets the
> privilege but I still get "Access denied" whenever I try to run STSADM
> (even without any command line parameters).
>
> Has anyone else run into this?  I'd like to be able to run this
> process with the service account and not have the service account in my
> local admin group on the SPS/WSS server.
>
>   --Jim
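
To see what the service account actually holds before and after trying the suggestions above, the following PowerShell script reports the user rights and local groups named in this thread. It is an added example, not part of the original posts; it assumes PowerShell 3.0 or later, an elevated prompt on the server, and the placeholder account name from the quoted event log entry.

```powershell
# Added example (not from the thread). Run elevated on the WSS/SPS server.
# $Account defaults to the placeholder names used in the quoted event log entry.
param([string]$Account = 'MyDomain\MyServiceAcct')

# User rights named in the thread, keyed by their policy constant.
$rights = [ordered]@{
    SeBatchLogonRight             = 'Log on as a batch job'
    SeServiceLogonRight           = 'Log on as a service'
    SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
    SeCreateGlobalPrivilege       = 'Create global objects'
}
# Groups named in the thread; Administrators is the one the account should leave.
$groups = 'IIS_WPG', 'STS_WPG', 'Administrators'

# secedit writes resolved principals as *SID, so look the account up by SID too.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the local security policy and parse it.
$cfg = Join-Path $env:TEMP 'user_rights_audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $policy[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item $cfg

# Direct assignments only: a right inherited through a group shows as False here.
$report = foreach ($r in $rights.Keys) {
    $holders = @($policy[$r])
    [pscustomobject]@{
        Check   = "$r ($($rights[$r]))"
        Granted = ($holders -contains $sid) -or ($holders -contains $Account)
    }
}
# "net localgroup" lists one member per line; a missing group yields no match.
$report += foreach ($g in $groups) {
    $members = @(net localgroup $g 2>$null | ForEach-Object { $_.Trim() })
    [pscustomobject]@{ Check = "Member of $g"; Granted = ($members -contains $Account) }
}
$report | Format-Table -AutoSize
```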

