Does this site look plain?

This site uses advanced css techniques

Services Shortcut

YOU DON'T WANT TO DO THIS

Though the technical steps documented in this Evo Tip are correct, in practice we have found maintaining this to be much too much trouble over time (having to deal with it on every upgrade), so we no longer use this practice. Instead we simply define the printers locally via a Standard TCP/IP Printing port and avoid the whole issue of rights.

With the Garfield release of the Evolution payroll service-bureau system, the middle-tier systems rely on Windows services rather than programs running on the desktop. The Package Server, Registration Daemon, and Remote Access Server are among those serviced in this way.

By default, services run in the context of LOCAL\SYSTEM, which has unrestricted access to the local machine, but there are two limitations to this approach:

Ordinary users can't kill a LOCAL\SYSTEM processes
This comes into play when a service gets stuck, usually in the "Stopping" state. Since a LOCAL\SYSTEM process can't be terminated by a logged-on user — even the Administrator — the only alternative is to reboot the entire machine.
They have no access to Windows network resources
Though these processes are able to perform essentially any TCP/IP networking task, LOCAL\SYSTEM processes do not have access to Windows networked resources such as fileservers or network printers. This manifests itself as missing printers in the Registration Daemon setup.

To ameliorate either or both of these limitations, it's possible to configure the services to automatically logon with a user account (with a password!) at startup, giving it rights to access those resources — including printers.

Finding a suitable Windows account

Before configuring the service to logon as a user, an account must be established for the service to use. It's possible to use the local Administrator account, but this is a poor idea (especially if it's the domain Administrator).

Better is to define a new user — perhaps EvoServer — to have full administrative rights on the Evolution middle-tier systems, limited rights to required network resources elsewhere (for printers, mainly), and no rights anywhere else. This limits just what can be done on the network should the credentials be compromised.

Those with a Windows domain controller can create a domain account which will more easily allow the Evolution servers to access network resouces. They can also be deployed with Group Policy.

For this Evo Tip, we'll be using the fictional account PAYROLLWIZ\EvoServer in our example.

Configuring the Service

These changes are made in the Services control-panel applet, which of course requires local administrative privileges. Select the service of interest, right-click and select Properties.

Finding the service

Select the Log On tab at the top, then click the second radio button and enter the account name. We're using PAYROLLWIZ\EvoServer, but those using the local administrator account — probably not a good security practice — would enter .\Administrator. The password must be entered twice.

Service LogOn Tag

It's common to receive a dialog box popup saying that the account has been granted Logon-as-service rights: this is expected and necessary.

With these steps completed, the service is now prepared to logon as the specified user next time it starts, but it doesn't apply to any currently running service: one must Restart the service for these credentials to take effect.

We'll note that the account name and password are used anew each time the service starts (including at boot time), so if the account's password is changed, so must the logon information. If the password doesn't validate, either because it was entered wrong, or it was changed in the User Manager, then the service will fail to start. This is another reason to use a separate, purpose-made logon account so that routine password rotation of administrator accounts doesn't invalidate critical services.

Defining Printers

Even though the service has been granted network logon rights, there still must be printers defined for that user in order for them to be seen by the Registration Daemon. Because Windows stores printer definitions on a per-user basis, one must perform a one-time configuration of network printers for the service-account user.

To do this, login on the server running the Registration Daemon using the service account (DOMAIN\EvoServer or the proper Administrator account), open the "Printers and Faxes" control-panel applet. For each printer used by Evolution, perform the "Add Network Printer" procedure: printers not used by Evolution need not be added.

Performing Evolution Upgrades

When a new release of Garfield is issued by iSystems, the file containing the updates is presented to the Evolution Version Service. Activation of a new version is done internally by uninstalling and reinstalling each service, and this has the effect of reverting all services to use the LOCAL\SYSTEM account.

After every upgrade, all services must be reconfigured with the logon information, and this applies to every Windows middle-tier server on which an applicable service is deployed. The Registration Daemon is found only on the main server, but there can be Package Servers on more than one.

The Registration Daemon requires this treatment in order to have access to network printers, but Package Servers only need it to allow a user to kill a hung process: there are no functional reasons why Package Servers require this, and we expect that most Service Bureaus will only treat the Registration Daemon specially this way.

Automating this procedure

Since this process must be re-applied after each Evolution version upgrade, it can get tedious to walk through all these steps every time, so we've written a small program in VBScript that uses the WMI interface to automate it.

This file can be saved to the desktop, but it must be edited to contain the account credentials used on the system in question. Only placeholder information is present now, and the logon (and service start) will surely fail if left unchanged.

evoRegdServiceLogon.vbs
...

serviceUser = "PAYROLLWIZ\EvoServer"     ' *EDIT THIS*
servicePass = "secretword"                ' *EDIT THIS*

...

Remember to restart the service(s) after this update.

NOTE: It's not a particularly good security practice to put account passwords in cleartext, so this strongly suggests that one should limit the logon account as much as possible (i.e., don't use a domain administrator account, don't use the same password for this account and for any other, etc.)

This information is not furnished, supported, or endorsed by iSystems, LLC.

First published: 2005/08/22