Granting Service Control Privileges for Inedo Product’s Web Applications
IMPORTANT: using the built-in service command (i.e. ProGet.Service.exe AllowServiceControl
) to allow service control has been deprecated because
it does not work reliably on all versions of Windows, and may cause undesired affects (see troubleshooting).
Granting Service Control via subinacl.exe
- Download and install
subinacl.msi
from: https://www.microsoft.com/en-us/download/details.aspx?id=23510 - Once installed, invoke the tool specifying the
{service-name}
and{user-account}
as follows in an elevated command prompt or PowerShell window:&"C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe" /service {service-name} /grant="{user-account}"=F
Note: Common
{user-account}
values include:NT AUTHORITY\Network Service
,domain\userName
, andIIS APPPOOL\ProGet
-
You should see output similar to the following:
INEDOPROGETSVC : new ace for iis apppool\proget INEDOPROGETSVC : 1 change(s) Elapsed Time: 00 00:00:00 Done: 1, Modified 1, Failed 0, Syntax errors 0 Last Done : INEDOPROGETSVC
If the message does not indicate failure, the web application should now be able to control and transfer messages to and from the server.
Troubleshooting
If there are still problems with the service, it can be uninstalled and re-installed by running the service executable itself, for example:
&"C:\Program Files\ProGet\Service\ProGet.Service.exe" uninstall &"C:\Program Files\ProGet\Service\ProGet.Service.exe" install
“Error granting service control privileges: Access is Denied” message:
Ensure the command prompt or PowerShell console is running as Administrator when attempting to re-install.
If that still doesn’t resolve the issue, see the guidance below to reset the ACL.
ADVANCED: Resetting the Service’s ACL
If that still doesn’t resolve the issue, the ACL
may be malformed. The symptom of this is that the service doesn’t appear installed via a PowerShell Get-Service
command,
and it is not visible in the Service Control Manager.
The ACL can be reset with the following administrator PowerShell command that removes all ACEs from the service:
PS> Remove-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\{service-name}\Security"
Once that registry key is deleted, this operation will require a reboot of the server that the product is installed on. After a reboot,
the service should be able to be uninstalled and re-installed using the initial troubleshooting commands above, followed by
running subinacl.exe
as originally instructed.
Deprecated Method
Refer to this table – depending on which product you are using, enter the coinciding name, or abbreviation, into each space that has a red [product’s name] or [service].
The Inedo Product You’re Using | [product’s name] | [service] |
BuildMaster | bmservice | |
ProGet | ProGet.Service | |
Otter | Otter.Service |
In order to be able to restart a Windows service, you normally need to be running as a machine administrator. However, it may not be desirable or even permitted to run the [product’s name] web application as an administrator account in your environment. This means that you will not be able to control the service using the web interface.
If you see a message similar to:
The [product’s name] web application does not have sufficient privileges to restart the [product’s name] service.
…then you will need to grant the user account which is running the web application permission to start and stop the service. The easiest way to do this is to navigate the command prompt to the service install directory (default: C:\[product’s name]\Service) and run the following command:
[service].exe AllowServiceControl /User=[WebAppUserName]
Where [WebAppUserName] is the user account which the [product’s name] web application is running under (the AppPool user for IIS).
Note that you must run this command as an administrator.