service will not start when i specify a username and pwd



stealth
06-24-2007, 03:17 PM
hi,
i have a tiny app that installs a service. it works fine when i install it and don't specify a username and password. it therefore installs and starts under the local system account.

my goal is to get it to start using a particular account \\europa\sysRB. when i specify the account and the password i get the following error when i try to install:-

Error 1920.Service TestService failed to start. Verify that you have sufficient privileges to start system services.

Can anyone explain what i need to do to get this to work?

Christopher Painter
06-24-2007, 09:09 PM
Did you grant that account the right to run as a service? If I recall, the ServiceInstall action doesn't do this. Go to MMC | Services and change the service from LocalSystem to the account you mentioned and you should see a pop-up that says it was granted the right. Then uninstall and run your install.... if it works, that was your problem.

stealth
06-25-2007, 08:51 AM
thx for the help, you are spot on.
what i need now is to add this piece of mmc work into my package so it is all automated.

it's a long shot but do you have any cmd line or vbs that i can use to give the user europa\sysRb the ability to install, start and run services on the destination box?

Christopher Painter
06-25-2007, 09:13 AM
You want to grant the SeServiceLogonRight to the SID of the domain account.

I never actually coded this because the only time I've ever needed this was at Continental Airlines and we solved the problem by adding the right to a Group Policy Object that was associated to the OU that contained all of our targets.

I don't know if it's redistributable or not, but there is an EXE out there called ntrights.exe that does the trick nicely. Search this forum and you'll find some InstallScript examples. Otherwise I also found a KB article explaining how to do it in straight C++/Win32 if you don't want to redist the ntrights.exe.

http://support.microsoft.com/kb/132958

There are also some C# examples out there, but I was having a hard time finding VBScript examples for some reason. Seems that the ADSI/WMI classes don't expose this but I'm not 100% certain on that.

lostboy
06-27-2007, 03:38 PM
stealth,

I have the same issue. Did you find a resolution to this?

stealth
06-28-2007, 05:40 AM
hi lostboy,
have had to put this on the back burner for the moment but i was nearly there, thanks to the posts above and some research.
you need to use ntrights.exe and use the cmd line below.
this will give the user myAccID the ability to start services.
Ensure you do this action before you start the service in your sequence.
I have not tested this yet but i am 90% sure it will work.
let me know how you fare out!

YourPath\NTRIGHTS.EXE -u myAccID +r SeServiceLogonRight

lostboy
06-28-2007, 11:22 AM
stealth,

I've had limited success so far, in the sense that the call seemed to have worked (no errors during the ntrights call), but I still encounter the error during the InstallServices phase. I had the script run on After InstallODBC during Immediate Execution. I don't know if this is the right place to put the calls, but I can tell you it's not in the UI phase because it has to be a silent install (but should it be in Deferred Exec? - not sure).

My code scripts are here:

function AllowLogonUser(hMSI)
    STRING szUsername;
    NUMBER nBuffer;
begin
    // Set the buffer size before reading the property.
    nBuffer = 256;
    MsiGetProperty(hMSI, "UNAME", szUsername, nBuffer);
    // Hand the helper's status back to Windows Installer.
    return EnableStartServiceRights(hMSI, szUsername);
end;

function EnableStartServiceRights(hMSI, szUser)
    NUMBER nvStatus;
begin
    // Run the installation in a normal Window;
    // Per IS Help ("LaunchAndWait"):
    // After InstallShield launches the application, it searches for the
    // window handle of the launched application. If it finds the window
    // handle and the LAAW_OPTION_WAIT option is specified, it waits until
    // the application window disappears before continuing.

    Enable (BACKGROUND);
    Enable (DEFWINDOWMODE);

    // Grant "Log on as a service" to the account with ntrights.exe.
    if (LaunchAppAndWait (SUPPORTDIR^"ntrights.exe", "-u " + szUser + " +r SeServiceLogonRight", WAIT) < 0) then
        nvStatus = ERROR_INSTALL_FAILURE;
    else
        nvStatus = ERROR_SUCCESS;
    endif;

    return nvStatus;
end;


The partial log file output:

... SNIP ...

MSI (s) (A0:40) [10:58:24:789]: Doing action: imm_iss_EnableStartServiceRights
Action 10:58:24: imm_iss_EnableStartServiceRights.
Action start 10:58:24: imm_iss_EnableStartServiceRights.
MSI (s) (A0:3C) [10:58:24:914]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI436.tmp, Entrypoint: f3
InstallShield 10:58:24: Running InstallScript function f3
InstallShield 10:58:25: Using temp folder E:\TEMP\{8F607EF4-98EC-456A-9797-BDB55D6D91E9}
InstallShield 10:58:25: Installing engine...
InstallShield 10:58:25: Using product language 1033
InstallShield 10:58:25: Extracting support file setup.inx to E:\TEMP\{8F607EF4-98EC-456A-9797-BDB55D6D91E9}\setup.inx
InstallShield 10:58:25: Opening stream of file C:\WINDOWS\Installer\MSI436.tmp
InstallShield 10:58:25: Extracting support file ISRT.dll to E:\TEMP\{8F607EF4-98EC-456A-9797-BDB55D6D91E9}\ISRT.dll
InstallShield 10:58:25: Extracting support file IsConfig.ini to E:\TEMP\{8F607EF4-98EC-456A-9797-BDB55D6D91E9}\IsConfig.ini
InstallShield 10:58:25: Extracting support file _isres1033.dll to E:\TEMP\{8F607EF4-98EC-456A-9797-BDB55D6D91E9}\_isres.dll
InstallShield 10:58:25: Extracting support file String1033.txt to E:\TEMP\{8F607EF4-98EC-456A-9797-BDB55D6D91E9}\String1033.txt
InstallShield 10:58:26: Skipping optional support file _isuser1033.dll
InstallShield 10:58:26: Setting script cmdline...
InstallShield 10:58:26: Using ISSCRIPTDEBUG: 1
InstallShield 10:58:26: ProductCode is {C76E7338-DDE3-4718-BE16-431B27133DE0}
InstallShield 10:58:26: Initializing Engine
InstallShield 10:58:26: Done Initializing...
InstallShield 10:58:26: Registering Msi Server...
InstallShield 10:58:26: Invoking script function AllowLogonUser
InstallShield 10:58:28: CallScriptFunctionFromMsiCA() ends
Action ended 10:58:28: imm_iss_EnableStartServiceRights. Return value 1.
MSI (s) (A0:40) [10:58:28:742]: Doing action: RegisterTypeLibraries

... SNIP ...

Action 10:58:32: InstallServices. Installing new services
MSI (s) (A0:40) [10:58:32:211]: Executing op: ProgressTotal(Total=1,Type=1,ByteEquivalent=1300000)
MSI (s) (A0:40) [10:58:32:211]: Executing op: ServiceInstall(Name=MyWinService,DisplayName=MyWinService,ImagePath=E:\MyApps\MyWinService\My.ServiceHost.exe,ServiceType=272,StartType=2,ErrorControl=1,,,,StartName=SOMEUSER,Password=**********,Description=My Windows Service)
Error 1923.Service MyWinService (MyWinService) could not be installed. Verify that you have sufficient privileges to install system services.
MSI (s) (A0:40) [10:58:37:867]: Product: MyWinService -- Error 1923.Service MyWinService (MyWinService) could not be installed. Verify that you have sufficient privileges to install system services.

Are you sure you want to cancel?
Action ended 10:58:39: InstallFinalize. Return value 3.

... SNIP ...

Hopefully, you or another guru in this forum can help me figure this one out. Thanks!

Christopher Painter
06-28-2007, 11:42 AM
Execute sequence is correct since you want to be able to support silent installs.

Considering you need Admin privs to grant the user right to the account, Immediate execution would not be correct for two reasons:

1) Immediate runs with impersonation so on a managed ( elevated ) install the CA wouldn't have enough priv to execute. Also on Vista it would fail because of the split token unless you bootstrap the whole package to run as Admin.

2) Immediate is not transactional... you can't rollback the granting of permission if the install is aborted

You need to create an immediate/deferred ( system context ) pattern with rollback and uninstall capabilities. The deferred CA also needs to be sequenced before the service installation standard custom action.

lostboy
06-28-2007, 12:14 PM
Chris,

Thanks for clarifying some of that for me. Here's what I tried as a process of elimination:

1. Went to Group Policy manager and allowed my user [UNAME] to logon as a service.
2. Disabled the call to ntrights.exe in IS.
3. Ensured that the [UNAME] and [PASSWORD] properties (passed in via cmdline) are in the "Install NT Service" section (with the []).

When I ran the Basic MSI, I still get the error at the InstallServices point. So even if the user account was already allowed to "logon as a service", I still have this error. I'm starting to wonder if since I'm using user-defined properties, they may have to be passed in via CustomActionData (maybe it executes in Deferred mode)?

If I leave the "User Name" and "Password" fields blank, no problem.

Christopher Painter
06-28-2007, 12:49 PM
No, you can put user and pass in the service table and it'll work... it's only in your CA's that you need to pass the information that way.

BTW I remember some other fun from `the old days`.... this service account, sometimes people/processes would lock the password on the domain and it would unlock after a few minutes. The result was an install that would fail but then work a few minutes later.

Is there any way you can refactor your service so that it runs as LocalSystem but then uses impersonation to do whatever it needs the service account for? That would be the cleaner way to solve all of this probably.

lostboy
06-28-2007, 03:27 PM
Chris,

Unfortunately, refactoring is not an option. That's how the servers are set up and to change it would involve affecting over 1700 machines. And, of course, everyone gives short notice but wants it yesterday. :o

Well, if a public property can be added to the service table without any other changes, then I'm even more stumped. I talked to the server guys and, yes, the user account is allowed "logon as service" rights on the servers. So it's just a matter of putting the username and password into the service table, I would think.

I'm going to take another look at the Control NT Services to see if I missed something.

lostboy
06-29-2007, 02:53 PM
I'm running out of ideas.

Everything else looks fine, and the MSI runs without a hitch if the "User Name" and "Password" fields in "Install NT Services" are left blank (ie, run as LocalSystem). As soon as I put in "[UNAME]" and "[PASSWORD]" (public properties with values obtained via cmd line), it blows chunks ("Verify that you have sufficient privileges to install system services").

Somebody must have gone through this before...? :(

lostboy
07-03-2007, 03:47 PM
OK, found my problem...and it's a silly one. I forgot to set "Interact with Desktop" to "No".

*sigh* I amaze myself sometimes... Well, better late than never! :o
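
Added example, not part of any post in this thread: the log above already showed the cause, since ServiceType=272 is 0x110 (own process plus the interactive flag) and Windows only accepts the interactive flag for a service running as LocalSystem. This Python check scans a verbose MSI log for that combination; the function names and the second sample line are constructed for illustration.

```python
import re

# Service type bits from winsvc.h; the MSI ServiceInstall op logs them in decimal.
SERVICE_WIN32_OWN_PROCESS = 0x010
SERVICE_INTERACTIVE_PROCESS = 0x100

OP_RE = re.compile(r"Executing op: ServiceInstall\((?P<args>.*)\)\s*$")
# Account names that mean "run as LocalSystem" (compared case-insensitively).
LOCAL_SYSTEM = {"", "localsystem", r".\localsystem", r"nt authority\system"}


def parse_service_install(line):
    """Return the named arguments of a ServiceInstall op line, or None."""
    m = OP_RE.search(line)
    if m is None:
        return None
    fields = {}
    # Naive comma split: good enough for the fields checked here; a comma
    # inside Description would only produce an unnamed fragment, which is skipped.
    for part in m.group("args").split(","):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_log(lines):
    """List (service, ServiceType, StartName) where the interactive flag
    is combined with an account other than LocalSystem."""
    findings = []
    for line in lines:
        op = parse_service_install(line)
        if op is None:
            continue
        stype = int(op.get("ServiceType", "0"))
        account = op.get("StartName", "")
        if stype & SERVICE_INTERACTIVE_PROCESS and account.lower() not in LOCAL_SYSTEM:
            findings.append((op.get("Name"), stype, account))
    return findings


SAMPLE = [
    # Line taken from the log posted in this thread.
    r"MSI (s) (A0:40) [10:58:32:211]: Executing op: ServiceInstall(Name=MyWinService,DisplayName=MyWinService,ImagePath=E:\MyApps\MyWinService\My.ServiceHost.exe,ServiceType=272,StartType=2,ErrorControl=1,,,,StartName=SOMEUSER,Password=**********,Description=My Windows Service)",
    # Constructed line: same service with "Interact with Desktop" set to No (ServiceType=16).
    r"MSI (s) (A0:40) [11:02:10:105]: Executing op: ServiceInstall(Name=MyWinService,DisplayName=MyWinService,ImagePath=E:\MyApps\MyWinService\My.ServiceHost.exe,ServiceType=16,StartType=2,ErrorControl=1,,,,StartName=SOMEUSER,Password=**********,Description=My Windows Service)",
]

if __name__ == "__main__":
    for name, stype, account in check_log(SAMPLE):
        print(f"{name}: ServiceType={stype:#x} is interactive but StartName={account}")
```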