I have a Windows service that is installed using the Visual Studio (2008) installer. I wanted to avoid running as System, so I have been manually 1) creating a new Windows account on the computer and 2) entering in the computername\username and password during installation.

I would like to have this require little user intervention, so I am interested in creating a new Windows user and automatically supplying the computer name, username, and password.

How would I accomplish this?

A: 

I think this will jeopardize the user's security, and if the service application is permitted to do this, it's also a bad practice. It'll also break the current security credentials.

As far as I know, any kind of Windows service runs a task that is supposed to be a background task, and it's always running in the background. It's always created with this intent: running a background task that is always running; therefore, any kind of dangerous action that requires user permission (i.e., that the user has to be aware of), such as creating a new user.

If I'm not mistaken, then by all means, your service application will always create new users without any notification, since a Windows service is always running in the background and doesn't have any UI. Therefore, on the application maintainability side, it's also not recommended. Not to mention that debugging a Windows service is quite hard for many of us.

eriawan
I'm not asking for my service to continually create user accounts - I'm asking about how to create a user account *for* my service upon installation. Part of my objective is to have better security, because I can create a user with more limited privileges than the superuser.
pc1oad1etter
Oh, you haven't said that in your initial question. It's quite easy then: just create custom actions in your MSI installation and you're done. You can find many samples of these on MSDN.
eriawan
How will this *break* current security credentials? That statement doesn't make much sense. He's essentially creating a service account. This is not unusual, and can be secured. It doesn't mean it can interact with the desktop, just that it is running with a different set of rights/credentials.
Mick
A: 

Create a custom action within your MSI to run the "sc.exe" command (which is installed on WinXP and newer systems). If you are concerned that sc.exe might not be on the system, then include it in your MSI, in either the binary table, or installed with the product.

After your MSI creates the service, have the custom action run the following (modify for your own user/pass):

sc config the_service_name obj= thedomain\johndoe password= stackoverflow

However, please note that storing the password directly in the MSI in clear text is an EXTREMELY bad idea.

An easy (and basic) solution is to use the free tool CPAU to encrypt the entire sc command above. You would encrypt this command (using CPAU) from your own system, and then pass this encoded string to CPAU (which you would need to include within your MSI, or install on the system --- in your custom action). CPAU will decode the string you pass in, which will decode to the sc command above, and will more securely set username and password on the service.

Mick
Mick, if I'm reading you correctly, you're still not describing a way to create a new user -- simply how to (more securely) assign a username and password to start the service, right?
pc1oad1etter
Also, the ProcessInstaller in Visual Studio *does* allow you to set a username and password for the installation - would that be the equivalent (security-wise) of having the sc utility configure the service (in cleartext), or does VS handle that better?
pc1oad1etter
True, I'll add a new comment with a way to do this.
Mick
A: 

Taken from this website

The simple answer is to use net user /add (/domain); however, it is possible to automate not only the addition of the user, but also his/her addition to groups and the creation of a template user account directory structure. Many organizations have a basic structure with Word and Excel directories and some template files. This can be automated with a basic script. For example:

REM addnew.bat -- usage: addnew.bat <username>
REM Replace the <server> and <group> placeholders before use. The literal "password"
REM is the initial password for every account created; supply your own value instead.
@echo off
if "%~1"=="" (echo usage: %~nx0 username & exit /b 1)

REM create the domain account with its home directory and logon script
net user %1 password /add /homedir:\\<server>\users\%1 /scriptpath:login.bat /domain

REM add the account to local groups (repeat this line for each local group)
net localgroup "<local group>" %1 /add

REM add the account to global groups (repeat this line for each global group)
net group "<groups>" %1 /add /domain

REM copy the template directory structure into the new home directory
REM (/i makes xcopy treat the missing destination as a directory without prompting)
xcopy \\<server>\users\template \\<server>\users\%1 /e /i

REM force replication to the BDC (repeat for all BDCs you might be authenticating to)
nltest /sync /server:BDCname

REM give replication a moment to finish (sleep comes from the Resource Kit;
REM on Vista and later "timeout /t 20" is the built-in equivalent)
sleep 20

REM remove the Everyone permission from the directory ...
cacls \\<server>\users\%1 /e /r Everyone
REM ... then grant full control to the new user and to Administrators
cacls \\<server>\users\%1 /g %1:F /e
cacls \\<server>\users\%1 /g Administrators:F /e
Mick
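To tie the thread together (the sc config answer and the net user script above), here is an added example, not from any poster, of doing the same thing inside the Visual Studio service installer itself: a C# installer class that creates the dedicated local account at install time with a random password and hands it to the ServiceProcessInstaller, so neither the MSI nor a script carries a clear-text password. The account and service names are hypothetical; it assumes .NET 3.5 with a reference to System.DirectoryServices.AccountManagement and that the installer runs elevated.

```csharp
using System;
using System.Collections;
using System.ComponentModel;
using System.Configuration.Install;
using System.DirectoryServices.AccountManagement;
using System.Security.Cryptography;
using System.ServiceProcess;

[RunInstaller(true)]
public class ProjectInstaller : Installer
{
    const string ServiceUser = "svc_myservice";               // hypothetical account name
    readonly ServiceProcessInstaller procInst = new ServiceProcessInstaller();
    readonly ServiceInstaller svcInst = new ServiceInstaller();
    public ProjectInstaller()
    {
        svcInst.ServiceName = "MyService";                    // hypothetical service name
        Installers.Add(procInst);
        Installers.Add(svcInst);
    }
    // Runs before the service is registered: create (or re-key) the local account and hand its
    // credentials to ServiceProcessInstaller, which also grants it the "Log on as a service" right.
    protected override void OnBeforeInstall(IDictionary savedState)
    {
        string password = NewRandomPassword(24);
        using (PrincipalContext ctx = new PrincipalContext(ContextType.Machine))
        {
            UserPrincipal user = UserPrincipal.FindByIdentity(ctx, ServiceUser);
            if (user == null)
                user = new UserPrincipal(ctx, ServiceUser, password, true); // enabled; member of "Users" only
            else
                user.SetPassword(password);                   // reinstall: rotate, never reuse a stored one
            user.UserCannotChangePassword = true;
            user.PasswordNeverExpires = true;
            user.Save();
        }
        procInst.Account = ServiceAccount.User;
        procInst.Username = @".\" + ServiceUser;
        procInst.Password = password;                         // lives only in this process, never in the MSI
        base.OnBeforeInstall(savedState);
    }
    // 64-symbol alphabet and 6 bits per character, so masking a random byte introduces no bias.
    static string NewRandomPassword(int length)
    {
        const string alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
        byte[] bytes = new byte[length];
        new RNGCryptoServiceProvider().GetBytes(bytes);
        return new string(Array.ConvertAll(bytes, b => alphabet[b & 63]));
    }
}
```

Pair this with an OnAfterUninstall override that deletes the account, so it does not outlive the service it was created for.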