oneflame Posted February 23, 2016 (edited)

Applies to: BTSync v.2.3.3 (296); Windows 7, 8/8.1, Windows 10 -- Home and Professional.

BTSync prompts to install as a service -- but doesn't follow Windows service account conventions as other programs do (IIS, MySQL, SQL Server, etc.).

Issues:

- Software Defect: Some installations (like BitTorrent Sync) will not install the Windows Service unless a regular user account is specified.
- Expected Behavior: Should automatically provide the correct NT Service account identity, or at least allow the user to.
- Security Issue: The user is forced to create another regular user account [which, as a best practice, should never be done].
- Workaround: After the appropriate Service Account is specified, this temporary user account should be deleted.

References

Windows does not use "Service Accounts" in the Linux sense, but rather "Virtual Accounts" and "Managed Service Accounts" (for machines participating in an LDAP environment).

Service Account Naming Convention:

By naming convention, it appears that the virtual accounts should follow the form "Command Name" - [Extension] + "svc".

"btsync.exe" becomes "NT Service\btsyncsvc"

Creating the Virtual "NT Service" Account:

1. Open up the Local Services snap-in, "services.msc".
2. Navigate to the desired service (btsync), right-click "Properties".
3. Select the "Log On" tab.
4. Select the option to specify a user.
5. Enter the "Conventional" service name described above (without quotes): NT Service\btsyncsvc
6. REMOVE the passwords.
7. Save - Apply.
8. Restart the Service.

Setting Folder Permissions:

Set folder permissions using the full account name, "NT Service\btsyncsvc" (using quotes may or may not be required depending on the context ...).

It is not necessary for the btsyncsvc to have execute permissions, so remove if you like -- otherwise, full control.
Error - Service Fails to Start due to "No Mapping Between Account Names and Security IDs":

For example, this error will occur if you specify "NT Service\btsync" rather than "NT Service\btsyncsvc" ...

The following command will return the list of current service account names. Using PowerShell (PS), verify the list against the one you have specified to use for "Log On":

    PS > get-service | foreach {Write-Host NT Service\$($_.Name)}

Error - Service Fails to Start because the Account has not been Granted Log On as a Service Permissions:

This error can occur if you have specified the incorrect "Conventional Name", or if the permissions really are missing -- though they will be automatically assigned if the correct convention is used.

In Windows 10 Home, the user will not be able to use the local security policy snap-in (secpol.msc) to configure this -- it must be done manually, through PowerShell or another utility.

PowerShell Scripts:

To fix this, it is possible to use PowerShell: "Grant-Log-on-as-a-service PowerShell Script, from Technet Gallery".

If PowerShell reports an "ExecutionPolicy Error", it may be necessary to change the ExecutionPolicy:

    PS > Set-ExecutionPolicy RemoteSigned

... May result in a signing error -- and then changed to:

    PS > Set-ExecutionPolicy Unrestricted

And then use the script to assign the permission:

    PS > .".\Add Account To LogonAsService.ps1" "NT Service\btsyncsvc"

Reset the ExecutionPolicy if desired:

    PS > Set-ExecutionPolicy Restricted

Hope this Helps!

Edited February 23, 2016 by oneflame: Clarified Topic, Tags, and fixed typos.
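A pre-flight check for the two start-up errors described in the post above, as an added example that is not part of the original post or of BTSync. It derives the virtual account from the service's short name, the same way the Get-Service one-liner in the post does; the default `$ServiceName` and `$SyncFolder` values are assumptions to replace with your own.

```powershell
# Added example. Defaults below are assumptions; confirm the service's
# short name with Get-Service and point $SyncFolder at a real sync folder.
param(
    [string]$ServiceName = 'btsyncsvc',   # assumed short name of the service
    [string]$SyncFolder  = 'D:\Sync'      # hypothetical folder path
)

$ErrorActionPreference = 'Stop'
$account = "NT Service\$ServiceName"

# 1. The service must be installed under exactly this short name.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    throw "No service named '$ServiceName'. Compare against Get-Service output."
}

# 2. Resolve the virtual account to a SID. A name that does not resolve is
#    what produces "No mapping between account names and security IDs".
try {
    $sid = ([System.Security.Principal.NTAccount]$account).Translate(
        [System.Security.Principal.SecurityIdentifier])
}
catch [System.Security.Principal.IdentityNotMappedException] {
    throw "'$account' does not resolve to a SID; check the spelling."
}

# 3. Compare with the account currently configured on the "Log On" tab.
if ($svc.StartName -ne $account) {
    Write-Warning "Service logs on as '$($svc.StartName)', not '$account'."
}

# 4. List the ACEs (explicit and inherited) this SID holds on the folder.
$rules = (Get-Acl -LiteralPath $SyncFolder).GetAccessRules(
    $true, $true, [System.Security.Principal.SecurityIdentifier])
$aces = @($rules | Where-Object { $_.IdentityReference.Value -eq $sid.Value })
if ($aces.Count -eq 0) {
    Write-Warning "'$account' has no access entry on '$SyncFolder'."
}

# Summary object, suitable for piping to Format-List or Export-Csv.
[pscustomobject]@{
    Service         = $ServiceName
    ConfiguredLogOn = $svc.StartName
    VirtualAccount  = $account
    Sid             = $sid.Value
    FolderRights    = ($aces | ForEach-Object {
                          "$($_.AccessControlType): $($_.FileSystemRights)"
                      }) -join '; '
}
```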
ivarson Posted February 23, 2016

A very good post. I've also requested a proper selection of service accounts during install. Feels like quite a hasty implementation. As it behaves and responds to standardized service calls (putting aside conventional setup and naming) I didn't call it a bug, but you might be right.
Loris Chiocca Posted February 24, 2016

Really good post indeed! I too think that using service accounts as a default would make this feature really complete.