oneflame

BTSync Windows Service Account - Bug & Work Around


Applies to:

BTSync v.2.3.3 (296)

Windows 7, 8/8.1, Windows 10 -- Home and Professional.

BTSync prompts to install as a service -- but doesn't follow Windows service account conventions as other programs do, (IIS, MySQL, SQL Server, etc).

Issues:

  1. Software Defect: Some installations, (like BitTorrent Sync), will not install the Windows Service -- unless a regular user account is specified.  
  2. Expected Behavior: Should automatically provide the correct NT Service account identity, or at least allow the user to.
  3. Security Issue: The user is forced to create another regular user account, [which as a best practice, should never be done].  
  4. Workaround: After the Appropriate Service Account is specified, this temporary user account should be deleted.

References

  1. Windows does not use "Service Accounts" -- in the Linux sense, but rather "Virtual Accounts" and "Managed Service Accounts", (for machines participating in an LDAP environment).
  2. Service Account Naming Convention: By Naming Convention, it appears that the virtual accounts should follow the form, "Command Name" - [Extension] + "svc"

    "btsync.exe" becomes "NT Service\btsyncsvc"

Creating the Virtual "NT Service" Account:

  1. Open up the Local Services snap-in, "services.msc"
  2. Navigate to the desired service, (btsync), right-click "Properties".
  3. Select the "Log On" tab.
  4. Select the option to specify a user.
  5. Enter the "Conventional" service name, described above: (without quotes).

    NT Service\btsyncsvc

  6. REMOVE the passwords.

  7. Save - Apply
  8. Restart the Service.

Setting Folder Permissions:

Set folder permissions -- using the full account name: "NT Service\btsyncsvc", (using quotes may or may not be required depending on the context ...) ...

It is not necessary for the btsyncsvc to have execute permissions, so remove if you like -- otherwise, full control.

Error - Service Fails to Start due to "No Mapping Between Account Names and Security IDs":

For example, this error will occur if you specify, "NT Service\btsync" rather than "NT Service\btsyncsvc" ...

The following command will return the list of current service account names.

Using PowerShell, (PS), Verify the list against the one you have specified to use for "Log On":

PS > get-service | foreach {Write-Host NT Service\$($_.Name)}

Error - Service Fails to Start because the Account has not been Granted Log On as a Service Permissions:

This error can occur if you have specified the incorrect "Conventional Name", or if the permissions really are missing -- though will be automatically assigned if the correct convention is used.

In Windows 10 Home, the User will not be able to use the local security policy snap-in to configure this, (secpol.msc) -- and must be done manually, through PowerShell, or other utility.

PowerShell Scripts:

To fix this, it is possible to use PowerShell. "Grant-Log-on-as-a-service PowerShell Script, from Technet Gallery":

If PowerShell reports an "ExecutionPolicy Error", it may be necessary to change the ExecutionPolicy:

PS > Set-ExecutionPolicy RemoteSigned

... May Result in a signing error -- And then changed to:

PS > Set-ExecutionPolicy Unrestricted

And then use the Script to assign the permission:

PS > . ".\Add Account To LogonAsService.ps1" "NT Service\btsyncsvc"

Reset the ExecutionPolicy if desired:

PS > Set-ExecutionPolicy Restricted

Hope this Helps!

 

Edited by oneflame
Clarified Topic, Tags, and fixed type-os.
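
Added example, not part of oneflame's post and not BitTorrent's code: a read-only PowerShell check for the two failure points described above, namely whether the "Log On" account resolves to a SID and whether it has rights on the sync folder. It assumes PowerShell 3.0 or later, that the service's short name is `btsyncsvc` (inferred from the account name in the post), and a hypothetical folder `D:\Sync`.

```powershell
# Added example (not from the original post). Read-only: it changes nothing.
# Assumptions: the service's short name is 'btsyncsvc' (inferred from the
# account name used in the post) and 'D:\Sync' is a hypothetical sync folder.
function Test-ServiceVirtualAccount {
    param(
        [string]$ServiceName = 'btsyncsvc',
        [string]$SyncFolder  = 'D:\Sync'
    )

    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) {
        throw "No service with short name '$ServiceName'; list them with Get-Service."
    }

    # Windows names the virtual account after the service's short name.
    $account = "NT SERVICE\$($svc.Name)"

    # Resolve the name to a SID. If this fails, the service would fail to start
    # with "No mapping between account names and security IDs".
    $sidValue = $null
    try {
        $nt       = New-Object System.Security.Principal.NTAccount($account)
        $sidValue = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        Write-Warning "'$account' does not resolve to a SID: $($_.Exception.Message)"
    }

    # Compare folder ACEs by SID so display-name casing cannot cause a miss.
    $rights = @()
    if ($sidValue -and (Test-Path -LiteralPath $SyncFolder)) {
        $rules  = (Get-Acl -LiteralPath $SyncFolder).GetAccessRules(
                      $true, $true, [System.Security.Principal.SecurityIdentifier])
        $rights = @($rules | Where-Object { $_.IdentityReference.Value -eq $sidValue } |
                    ForEach-Object { "$($_.AccessControlType): $($_.FileSystemRights)" })
    }

    [pscustomobject]@{
        Service        = $svc.Name
        ConfiguredAs   = $svc.StartName      # what the "Log On" tab currently holds
        VirtualAccount = $account
        LogOnMatches   = ($svc.StartName -ieq $account)
        Sid            = $sidValue
        FolderRights   = $rights             # empty means no ACE for the account
    }
}

Test-ServiceVirtualAccount | Format-List
```

An empty `Sid` corresponds to the "No Mapping" error; `LogOnMatches` being false means the service is still running under some other account, such as the temporary user created during install.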


A very good post. I've also requested a proper selection of service accounts during install. Feels like quite a hasty implementation. As it behaves and responds to standardized service calls (put aside conventional setup and naming), I didn't call it a bug, but you might be right.
