VERIFIED SOLUTION

How to set up the Portrait Foundation Services to run under a non-administrative domain account

Product Feature: Installation
 
DESCRIPTION
This article describes how to set up the Portrait Services to run under a non-administrative domain account. This is sometimes required when there is a need to reduce the permission level under which the services run.
SUMMARY
The following steps need to be taken:
1) Set user permissions for the registry,
2) Set user permissions on the file system,
3) Set the DCOM permissions,
4) Set the permissions on the Service Manager,
5) Set the permissions on the Portrait Services.

DETAIL
1. Open the registry (regedit.exe) and navigate to the HKLM\SOFTWARE\PST node (HKLM\SOFTWARE\Wow6432Node\PST on an x64 machine). Right-click the node and select Permissions... from the pop-up menu. Add the service account and give it 'Full Control' of this registry node. Repeat for any other implementation-specific nodes in the registry.
2. Open Windows Explorer and navigate to each of the areas of the file system that are used by Portrait. For each folder, right-click and choose Properties, then switch to the Security tab. Add the service account and give it 'Full Control' of the folder.
The folders to cover include:

· C:\Program Files\PST (or C:\Program Files (x86)\PST on an x64 machine)
· C:\Portrait Implementation (if applicable)
· C:\PerfLogs\Admin (or other PerfMon location)
· Any other implementation-specific folders
3. Open the DCOM configuration tool (dcomcnfg.exe), navigate to My Computer and then DCOM Config, and find the four services whose names are prefixed with the Portrait system name (MyPortrait by default). Right-click each one, open the Properties dialog and select the Security tab. For both the 'Launch and Activation Permissions' and 'Access Permissions' sections, change the radio button to Customize and click the Edit... button. Add the service account and give it "Local Launch & Local Activation" and "Local Access" permissions respectively. Repeat for all four services.
4. The Service Control Manager (SCManager) needs to be altered so that your service account has full control over it. See below for details.
5. The four Portrait Services need to be updated so that the non-administrative service account can start, stop and otherwise control them. See below for details.
Workaround for steps (4) and (5)
These steps are quite tricky and should only be undertaken by someone who is familiar with the control and permissions of services within Windows.
The first step is to download a Microsoft tool called SubInAcl.exe, which is freely available from the Microsoft download site. The tool significantly simplifies step (5).
In the same folder as SubInAcl.exe, create a batch file containing the following text:
@echo off
rem   ***********************************************************************
rem   This batch file will allow a domain account that is not a member of the
rem   machine's administrator group to be used to run the Portrait Services.
rem   ***********************************************************************
 
set /P sysname="What is the name of your Portrait system (e.g. MyPortrait)? "
set /P domain="What is the domain of the Portrait Service account that you want to have permissions? "
set /P user="What is the username of the Portrait Service account that you want to have permissions? "
 
rem   Set the access for SCManager first. We require SC_MANAGER_ALL_ACCESS for this account...
rem   The following will give full access to SCManager to all Authenticated Users.
sc.exe sdset SCManager D:(A;;KA;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
 
rem   Now give the account full permissions on the four Portrait Services...
FOR %%A IN (Controller ClientEvents ServiceHostPrimary ServiceHostAlternate) DO SubInAcl /outputlog=%%A_Permissions_Change.txt /service %sysname%%%A /grant=%domain%\%user%=F
pause
Save the file in the same folder with the name ApplyServicesPerms.bat.
Running the file from an elevated command prompt will prompt you for the Portrait system name and the domain and username of the service account. It will then apply steps (4) and (5) above for you.
Undoing steps (4) and (5)
If you wish to undo steps (4) and (5) as applied by the above script, copy the following script and run it instead. Permissions will be returned to their values from before the above script was run.
@echo off
rem   ***********************************************************************
rem   This batch file will allow a domain account that is not a member of the
rem   machine's administrator group to be used to run the Portrait Services.
rem   ***********************************************************************
 
set /P sysname="What is the name of your Portrait system (e.g. MyPortrait)? "
set /P domain="What is the domain of the Portrait Service account where you want to revoke permissions? "
set /P user="What is the username of the Portrait Service account where you want to revoke permissions? "
 
rem   Revoke the account's full permissions on the four Portrait Services
FOR %%A IN (Controller ClientEvents ServiceHostPrimary ServiceHostAlternate) DO SubInAcl /outputlog=%%A_Permissions_Revoke.txt /service %sysname%%%A /revoke=%domain%\%user%
 
rem   Reset the Authenticated User access for SCManager to Connect only.
sc.exe sdset scmanager D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
pause

Save the file in the same folder with the name RevokeServicesPerms.bat. Run the file from an elevated command prompt and supply the same details as above.
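The two sc.exe sdset lines above differ only in the Authenticated Users ACE on the Service Control Manager's security descriptor. The following Python helper is an added example, not part of this article or of the batch files it describes: it parses those SDDL strings, reports which trustee gains or loses which SCManager rights, and builds an alternative descriptor that grants full SCManager access to a single account SID rather than to all Authenticated Users. Looking up the real service account's SID is assumed to be done separately; any SID passed in is a constructed placeholder.

```python
import re
# Well-known SID abbreviations that appear in the article's SDDL strings.
TRUSTEES = {"AU": "Authenticated Users", "IU": "Interactive", "SU": "Service",
            "SY": "Local System", "BA": "Builtin Administrators", "WD": "Everyone"}
# SDDL rights letters -> access-mask bits; KA (0xF003F) equals SC_MANAGER_ALL_ACCESS.
RIGHT_BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
              "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
              "WD": 0x40000, "WO": 0x80000, "KA": 0xF003F}
# The same bits, named as they apply to the Service Control Manager object.
SCM_RIGHTS = {0x1: "CONNECT", 0x2: "CREATE_SERVICE", 0x4: "ENUMERATE_SERVICE", 0x8: "LOCK",
              0x10: "QUERY_LOCK_STATUS", 0x20: "MODIFY_BOOT_CONFIG", 0x10000: "DELETE",
              0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
SC_MANAGER_ALL_ACCESS = 0xF003F
# What ApplyServicesPerms.bat sets, and what RevokeServicesPerms.bat restores (the default).
GRANT_SDDL = ("D:(A;;KA;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)"
              "(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")
RESTORE_SDDL = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)"
                "(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")

def rights_mask(field):
    mask = 0
    for i in range(0, len(field), 2):  # an SDDL rights field is a run of 2-letter codes
        mask |= RIGHT_BITS[field[i:i + 2]]
    return mask

def dacl_allow_aces(sddl):
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # drop the audit (SACL) part
    grants = {}  # trustee -> union of its access-allowed rights in the D: section
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, _flags, rights, _obj, _iobj, sid = ace.split(";")[:6]
        if ace_type == "A":  # access-allowed; the page's strings contain no deny ACEs
            name = TRUSTEES.get(sid, sid)
            grants[name] = grants.get(name, 0) | rights_mask(rights)
    return grants

def describe(mask):
    if mask & SC_MANAGER_ALL_ACCESS == SC_MANAGER_ALL_ACCESS:
        return "SC_MANAGER_ALL_ACCESS"
    return "|".join(n for bit, n in sorted(SCM_RIGHTS.items()) if mask & bit)

def diff_grants(before, after):
    """Trustees whose SCManager rights differ between two SDDL strings, as (old, new)."""
    a, b = dacl_allow_aces(before), dacl_allow_aces(after)
    return {t: (describe(a.get(t, 0)), describe(b.get(t, 0)))
            for t in a.keys() | b.keys() if a.get(t, 0) != b.get(t, 0)}

def scoped_sddl(account_sid):
    # Default DACL plus full control for ONE SID, not for every authenticated user.
    dacl, sacl = RESTORE_SDDL.split("S:", 1)
    return "%s(A;;KA;;;%s)S:%s" % (dacl, account_sid, sacl)
```

diff_grants(RESTORE_SDDL, GRANT_SDDL) shows the single change the batch files make; scoped_sddl("<service account SID>") yields a descriptor that keeps the default for everyone else.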
WEB TIER
The above scripts are correct for both a single-box environment and for the process server tier of a split-box environment. For the web tier of a split-box environment, replace the SubInAcl line with the following, which names the web-tier services instead:
FOR %%A IN (Controller ClientEvents WebServicePrimary WebServiceAlternate) DO SubInAcl /outputlog=%%A_Permissions_Change.txt /service %sysname%%%A /grant=%domain%\%user%=F
 
UPDATED:  April 12, 2017