Allowing a Non-Admin User to Start the EkranServer Service (and Configuring the Permissions for the User)
NOT AVAILABLE IN SAAS
To allow a non-admin user to start the EkranServer service, including configuring the required permissions for this user, do the following:
1. Log in as an administrator.
2. Press the Windows + R keys, and then enter "secpol.msc" in the Run window, and click OK.
3. The Local Security Policy window then opens.
4. Navigate to Local Computer Policy\Windows Settings\Security Settings in the console tree.
5. Expand the Local Policies node, and click on User Rights Assignment.
6. Add the required user account name for the EkranServer service to the following policies, and click OK:
• Act as part of the operating system
• Impersonate a client after authentication
• Log on as a service
• Replace a process level token
NOTE: Any changes made to the user permissions of a account only take effect the next time the owner of the account logs in.
7. To allow the non-admin user to perform specific actions, grant them the following permissions:
• Writing events to the log files (write permission):
- Navigate to the directory: C:\Program Files\Ekran System\Ekran System\ServerLogs
- Grant the non-admin user write permission for this directory.
• Using certificate-based encryption (write permission):
- Navigate to the directory: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
- Grant the non-admin user write permission for this directory.
• Writing events to the Event Log (write permission):
- Open the Registry Editor (by pressing the Windows + R keys, then type "regedit", and press Enter).
- Navigate to the registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Ekran System
- Grant the non-admin user write permission for this registry key.
• Writing to the registry (write permission):
- Open the Registry Editor.
- Navigate to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem
- Grant the non-admin user write permission for this registry key.
• Reading and writing to the registry (read and write permissions):
- Open the Registry Editor.
- Navigate to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY
- Grant the non-admin user both read and write permissions for this registry key.
NOTE: After updating to Ekran System version 6.53.1 or higher, the Application Server can no longer be configured in the registry, which is now done instead by way of the "EkranServer.Settings.config" file (located in: C:\Program Files\Ekran System\Ekran System\Server). Therefore, after updating to version 6.53.1 or higher, all settings previously configured in the registry remain the same, but are now instead stored in the .config file (e.g. <add key="<name_of_key>" value="<value_of_key>" />), and can only be modified in this file. For this reason, all instructions above concerning configuration of the Application Server in the registry, no longer apply to the registry, but instead apply to the .config file.
If, after following the steps above, the access issues are not resolved for the non-admin user, the Process Monitor (Procmon) application can be used to check for any denied access, by doing the following:
1. Open the Process Monitor application.
2. Open the Process Monitor Filter (e.g. by clicking on the Filter icon on the toolbar in the top left), and then specify the conditions "Process Name is EkranServer.exe", and click the Include > Add > OK buttons.
3. Click the Clear button on the toolbar to clear the events.
4. Open the EkranServer service properties, and select Take No Action.
5. Restart the EkranServer service.
6. In Process Monitor, exclude all results except those with Access Denied, by right-clicking on a result and selecting Exclude in the context menu.
7. Grant the required permissions for each directory/key in the registry.