
Allowing a Non-Admin User to Start the EkranServer Service (by Configuring the User Permissions)

NOT AVAILABLE IN SAAS


To allow a non-admin user to start the EkranServer service, configure the required permissions for this user as follows:

1. Log in as an administrator.

2. Press the Windows + R keys, enter "secpol.msc" in the Run window, and then click the OK button.

   

3. The Local Security Policy window then opens.

4. In the Security Settings folder, expand the Local Policies folder, and then click on the User Rights Assignment folder (see the screenshot below).

5. In the main (right-hand) pane displaying the Policy list, find each of the following 4 policies:

- Act as part of the operating system

- Impersonate a client after authentication

- Log on as a service

- Replace a process level token

6. For each of these 4 policies, do the following:

- Right-click on the policy, and select Properties.

- In the Properties pop-up window that opens, click the Add Users or Group button.

- In the Select Users, Computers, Service Accounts, or Groups pop-up window that opens, in the Enter the object names to select field, search for the required user (i.e. the non-admin user that you want to allow to start the EkranServer service) by entering the username (or part of the username), and then click the Check Names button, add the required user, and click OK in all the pop-up windows.

   

NOTE: Any changes made to the user permissions of an account only take effect the next time the owner of the account logs in.

7. Press the Windows + R keys, and then enter "regedit" in the Run window, and click the OK button.

    

8. In the Registry Editor window that opens, allow the non-admin user to perform specific actions by granting them the Full Control permission for the following 3 registry keys:

To write events to the EventLog:

- Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Ekran System registry key, right-click on it, and select Permissions.

   

- In the Permissions for Ekran System pop-up window that opens, click the Add button.

 

- In the Select Users, Computers, Service Accounts, or Groups pop-up window that opens, in the Enter the object names to select field, search for the required user (i.e. the non-admin user that you want to allow to start the EkranServer service) by entering the user name (or part of the user name), click the Check Names button, add the required user, and then click the OK button to close this pop-up window.

   

- In the Permissions for Ekran System pop-up window, select the user that you added, and then select the checkbox to allow the Full Control permission for them, and click the OK button to close this popup window.

   

To write to the registry: Allow the non-admin user the Full Control permission for the HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem registry key (in a similar way as above).

To read from and write to the registry: Allow the non-admin user the Full Control permission for the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY registry key (in a similar way as above).

9. Allow the non-admin user to perform specific actions, by granting them the Full control permission for the following 2 directories:

To write events to the ServerLogs:

- Navigate to the C:\Program Files\Ekran System\Ekran System\ServerLogs directory, then right-click on it, and select Properties.

   

- In the ServerLogs Properties pop-up window that opens, select the Security tab, and then click the Edit button.

   

- In the Permissions for ServerLogs pop-up window that opens, click the Add button.

   

- In the Select Users, Computers, Service Accounts, or Groups pop-up window that opens, in the Enter the object names to select field, search for the required user (i.e. the non-admin user that you want to allow to start the EkranServer service) by entering the user name (or part of the user name), and then click the Check Names button, add the required user, and then click the OK button to close this popup window.

   

- In the Permissions for ServerLogs pop-up window, select the user that you added, and then select the checkbox to allow the Full control permission for them, and then click the OK button in both pop-up windows to close them.

   

To use certificate-based encryption: Allow the non-admin user the Full control permission for the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys directory (in a similar way as above).
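
The four user rights in step 5 and Full control on the MachineKeys directory are high-privilege grants, so it is worth confirming that they ended up on exactly the intended account. The following PowerShell audit is an added example, not part of the original procedure or of the product. The account name is a hypothetical placeholder, and the privilege constants are the standard Windows names for the four policies as they appear in a secedit export.

```powershell
# Added example: audit the grants from steps 5-9 for one account. Run elevated.
# $Account is a hypothetical placeholder, not a name from the product.
$Account = 'CONTOSO\svc-ekran'
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Step 5: the four policies and the constants they use in a secedit export.
$rights = [ordered]@{
    'Act as part of the operating system'       = 'SeTcbPrivilege'
    'Impersonate a client after authentication' = 'SeImpersonatePrivilege'
    'Log on as a service'                       = 'SeServiceLogonRight'
    'Replace a process level token'             = 'SeAssignPrimaryTokenPrivilege'
}
$cfg = Join-Path $env:TEMP 'user-rights-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content -LiteralPath $cfg
Remove-Item -LiteralPath $cfg

$report = @(foreach ($name in $rights.Keys) {
    $line = $policy | Where-Object { $_ -match "^$($rights[$name])\s*=" }
    # Holders appear as *SID or, for some accounts, as a plain name.
    $holders = @()
    if ($line) { $holders = @(($line -split '=', 2)[1].Split(',').Trim().TrimStart('*')) }
    $named = @($Account, $Account.Split('\')[-1])
    $byName = [bool]($holders | Where-Object { $named -contains $_ })
    [pscustomobject]@{ Check = $name; Granted = ($holders -contains $sid) -or $byName }
})

# Steps 8 and 9: Full Control on the three registry keys and two directories.
$paths = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Ekran System'
    'HKLM:\SOFTWARE\EkranSystem'
    'HKLM:\SOFTWARE\Microsoft\SystemCertificates\MY'
    'C:\Program Files\Ekran System\Ekran System\ServerLogs'
    'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'
)
$report += foreach ($p in $paths) {
    $acl   = Get-Acl -LiteralPath $p
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    # Only ACEs that name the account directly are matched, not group membership.
    $hit = $rules | Where-Object {
        $_.IdentityReference.Value -eq $sid -and $_.AccessControlType -eq 'Allow' -and
        "$($_.RegistryRights)$($_.FileSystemRights)" -match 'FullControl'
    }
    [pscustomobject]@{ Check = $p; Granted = [bool]$hit }
}
$report | Format-Table -AutoSize
```

Running the same report for other accounts shows whether any of these grants were left behind on an account that no longer needs them.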


If an error message is displayed while performing the final step above (i.e. when allowing the non-admin user the Full control permission for the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys directory), do the following to resolve the issue:

1. Press the Windows + R keys, and then enter "mmc" in the Run window, and click the OK button.

    

2. In the Console1 - [Console Root] window that opens, select the File menu, and then select Add/Remove Snap-in.

    

3. In the Add or Remove Snap-ins window that opens, select Certificates, and then click the Add button.

    

4. In the Certificates snap-in window that opens, select Computer account, and then click the Next button.

    

5. In the Select Computer window that opens, make sure that Local computer is selected, and then click the Finish button.

    

6. In the Add or Remove Snap-ins window, click the OK button.

    

7. In the Console1 - [Console Root] window, double-click on Certificates (Local Computer) in the Name pane (in the middle).

    

8. Double-click on Personal in the Logical Store Name pane (in the middle).

    

9. Double-click on Certificates in the Object Type pane (in the middle).

    

10. Right-click on EkranMasterCertificate, and select All Tasks, and then select Manage Private Keys.

    

11. In the Permissions for EkranMasterCertificate private keys window that opens, click the Add button.

   

12. In the Select Users, Computers, Service Accounts, or Groups window that opens, enter the required user name (i.e. for the non-admin user that you want to allow to start the EkranServer service), or part of the user name, in the Enter the object name to select field.

   

13. Click the Check Names button (and if multiple user names are found, select the required user from the list in the window that opens), and then click the OK button.

   

14. In the Permissions for EkranMasterCertificate private keys window that opens, select the user that you added, and then select the checkbox to allow the Full control permission for them (and the Read permission will also be automatically applied), and then click the OK (or Apply) button to save the changes.

   


If, after following the steps above, the access issues are not resolved for the non-admin user, the Process Monitor (Procmon) application can be used to check for any denied access, by doing the following:

1. Open the Process Monitor application.

2. Open the Process Monitor Filter (e.g. by clicking on the Filter icon on the toolbar in the top left), and then specify the conditions "Process Name is EkranServer.exe", and click the Include > Add > OK buttons.

   

3. Click the Clear button on the toolbar to clear the events.

4. Open the EkranServer service properties, and select Take No Action.

   

5. Restart the EkranServer service.

6. In Process Monitor, exclude all results except those with Access Denied, by right-clicking on a result and selecting Exclude in the context menu.

   

7. Grant the required permissions for each directory / registry key.
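
When the trace is long, the denied accesses can also be summarized outside the Process Monitor window. The following PowerShell is an added example, not part of the original procedure; it assumes the trace was saved from Process Monitor in CSV format with the default columns, and the rows embedded here are constructed sample data.

```powershell
# Added example: list what EkranServer.exe was denied, from a Procmon CSV trace.
# The rows below are constructed sample data in Procmon's default column layout.
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.10","EkranServer.exe","4312","RegOpenKey","HKLM\SOFTWARE\EkranSystem","ACCESS DENIED","Desired Access: All Access"
"10:15:01.12","EkranServer.exe","4312","RegOpenKey","HKLM\SOFTWARE\EkranSystem","ACCESS DENIED","Desired Access: All Access"
"10:15:01.20","EkranServer.exe","4312","CreateFile","C:\Program Files\Ekran System\Ekran System\ServerLogs\sample.log","ACCESS DENIED","Desired Access: Generic Write, Disposition: OpenIf"
"10:15:01.30","EkranServer.exe","4312","RegQueryValue","HKLM\SOFTWARE\EkranSystem\Sample","SUCCESS","Type: REG_SZ"
"10:15:01.40","svchost.exe","900","CreateFile","C:\Windows\Temp\x.tmp","ACCESS DENIED","Desired Access: Generic Read"
'@

function Get-DeniedTarget {
    param(
        [Parameter(Mandatory)] [object[]] $Row,
        [string] $ProcessName = 'EkranServer.exe'
    )
    $Row |
        Where-Object { $_.'Process Name' -eq $ProcessName -and $_.Result -eq 'ACCESS DENIED' } |
        Group-Object -Property Path |
        ForEach-Object {
            # Pull the requested access out of the Detail column, where present.
            $access = $_.Group.Detail | ForEach-Object {
                if ($_ -match 'Desired Access: (.+?)(, Disposition|$)') { $Matches[1] }
            }
            [pscustomobject]@{
                Kind      = if ($_.Name -match '^HK(LM|CU|CR|U)\\') { 'Registry' } else { 'File' }
                Path      = $_.Name
                Denied    = $_.Count
                Operation = ($_.Group.Operation | Sort-Object -Unique) -join ', '
                Requested = ($access | Sort-Object -Unique) -join '; '
            }
        }
}

# One row per denied path; the svchost.exe and SUCCESS rows are filtered out.
Get-DeniedTarget -Row ($sample | ConvertFrom-Csv) | Sort-Object Kind, Path | Format-Table -AutoSize
# For a real trace: Get-DeniedTarget -Row (Import-Csv .\trace.csv)
```

The Requested column shows the access the service actually asked for on each path, which is the information step 7 needs.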

