1
votes

I am setting up an integration tests build where I am just trying to start up a Windows service.

I have used the InvokeProcess command to run the PowerShell script, which just does the following:

Start-Service ServiceName

The script fails when I run the build process, but when I execute the same script outside TFS it works. I get the following error in the TFS logs:

Start-Service : Service 'ServiceName (ServiceName)' cannot be started due to the following error: Cannot open ServiceName service on computer '.'.

Then I tried changing the way I am starting the service and used SC.exe with the parameters "Start ServiceName" in the InvokeProcess, and I get an Access Denied error in TFS as follows:

SC start ServiceName. [SC] StartService: OpenService FAILED 5: Access is denied.

I am using the Network Service account to run the build.

After searching a while, I have come to the conclusion that I have to run the InvokeProcess with elevated privileges, but I don't know how I would do that within TFS.

Any help is much appreciated.

2
What version of TFS? Where did you add the InvokeProcess command? - chief7
TFS 2013. I am adding the InvokeProcess command after the compilation and unit test run. The files have been deployed to the server, after which I try to run the Windows service. Note that I am not creating the Windows service; it is always there. - tangokhi
I also tried to log the user executing the PowerShell script using the following: Write-Output "UserName " ([Environment]::UserName); Write-Output "User Domain Name " ([Environment]::UserDomainName). It prints the user name as MACHINENAME$ and the user domain name as the AD domain rather than local or '.'. I have given access to the LocalMachine/Network Service account on the folder where the service.exe is present. I don't know whether DomainName/MachineName$ and ./Network Service are the same account or different. - tangokhi
So you are editing the build template? - chief7
Yes I have customized the default build template - tangokhi

2 Answers

2
votes

We run our build agent as a custom service account and give that domain account admin access on the servers we deploy to.

0
votes

I have resolved the issue by adding the Network Service account to the administrator group. I might not go with this solution, as it seems wrong to assign administrative rights to the Network Service account, but I don't know how to assign Service Start/Stop permissions to Network Service without adding this account to the Administrator group.

In short, I agree with the answer that a custom service account must be used to run the build with appropriate privileges.
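
Added example, not part of either answer above: one way to give the build account start/stop rights on a single service without administrator membership is to append an allow ACE to that service's security descriptor with sc.exe sdshow / sdset. The parameter defaults, the backup path and the helper name Add-DaclAce are assumptions made for this illustration; 'ServiceName' is the placeholder from the question.

```powershell
# Added example (not from the thread). Run once, elevated, on the server hosting the service.
param(
    [string]$ServiceName = 'ServiceName',      # placeholder name used in the question
    [string]$Trustee     = 'NS',               # SDDL alias for NT AUTHORITY\NETWORK SERVICE
    [string]$Rights      = 'CCLCSWRPWPLORC',   # query rights + RP (start) + WP (stop); no DC/WD/WO
    [string]$BackupPath  = (Join-Path $env:TEMP "$ServiceName.sddl.bak")  # assumed backup location
)

# Hypothetical helper: append one ACE to the DACL part of a service SDDL string.
function Add-DaclAce {
    param([string]$Sddl, [string]$Ace)
    # Expect "D:<flags>(ace)(ace)..." optionally followed by "S:..." (the SACL).
    if (-not ($Sddl -cmatch '^(?<dacl>D:[A-Z]*(\([^)]*\))+)(?<sacl>S:.*)?$')) {
        throw "Unrecognised service SDDL: $Sddl"   # fail closed rather than write a guess
    }
    $dacl = $Matches['dacl']
    $sacl = $Matches['sacl']
    if ($dacl.Contains($Ace)) { return $Sddl }     # already granted: leave untouched
    return $dacl + $Ace + $sacl                    # allow ACE goes after the existing ACEs
}

# Read the current descriptor (sc.exe prints blank lines around it).
$current = ((& sc.exe sdshow $ServiceName | Where-Object { $_.Trim() }) -join '').Trim()
if ($LASTEXITCODE -ne 0) { throw "sc.exe sdshow failed: $current" }

# Keep the original so the change can be rolled back with: sc.exe sdset <name> <saved string>
Set-Content -Path $BackupPath -Value $current

$updated = Add-DaclAce -Sddl $current -Ace "(A;;$Rights;;;$Trustee)"
if ($updated -cne $current) {
    & sc.exe sdset $ServiceName $updated | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed with exit code $LASTEXITCODE" }
}

# Print the resulting descriptor for review.
& sc.exe sdshow $ServiceName
```

The ACE applies to every process running as Network Service on that server, so substituting the SID of a dedicated build account for NS narrows the grant further, in line with the custom service account both answers recommend.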