Topic:
This article covers how to get SES Services SDConnex and ADSync to run without having to give the SES Service Account (under which they run) elevated rights, avoiding the need to add the account to the Administrator or Local Admin groups on the server.
Problem: SDConnex will not start. The message "Access to the registry key 'Global' is denied" appears.
Consideration: Unless the SES Services (SDConnex and ADSync) are run under an Admin-level account, or the Service Account under which they run is elevated, the above message can appear and SDConnex will not start. The details of this message appear in the SDConnex event log.
Example Error Message:
Service cannot be started. System.UnauthorizedAccessException: Access to the registry key 'Global' is denied.
   at Microsoft.Win32.RegistryKey.Win32Error(Int32 errorCode, String str)
   at Microsoft.Win32.RegistryKey.InternalGetValue(String name, Object defaultValue, Boolean doNotExpand, Boolean checkSecurity)
   at Microsoft.Win32.RegistryKey.GetValue(String name)
   at System.Diagnostics.PerformanceMonitor.GetData(String item)
   at System.Diagnostics.PerformanceCounterLib.GetPerformanceData(String item)
   at System.Diagnostics.PerformanceCounterLib.get_CategoryTable()
   at System.Diagnostics.PerformanceCounterLib.CounterExists(String category, String counter, Boolean& categoryExists)
   at System.Diagnostics.PerformanceCounterLib.CounterExists(String machine, String category, String counter)
   at System.Diagnostics.PerformanceCounter.Initialize()
   at System.Diagnostics.PerformanceCounter..ctor(String categoryName, String counterName, String instanceName, Boolean readOnly)
   at WinMagic.SecureDoc.Base.Alert.Perfo...
Concern: Adding the user account(s) that run the SDConnex and ADSync services to the Local Administrators group does allow the services to start, but many customers are not comfortable with having the services run with such elevated rights.
Product version affected:
All SES versions
Environment (OS/hardware/software):
Please refer to the WinMagic website for the system requirements of the SecureDoc Enterprise Server: http://www.winmagic.com/support/technical-specifications
Steps to follow:
Add Full Control rights for the Service Account under which these services run on the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\SDConnex Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinMagic.SecureDoc.SDConnex
To do this:
1 - Open the registry editor on the SES Server, using the regedit command
2 - Find each of the registry nodes above within the registry, and then perform the following steps 3-6 on each
3 - Right-click on the node and select the "Permissions" option from the context menu
4 - Find and then add the Service Account user
5 - Define that this user should have Full Control rights by checking the appropriate checkbox
6 - Save your changes.
Once complete, try restarting each of these services.
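A scripted equivalent of steps 1-6, useful when the change has to be repeatable and verifiable. This is an added example, not WinMagic's own tooling; it assumes an elevated PowerShell session on the SES Server, and the account name CONTOSO\svc-ses is a placeholder for the real Service Account.

```powershell
# Added example: grants the Service Account Full Control on the two keys
# named in this article, then reads each ACL back to confirm the grant.
# ASSUMPTION: 'CONTOSO\svc-ses' is a placeholder account name.
$ServiceAccount = 'CONTOSO\svc-ses'

$Keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\SDConnex Service',
    'HKLM:\SYSTEM\CurrentControlSet\Services\WinMagic.SecureDoc.SDConnex'
)

# Resolve the account to a SID first, so a mistyped name fails here
# instead of after the first key has already been modified.
$Account = New-Object System.Security.Principal.NTAccount($ServiceAccount)
$Sid = $Account.Translate([System.Security.Principal.SecurityIdentifier])
$Full = [System.Security.AccessControl.RegistryRights]::FullControl

foreach ($Key in $Keys) {
    if (-not (Test-Path -LiteralPath $Key)) {
        Write-Warning "Key not found, skipped: $Key"
        continue
    }

    # ContainerInherit matches the regedit default ("This key and subkeys").
    $Rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Sid,
        $Full,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $Acl = Get-Acl -LiteralPath $Key
    $Acl.AddAccessRule($Rule)          # adds to the existing ACL, removes nothing
    Set-Acl -LiteralPath $Key -AclObject $Acl

    # Verify: look for an explicit Allow entry for this SID carrying Full Control.
    $Granted = (Get-Acl -LiteralPath $Key).GetAccessRules(
            $true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq $Sid.Value -and
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.RegistryRights -band [int]$Full) -eq [int]$Full
        }
    if ($Granted) { Write-Output "OK: $ServiceAccount has Full Control on $Key" }
    else          { Write-Warning "Grant NOT confirmed on $Key" }
}
```

The grant is scoped to these two keys only, so the account stays out of the Local Administrators group.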