TFS Integration Build Powershell With Elevated Privileges

Question

I am setting up an integration tests build where I am just trying to start up a windows service.

I have used the InvokeProcess command to run the powershell scripts which just does the following

Start-Service ServiceName

The script fails when I run the build process but when I executed the same script outside TFS it works. I get the following error in TFS logs

Start-Service : Service 'ServiceName (ServiceName)' cannot be started due to the following error: Cannot open ServiceName service on computer '.'.

Then I tried changing the way I am starting the service and used SC.exe with parameters "Start ServiceName" in the InvokeProcess and I get Access Denied error in TFS as follows:-

SC start ServiceName. [SC] StartService: OpenService FAILED 5: Access is denied.

I am using Network Service account to run the build.

After searching a while, I have come to the conclusion that I have to run the InvokeProcess with elevated privileges but I don't know how would I do that with in TFS.

Any help is much appreciated.

Answer 1

I have resolved the issue by adding Network Service account to the administrator group. I might not go with this solution as it seems wrong to assign administrative rights to Network Service account but I don't know how to assign Service Start/Stop permissions to Network Service without adding this account to Administrator group.

In short, I agree with the answer that a custom service account must be used to run the build with appropriate privileges.

Answer 2

We run our build agent as a custom service account and give that domain account admin access on the servers we deploy to.