Meera

Reputation: 318

Does Jenkins Windows service need admin rights?

For security reasons we thought it would be better if the Jenkins Windows service ran as a user without admin rights. However, this leads to an error on Jenkins server startup:

    java.io.IOException: Access is denied
        at java.io.WinNTFileSystem.createFileExclusively(Native Method)
        at java.io.File.createTempFile(Unknown Source)
        at hudson.util.AtomicFileWriter.<init>(AtomicFileWriter.java:142)
    Caused: java.io.IOException: Failed to create a temporary file in C:\Program Files (x86)\Jenkins

The user (Windows 7, Active Directory user) has all rights on the Jenkins folder (excluding 'Special rights', which cannot be chosen).

Is it possible/reasonable to run the Jenkins Windows service (server as well as slaves on other computers) as a non-admin user?

Upvotes: 6

Views: 8915

Answers (2)

Andrew J. Brehm

Reputation: 4758

It appears that allowing the Jenkins service account access to "C:\Program Files\Jenkins" and SeServiceLogonRight are sufficient.

Upvotes: 0
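
A read-only check of the two prerequisites this answer names, as an added example (not part of the answer and not Jenkins' own tooling). The account name `CONTOSO\svc-jenkins` is a placeholder, and the script assumes an elevated PowerShell 3.0+ session, because `secedit /export` requires administrator rights.

```powershell
# Added example: audit the folder ACL and the SeServiceLogonRight assignment
# for the account the Jenkins service is meant to run as. Nothing is changed.
param(
    [string]$Account    = 'CONTOSO\svc-jenkins',      # placeholder, not from the page
    [string]$JenkinsDir = 'C:\Program Files\Jenkins'  # path quoted in the answer
)

# Resolve the account to a SID so it can be matched against ACEs and secedit output.
$sidType = [System.Security.Principal.SecurityIdentifier]
$sid = ([System.Security.Principal.NTAccount]$Account).Translate($sidType).Value

# 1. Folder ACL: look for an Allow ACE naming the account with at least Modify.
#    Only ACEs naming the account itself are matched; rights obtained through
#    group membership are not evaluated here.
$modify = [System.Security.AccessControl.FileSystemRights]::Modify
$acl    = Get-Acl -LiteralPath $JenkinsDir
$hasModify = [bool]($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $sid -and
    ($_.FileSystemRights -band $modify) -eq $modify
})

# 2. User right: export the local security policy and read the SeServiceLogonRight line.
#    Entries are comma separated; SIDs carry a leading '*'.
$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$hit = Select-String -LiteralPath $cfg -Pattern '^SeServiceLogonRight\s*=' |
       Select-Object -First 1
Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue

$holders = @()
if ($hit) {
    $holders = ($hit.Line -split '=', 2)[1] -split ',' |
               ForEach-Object { $_.Trim().TrimStart('*') }
}
$hasLogonRight = ($holders -contains $sid) -or ($holders -contains $Account)

[pscustomobject]@{
    Account             = $Account
    Sid                 = $sid
    ModifyOnJenkinsDir  = $hasModify
    SeServiceLogonRight = $hasLogonRight
}

# If ModifyOnJenkinsDir is False, a grant limited to this one folder would be:
#   icacls "C:\Program Files\Jenkins" /grant "CONTOSO\svc-jenkins:(OI)(CI)M"
```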

Andrew Gray

Reputation: 3651

I would suggest installing Jenkins in a secondary partition, like G:\Jenkins.

Even if you don't have a secondary partition, C:\Jenkins is better than C:\Program Files\Jenkins or C:\Program Files (x86)\Jenkins to avoid the operating system unnecessarily getting in the way.

With that in place, I always set the Jenkins service to run as a user (preferably a service account with a non-expiring password) that is a member of the Administrators group on the box.

Doing this usually avoids many of the unnecessary annoying permissions issues that only get in the way and slow your progress.

It should be noted that when it comes to Windows Batch Steps, Jenkins will not Run As Administrator (at least it hasn't in the years since 2007 that I have been using Jenkins).

Upvotes: 3
