Geek Answers Handbook

Sharepoint: running stsadm from a timer job + SHAREPOINT \ System rights

I have an unusual situation when I need a SharePoint timer job to have access rights to local administrators and have SHAREPOINT\System SharePoint privileges.

I can obtain Windows privileges by simply setting up the timer service to use an account that is a member of local administrators. I understand that this is not a very good solution, as it gives the SharePoint timer more rights than anticipated. But this, at least, allows my SharePoint timer job to run stsadm .

Another problem with starting the timer service under the local administrator is that this user does not necessarily have the SHAREPOINT\System SharePoint privileges, which I also need for this SharePoint job. It turns out that SPSecurity.RunWithElevatedPrivileges will not work in this case. The reflector shows that RunWithElevatedPrivileges checks if the current process is owstimer (a service process that runs SharePoint jobs) and does not perform elevations in this case (the rational here, I think, is that the timer service should start under NT AUTHORITY\NetworkService Windows account that has SHAREPOINT\System SharePoint privileges, and therefore there is no need to SHAREPOINT\System privileges to set a timer).

The only possible solution seems to be to start the timer service under your regular Windows NetworkService account and run stsadm as a local administrator, store the administrator credentials somewhere and pass them to System.Diagnostics.Process.Run () crough StarInfo name, domain and password.

Everything seems to work now, but here's another problem I'm stuck with right now. Stsamd does not work with the following error popup (!) (Winternals filemon shows that stsadm is running as an administrator in this case):

The application failed to initialize properly (0x0c0000142).
Click OK to terminate the application.

Event Viewer does not register anything but a popup.

The local administrator is my account, and when I just run stsadm interactively under this account, everything is fine. It also works great when I configure the timer service to run in this account.

Any suggestions are welcome :)

+6
timer sharepoint privileges event-viewer
source share
3 answers

I do not work, so it’s not in my head, but: If you get a link to the site, can you try to create a new SPSite using SYSTEM-UserToken?

 SPUserToken sut = thisSite.RootWeb.AllUsers["SHAREPOINT\SYSTEM"].UserToken; using (SPSite syssite = new SPSite(thisSite.Url,sut) { // Do what you have to do }
+1
source share

Other applications, if they are executed in this way (that is, from a timer job with explicit credentials), fail in the same way as "The application failed to initialize the application." I just worte a simple application that takes the path to another executable file and its arguments as parameters, and the same thing happens when starting from this timer job.

 internal class ExternalProcess { public static void run(String executablePath, String workingDirectory, String programArguments, String domain, String userName, String password, out Int32 exitCode, out String output) { Process process = new Process(); process.StartInfo.UseShellExecute = false; process.StartInfo.RedirectStandardError = true; process.StartInfo.RedirectStandardOutput = true; StringBuilder outputString = new StringBuilder(); Object synchObj = new object(); DataReceivedEventHandler outputAppender = delegate(Object sender, DataReceivedEventArgs args) { lock (synchObj) { outputString.AppendLine(args.Data); } }; process.OutputDataReceived += outputAppender; process.ErrorDataReceived += outputAppender; process.StartInfo.FileName = @"C:\AppRunner.exe"; process.StartInfo.WorkingDirectory = workingDirectory; process.StartInfo.Arguments = @"""" + executablePath + @""" " + programArguments; process.StartInfo.UserName = userName; process.StartInfo.Domain = domain; SecureString passwordString = new SecureString(); foreach (Char c in password) { passwordString.AppendChar(c); } process.StartInfo.Password = passwordString; process.Start(); process.BeginOutputReadLine(); process.BeginErrorReadLine(); process.WaitForExit(); exitCode = process.ExitCode; output = outputString.ToString(); } }

AppRunner basically does the same thing as the above snippet, but without username and password

0
source share

SharePoint Timer tasks run with the SharePoint administrator credentials as the information goes to the SharePoint Config database. Thus, the application pool will not have access.

To test the timer job in the dev environment, we can temporarily change the application pool account to the application pool account used for Central Administration.

0
source share

More articles:


All Articles