Insufficient privileges while logged in on domain on local admin account?
Posted by Party-Praline-4547@reddit | sysadmin | 14 comments
I’m installing the PillCam Genius Sync Agent on a Windows machine and running into a permissions issue during install.
Environment / details:
Logged in locally using a LAPS local administrator password
Installer runs fine until it tries to create the Windows service
The installer prompts for a service account, which I entered as DOMAIN\svc_pillcam
At that point, the install fails with this error:
Service ‘PatchAgentService’ (PillCamSyncAgent.WinService.exe) could not be installed. Verify that you have sufficient privileges to install system services.
What’s confusing me:
I am logged in as local admin (via LAPS), so the installer launches fine
The failure seems to happen specifically when Windows tries to install the service
I’m not sure if the service account (svc_pillcam) needs additional privileges beyond just being provided during install
Questions:
Is this error typically caused by the service account lacking permissions rather than the logged-in admin?
Does the service account need:
Local Administrator?
“Log on as a service”?
Should the service account be entered explicitly as DOMAIN\svc_pillcam vs just the username?
I don’t want to click Ignore and end up with a broken service.
Any guidance would be appreciated.
Party-Praline-4547@reddit (OP)
Even if I click Ignore it refuses to proceed. Now I am thinking maybe switch from domain to local temporarily and try to install it that way, but I am worried I will lock out the whole computer when I unjoin from the domain. The LAPS .\uwswer password is only temporary and expires in 5 days.
Party-Praline-4547@reddit (OP)
So frustrating
FarmboyJustice@reddit
LAPS gives you a local machine account; it's not going to have the required permissions to talk to the domain.
If you're trying to use a domain service account that's going to cause this. If you want to run the service as a service without domain permissions you'd need to use a local machine service account.
Party-Praline-4547@reddit (OP)
Our LAPS-provided account is a local admin account, I mean we have to request it and it has an expiration. Normally with this password and login we can install 99.9% of required applications or programs without any issues. This is the first time I am even encountering such issues, with no real answer to this. I even got the enterprise team involved and they are confused as hell too.
sryan2k1@reddit
While all of that is true, that's not why they're getting that error. The installer is likely trying to switch into the context of the user they provided, and since the domain account isn't a local admin it fails.
FarmboyJustice@reddit
That's pretty much what I said, I just didn't try to be specific about exactly what the unknown installer might be doing.
sryan2k1@reddit
It has nothing to do with LAPS or that account "talking to the domain".
sryan2k1@reddit
It's likely trying to install the service as the account you are giving it. You'll likely need to add that account to the local admin at least for it to install.
Party-Praline-4547@reddit (OP)
I did add it under groups, administrator and regedit login as a service and it still refuses to proceed.
HerfDog58@reddit
Is the installer prompting for a SERVICE account, or a Local administrator account for authentication? Guessing it's the latter, and the Service account you're using isn't set as a local admin on the workstation.
Party-Praline-4547@reddit (OP)
It's prompting for a service account that has read and write permissions to a shared folder, which it does have. I am not understanding why this stupid installer doesn't work. Even when I put the service account as group admin and in regedit as login as a service it still throws that error. I even logged into Windows with this service account and ran the installer as an admin and it still gives that error. I am not understanding why that syncagent.winservice.exe doesn't push through and keeps saying this permissions nonsense.
Mehere_64@reddit
Service account doesn't need to be a local admin, to my knowledge. It needs to be added to "Log on as a service" in Local Security Policy. But I want to say a lot of times there is a prompt for that to come up asking if one wants to do just that.
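Added example, not part of the thread or any poster's comment: a PowerShell check of the two settings debated above for the account named in the post, namely whether it is a direct member of the local Administrators group and whether it is directly granted "Log on as a service" (SeServiceLogonRight). The temp file name is an assumption, and membership or rights inherited through a group are not resolved.

```powershell
# Added diagnostic, not from the thread. Run from an elevated PowerShell prompt.
# DOMAIN\svc_pillcam is the account named in the post; pass another with -Account.
param([string]$Account = 'DOMAIN\svc_pillcam')

# Resolve the name to a SID. A failure here means this machine cannot look the account up.
try {
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
} catch {
    Write-Error "Cannot resolve $Account to a SID: $($_.Exception.Message)"
    return
}

# Export local user-rights assignments (temp file name is an assumption of this example).
$cfg = Join-Path $env:TEMP 'svc-rights-check.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

# secedit writes entries as *SID, or as a plain name for some accounts; accept both.
$entries = @()
if ($line) {
    $entries = @(($line.Line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() })
}
$hasRight = ($entries -contains "*$sid") -or ($entries -contains $Account)

# Direct members of BUILTIN\Administrators (well-known SID S-1-5-32-544).
$admins  = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue)
$isAdmin = @($admins | Where-Object { $_.SID.Value -eq $sid }).Count -gt 0

[pscustomobject]@{
    Account               = $Account
    Sid                   = $sid
    DirectLocalAdmin      = $isAdmin
    DirectLogOnAsAService = $hasRight
}
```

If the account is added to local Administrators only to get the installer through, the same check after installation confirms whether that membership has been removed again.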
sryan2k1@reddit
My guess is that the installer is trying to switch / run as the account that it's being given to install the service, and since that service isn't a local admin it's failing.
OmagaIII@reddit
https://www.medtronic.com/content/dam/medtronic-wide/public/united-states/products/digestive-gastrointestinal/capsule-endoscopy/pillcam-genius-sb-software-requirements-info-sheet.pdf