-
Improvement
-
Resolution: Unresolved
-
Minor
-
None
-
Jenkins 2.60.3 on Windows Server 2012R2, Java jdk/jre 1.8.0_111
Hi,
We're running Jenkins as a Windows service and we're trying to restrict the privileges of the technical account that runs this service but I can't seem to find a complete documentation related to doing this. So far this is what we know the account needs:
- Member of the Users group in the server
- Full control permissions on the jenkins config files
- Full control permissions on the jenkins workspace folders
- Right to "Log on as a service" in the Local Security Policy
With this configuration we're running into an issue when trying to restart Jenkins using the web interface (either through http(s)://theserver/restart or http(s)://theserver/saferestart) because Jenkins gets stuck on the screen "Please wait while Jenkins is restarting Your browser will reload automatically when Jenkins is ready." and the service never shows as stopped so we have to manually go to the server's Services and stop/start or restart the Jenkins Windows service in order to get Jenkins ready again.
When I change back the account to be an admin, Jenkins restarts normally after a minute of the "please wait" messages. Testing has shown us Jenkins has no problems in starting with the restricted privileges it has been given, but it runs into trouble just trying to stop itself successfully during the web restart, also there aren't any error messages in the application logs or Jenkins error logs that could signal any issue.
I've been searching online for a similar issue but most of what I've found are issues related to not being able to start Jenkins at all because of configuration issues/bugs, or suggestions to assign the privileges I've already assigned to that account. I also created some forum posts about this issue but haven't gotten any other advices yet.
Is there any other user right we might be missing in the "local security policy" for the account that runs Jenkins as a service to be able to restart Jenkins from the web interface successfully and/or a more comprehensive guide on the specific privileges needed?
Thanks in advance