Can we use credentials of service account without interactive logon rights in Orchestrator for unattended automation?

I have executed a process in unattended mode by providing credentials of normal users in the Orchestrator, but my current situation is that the client would not provide a user account with interactive logon rights for the robot. So I would like to know if we can use credentials of a service account with admin privilege but without interactive login rights for running the process in unattended mode. I believe an interactive session / RDP session is created when an unattended process is executed at scheduled time so can achieve this by providing the credential of a service account without interactive logon rights.

Thanks.

1 Like

Please, please can anyone clarify? I need to inform the team about the feasibility of using a service account without interactive login for an unattended robot.
@ovi, @loginerror, @Pablito

Many Thanks.

Hi @BejoyEdison,
It all depends on the process you’ve made. If you want to have a fully unattended process which doesn’t interrupt any active user session, then the robot which handles this process needs to have its own AD account in the domain, and each computer on which the process will start needs to have RDP configured to allow more than one simultaneous logon.

But as I wrote, it depends. For example, if the process requires logging into a specific system or program using user credentials, then most probably the user who is actually logged in to this program will be signed off from it.

Hi @Pablito, Thank you very much for the response.
What I understand from your answer is that I would definitely need a normal domain account for performing a fully unattended task, as the process gets executed by creating an RDP interactive session.

But just to ensure my question is clear:
I am aware that for running a fully automated process, the robot that needs to handle the process needs to have a separate user account. But I want to know if we can use a ‘service account without interactive logon rights’ for the robot instead of a normal domain account to execute the process in a fully unattended way.
My process needs to run on a particular server fully unattended, so the process requires logging in to the server with the credential we provide while registering the unattended robot in the Orchestrator. Does providing the credentials of a ‘service account without interactive logon rights’ work for this process?

Thanks

This is a very good question.
I think this documentation will tell you more:

But to be 100% sure, let me call @radutzp.

1 Like

This question is more of a Windows security thing than UiPath. The robot will surely need permission to log on through a remote desktop session, and afaik it does take that permission, but ofc if it is local admin, it will also work.

I don’t know exactly how Windows works around user permissions and so on, but I can tell you what UiPath Robots need in terms of users for it to work:

  • There is a Robot Service that runs under the Local System account. This is a Windows Service that communicates with the Orchestrator and creates the Windows sessions whenever an unattended job needs to be started.
  • There is the user set up in Orchestrator for that specific Robot. Whenever you start a job, it has a Robot on which it runs. That means the Robot Service (Local System Account) creates a Windows Session using the credentials set up in Orchestrator and then starts the Windows process that executes the UiPath process.

That’s kind of it.
Bonus: starting with 2019.10 (2019LTS) we introduced the concept of Background Processes. Whenever a Background Process is started on an Unattended Robot, the Robot Service creates a Windows Process as the Robot User in Session 0 in order to execute the UiPath process. So, no other Windows Session is created.

2 Likes
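The Windows user rights behind the session creation described above can be audited from a policy export. This is an added example, not part of the thread and not UiPath code: it parses a constructed `secedit /export /cfg rights.inf /areas USER_RIGHTS` output and reports whether an account can log on locally or through Remote Desktop, with deny rights overriding allow rights. The domain SIDs and both sample accounts are hypothetical.

```python
import configparser

# Constructed sample of what `secedit /export /cfg rights.inf /areas USER_RIGHTS`
# writes (real exports are UTF-16; read them with encoding="utf-16").
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1105
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1105
SeServiceLogonRight = *S-1-5-21-1111-2222-3333-1105
"""

# Hypothetical principals: own SID plus the SIDs of the groups they belong to.
SERVICE_ACCOUNT = {"S-1-5-21-1111-2222-3333-1105", "S-1-5-32-544"}  # local admin
ROBOT_USER = {"S-1-5-21-1111-2222-3333-1106", "S-1-5-32-545", "S-1-5-32-555"}

# Logon type -> (allow right, deny right)
LOGON_TYPES = {
    "local interactive": ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),
    "remote desktop": ("SeRemoteInteractiveLogonRight",
                       "SeDenyRemoteInteractiveLogonRight"),
}

def parse_rights(inf_text):
    """Return {right name: set of SIDs or account names} from a secedit export."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the right names' case as written
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {right: {e.strip().lstrip("*") for e in value.split(",") if e.strip()}
            for right, value in cp.items("Privilege Rights")}

def effective_logon(rights, principal_sids):
    """Deny overrides allow; a right missing from the export is held by nobody."""
    sids = set(principal_sids)
    result = {}
    for label, (allow, deny) in LOGON_TYPES.items():
        allowed = bool(sids & rights.get(allow, set()))
        denied = bool(sids & rights.get(deny, set()))
        result[label] = allowed and not denied
    return result

if __name__ == "__main__":
    rights = parse_rights(SAMPLE_INF)
    for name, sids in (("service account", SERVICE_ACCOUNT), ("robot user", ROBOT_USER)):
        print(name, effective_logon(rights, sids))
```

The SID set for a real account is its own SID plus every group SID, as listed by `whoami /all` run as that account.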

Thank you @Pablito and @radutzp for making it clear.

So the final understanding is that for executing an unattended process, UiPath needs to create an interactive session, either as a console session or as an RDP session. So, as the service account without interactive logon rights could not be used for interactive sessions, it is pretty clear that we cannot use it for unattended process execution. My process needs to interact with a web application interface, so it cannot be made a background process.

My IT team is concerned about the security constraint of providing a user account with interactive logon rights for the robot. Now I will have to confirm to them that I will not be able to run the UiPath bot with that account.

1 Like

I’m trying to trigger a process via the Postman API. UiPath Assistant is installed on a virtual machine. I’m getting this error → Robots without credentials cannot run processes that require an interactive session.

Does anyone have an idea what’s wrong with this?
@radutzp @BejoyEdison @Pablito @bcorrea

I don’t think you got a confirmation on this; I am also facing this problem as interactive login.
MFA is designed in part to prevent an attacker from being able to impersonate a user via code. This poses a challenge for UiPath bots, as they are programs designed to automate a business process and mimic human behavior. How would you distinguish a bot from a malicious user?