How to run attended HD robot(s) service as a domain user instead of Local System?
DISCLAIMER: This will only work for attended robots. Trying to run an unattended robot in this configuration will make the robot unable to create or attach on any user session.
Right now, the robot is running under the Local System account. If the user wants to have the packages/dependencies download location on a share location, running the job will no longer be possible because the XAML and the nupkg files will be secured for local system account (the one from the share) and for domain administrators.
The solution is to run the robot service as a domain user that has granted 2 additional rights in the Local Security Policy:
Adjust memory quotas for a process and Replace a process level token
These two will grant the robot service that is running under a user permission to start the robot executor that will be running under another user.
Steps to set-up the environment:
- First, we need to create a domain user that we will use to run the process.
- On the (HD) machine where the robot is installed, open services.msc and go to UiPath Robot entry:
3. Right click – Properties and then the Log On Tab:
4. Select “This account” radio button and then add the domain user that we created at step 1:
5. Press Apply and press Yes on the dialog that informs that the log-on rights were given to the user.
6. Open Local Security Policies and go to Local Policies > User Right Assignments and add the domain user in the following security settings:
Adjust memory quotas for a process
Replace a process level token
7. Go to the share folder and give FULL permission to the robot user. Give Change and Read permissions to the other “regular” users that will represent the attended robots:
Also, in the Security tab, give the following permission to the robot user and to the other attended robot users:
-Read & execute
-List folder contents
8. Go to the Robot installation folder and open uipath.config. Add the shared folder location in the tab like so:
9. Restart the Robot service and try to run a job.
WARNING: Add a folder structure that will differentiate users between themselves. We recommend to use the following folder structure for each user: “%userdomain%.%username%”. In this way, any synchronization issues is mitigate between HD users that might occur until a version that support this type of behavior is released. Alternatively, add this at MSI installation time via command line.
If everything is ok, the robot should be able to download and run a process to a network shared drive.
In 19.4.4 version:
It’s now possible to disable security for
XAML files when install or update the Robot using the
UiPathStudio.msi installer. With security disabled, users are able to read and modify process files and logic. This is useful for executing processes in virtualized environments, such as Citrix Apps and Desktops or over RDP connections.
Also, check the next page where details about the following parameter can be found:
DISABLE_SECURE_XAML - Allow to disable security of XAML files for Robots installed as a Windows service. Unsecured XAML files allow users to read and modify the process files and logic.
It supports the following options:
0 - The default option. When used, it enables security for XAML files for Windows service Robots.
1 - Disables security for XAML files for Windows service Robots.
Note: This parameter can only be used during a clean install or upgrade.