OneDrive hates admin rights
A customer looking to run OneDrive as a Windows Service with AlwaysUp recently contacted our support team for help. Even though he had diligently followed our step-by-step tutorial, his files were not being synchronized as intended. OneDrive refused to work as a service!
After confirming that his files were not being copied, our support team launched OneDrive “in this session” — to see the normal tray icon and check if an error was being reported. We were greeted by this puzzling error message:
So it seems that OneDrive doesn’t like to be run with admin rights. And the customer’s account was a member of the Administrators group — which is recommended for smooth operation as a Windows Service with AlwaysUp.
UAC enables an administrator to run OneDrive normally
But why does OneDrive work at all in the customer’s admin account? Why doesn’t the software complain when he starts OneDrive normally on his desktop?
The answer lies with Microsoft’s User Account Control (UAC) security feature. By default, applications started interactively are run with lower, non-admin privileges. This happens for all accounts — even for administrators. OneDrive seems to require that lower privilege context to do its work. Indeed, in this OneDrive desktop FAQ, Microsoft confirms that UAC is what enables OneDrive to be started by an administrator. If we removed UAC from the equation (by right-clicking on OneDrive.exe and selecting “Run as administrator”) we were able to reproduce the error straightaway.
But while UAC restricts rights for the desktop user, UAC is not in play when running in the context of a Windows Service. Services are always run with the highest privileges. We must find a way for our customer to start OneDrive with reduced rights to avoid the error.
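To see the UAC behavior described above on your own machine, the following PowerShell script (an added example, not part of the original post or of AlwaysUp) reports the elevation type of each running OneDrive.exe process. For an administrator account with UAC enabled, a normal interactive start reports Limited and a "Run as administrator" start reports Full. The TokenInfo class name is an assumption made for this example; the Windows API functions and constants are the documented ones.

```powershell
# Added example: report the UAC elevation type of each running OneDrive.exe.
# The TokenInfo class name is an assumption made for this example.
Add-Type -TypeDefinition @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public static class TokenInfo {
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
                                           out int info, int length, out int returned);

    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);

    const uint TOKEN_QUERY = 0x0008;
    const int TokenElevationType = 18;  // TOKEN_INFORMATION_CLASS member

    // Returns a TOKEN_ELEVATION_TYPE value: 1 = Default, 2 = Full, 3 = Limited.
    public static int GetElevationType(IntPtr processHandle) {
        IntPtr token;
        if (!OpenProcessToken(processHandle, TOKEN_QUERY, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try {
            int type, returned;
            if (!GetTokenInformation(token, TokenElevationType, out type,
                                     sizeof(int), out returned))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            return type;
        } finally {
            CloseHandle(token);
        }
    }
}
'@

$names = @{ 1 = 'Default (no split token)'; 2 = 'Full (elevated)'; 3 = 'Limited (UAC-filtered)' }

Get-Process -Name OneDrive -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_   # keep the process; $_ becomes the error record inside catch
    try {
        $type = [TokenInfo]::GetElevationType($proc.Handle)
        $elevation = $names[$type]
    } catch {
        # Typically access denied when the process belongs to another user or session
        $elevation = "unreadable: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Id = $proc.Id; SessionId = $proc.SessionId; Elevation = $elevation }
}
```

Run it from an elevated PowerShell prompt so that processes started in other sessions can be opened.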
How to launch OneDrive with reduced rights from AlwaysUp
Our new Run with Restricted Rights command-line utility comes to the rescue. Here are the steps we performed to get the customer up and running:
Download RunWithRestrictedRights.exe (it’s free).
Save it to a new folder on your hard drive. We suggest C:\Tools.
Double-click your OneDrive service to edit it.
In the Application field, enter the full path to RunWithRestrictedRights.exe.
In the Arguments field, enter the full path to your OneDrive executable, enclosed in quotes. It should look something like this:
where [USER-NAME] is the name of your Windows account.
Save your settings.
With this new setup, AlwaysUp will start RunWithRestrictedRights.exe, which will launch OneDrive with diminished permissions. You should not see the “full administrator rights” error anymore.
Note that we plan to add the capability to run an application with diminished rights directly from AlwaysUp. That feature will probably be included in AlwaysUp version 10.3, which should be released to all customers in September/October.
With AlwaysUp version 10.5, you can now run OneDrive without admin rights directly — without having to use RunWithRestrictedRights.exe “in the middle”.
Simply check the option on the Logon tab in AlwaysUp: