Repercussions of installing a printer as SYSTEM

printer, windows-server-2008-r2

sigh

We have an app that runs as a service as SYSTEM on a 2K8R2 server, but the account used to run it needs to have a printer installed in its profile for certain functionality to work, according to the vendor.

The vendor says that if it's not running as SYSTEM, then the account running the service needs to be a local admin to the machine. This seems kind of shitty to me to put it bluntly. I'd imagine that it's easy enough to install a printer as system by getting an interactive command prompt using the old at trick, but are there any other implications that anyone knows about if I were to install a printer as the SYSTEM account on 2008R2?

Best Answer

Note: After writing this answer, I realized I haven't exactly answered your original question. But assuming you take my advice, you won't need that answer.

Most software vendors who claim that their software needs to run as local admin (service or not) are basically telling you that their developers are too lazy or incompetent to document exactly what permissions their app needs in order to run with least privilege. If you have the time and patience, you can take the hard line with them and refuse to use their product until they fix it and provide proper least privilege documentation. If the app is more important to your business than your business is to the vendor, you're probably stuck complying with whatever ridiculous requirements they have.

As for running as SYSTEM instead of a local admin: running as SYSTEM is actually less secure than a local admin account in my opinion. It has basic read access to your domain and whatever other permissions the computer account has been granted. It's harder to audit. It can do just as much damage to the local system as a local admin.

I would definitely use a purposefully defined service account for this app. Whether you use a local account or a domain account is up to you. Both get you better auditing. The local account won't have read access to the domain. The domain account is easier to manage centrally. Both can be added and removed from the local admins group with group policy. And obviously, adding a printer to a real account is easier than the SYSTEM account.
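The procedure the answer recommends (a dedicated service account instead of SYSTEM, the service re-pointed at it, the printer installed into that account's profile, and the auditing benefit checked in the Security log), as an added PowerShell example that is not part of the original question or answer. It assumes PowerShell 2.0 on Windows Server 2008 R2 run from an elevated prompt, a hypothetical service named `VendorApp`, a hypothetical local account `svc_vendorapp`, a placeholder printer share `\\PRINTSRV\VendorPrinter`, and that the "Log on as a service" right has been granted to the account through Local Security Policy or GPO (WMI does not grant it for you).

```powershell
# Added example; names below are assumptions, not from the original post.
param(
    [string]$ServiceName  = 'VendorApp',                   # hypothetical service name
    [string]$AccountName  = 'svc_vendorapp',               # hypothetical local service account
    [string]$PrinterShare = '\\PRINTSRV\VendorPrinter'     # placeholder printer share
)

# 1. Create a purpose-built local account. net.exe needs the password in clear text,
#    so it is converted once here and discarded at the end of the script.
$securePassword = Read-Host -AsSecureString "Password for $AccountName"
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePassword)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

net user $AccountName $plain /add /passwordchg:no /expires:never | Out-Null
# Vendor requirement only; remove this line once they document least privilege.
net localgroup Administrators $AccountName /add | Out-Null

# 2. Re-point the service from LocalSystem to the new account.
#    Win32_Service.Change() takes 11 positional arguments; $null leaves a value unchanged.
#    Argument 7 is StartName, argument 8 is StartPassword.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
$result = $svc.Change($null, $null, $null, $null, $null, $null,
                      ".\$AccountName", $plain, $null, $null, $null)
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change() failed with return code $($result.ReturnValue)"
}
$plain = $null   # drop the clear-text copy as soon as it is no longer needed

# 3. Install the printer into the service account's own profile (a per-user
#    network printer connection), not into SYSTEM's. printui.dll ships with 2008 R2;
#    -LoadUserProfile makes the connection land in that account's profile.
$cred = New-Object System.Management.Automation.PSCredential(".\$AccountName", $securePassword)
Start-Process -FilePath 'rundll32.exe' `
    -ArgumentList "printui.dll,PrintUIEntry /in /n `"$PrinterShare`"" `
    -Credential $cred -LoadUserProfile -Wait

Restart-Service -Name $ServiceName

# 4. The auditing payoff: the service's logons now show up as their own 4624 events
#    for $AccountName with logon type 5 (service), instead of blending into SYSTEM.
Get-EventLog -LogName Security -InstanceId 4624 -Newest 500 |
    Where-Object {
        $_.Message -match "Account Name:\s+$([regex]::Escape($AccountName))" -and
        $_.Message -match 'Logon Type:\s+5'
    } |
    Select-Object TimeGenerated, @{ Name = 'Account'; Expression = { $AccountName } } |
    Format-Table -AutoSize
```

Step 4 only returns rows if "Audit logon events" is enabled for success on the machine; with a domain account the same filter works against the domain controllers' Security logs, which is the central-management benefit the answer mentions.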