SharePoint: stsadm is executed from timer job + SharePoint / system permissions
I have an unusual situation in which I need a SharePoint timer job to both have local administrator windows privileges and to have
SHAREPOINT\System SharePoint privileges.
I can get the windows privileges by simply configuring the timer service to use an account which is a member of local administrators. I understand that this is not a good solution since it gives SharePoint timer service more rights then it is supposed to have. But it at least allows my SharePoint timer job to run
Another problem with running the timer service under local administrator is that this user won't necessarily have
SHAREPOINT\System SharePoint privileges which I also need for this SharePoint job. It turns out that
SPSecurity.RunWithElevatedPrivileges won't work in this case. Reflector shows that
RunWithElevatedPrivileges checks if the current process is
owstimer (the service process which runs SharePoint jobs) and performs no elevation this is the case (the rational here, I guess, is that the timer service is supposed to run under
NT AUTHORITY\NetworkService windows account which which has
SHAREPOINT\System SharePoint privileges, and thus there's no need to elevate privileges for a timer job).
The only possible solution here seems to be to run the timer service under its usual NetworkService windows account and to run stsadm as a local administrator by storing the administrator credentials somewhere and passing them to System.Diagnostics.Process.Run() trough the StarInfo's Username, domain and password.
It seems everything should work now, but here is another problem I'm stuck with at the moment. Stsamd is failing with the following error popup (!) (Winternals filemon shows that stsadm is running under the administrator in this case):
The application failed to initialize properly (0x0c0000142).
Click OK to terminate the application.
Event Viewer registers nothing except the popup.
The local administrator user is my account and when I just run
stsadm interactively under this account everything is ok. It also works fine when I configure the timer service to run under this account.
Any suggestions are appreciated :)