WinAutomation Deployment

Both the WinAutomation Server and MachineAgent services are set by default to run under the LocalSystem account. This special account has full access to the local computer. As stated in this Microsoft article:

"One advantage of running under the LocalSystem account is that the service has complete unrestricted access to local resources. This is also the disadvantage of LocalSystem because a LocalSystem service can do things that would bring down the entire system. In particular, a service running as LocalSystem on a domain controller (DC) has unrestricted access to Active Directory Domain Services. This means that bugs in the service, or security attacks on the service, can damage the system or, if the service is on a DC, damage the entire enterprise network."

Considering the possible security risks, we strongly recommend that all users adopt best practices for assigning the most secure logon account to the WinAutomation services, as described in this Microsoft article.

The WinAutomation MachineAgent needs to run under the LocalSystem account to support unattended automation: schedules and triggers that can fire even when the user is logged off (in which case WinAutomation needs to perform an automatic login). The WinAutomation Server, however, does not need to run under LocalSystem. To apply the appropriate logon account, the administrator of the system must have some insight into how the WinAutomation Server works.

The WinAutomation Server is responsible for managing all data in the system, both server-related and user-related. This data is stored in the following locations:

<C>:\ProgramData\Softomotive\WinAutomation

<C>:\Users\<Username>\AppData\Local\Softomotive\WinAutomation

<C>:\Users\<Username>\Documents\WinAutomation

where <C> is the default drive, and <Username> is the name of the user.

The WinAutomation Server needs full access to the above folders.

The best choice for a logon account is a local user that has the required access to the above folders. If WinAutomation is installed for a single user, that user can act as the logon account, provided that it is assigned full access permissions on the folder <C>:\ProgramData\Softomotive\WinAutomation. If WinAutomation is installed for multiple users on the same machine, the administrator of the system should select a higher-privileged user (but not a System Administrator) that has access to the above folders for all users of WinAutomation.
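
One way to carry out the steps above from an elevated PowerShell prompt. This is an added example, not Softomotive's own tooling. It assumes the display names of both services contain "WinAutomation" (the Windows service names are not given here), and the account name svc-winauto is hypothetical.

```powershell
# Added example; assumes both service display names contain "WinAutomation" and that
# 'svc-winauto' (hypothetical) is an existing local, non-administrator account.
param(
    [string]$Account = "$env:COMPUTERNAME\svc-winauto",
    [string]$Drive   = $env:SystemDrive    # <C> in the text above
)

# 1. Show which account each WinAutomation service currently logs on as.
$services = Get-CimInstance Win32_Service -Filter "DisplayName LIKE '%WinAutomation%'"
$services | Select-Object Name, DisplayName, StartName, State | Format-Table -AutoSize

# 2. Refuse an account that is a member of the local Administrators group.
if ((Get-LocalGroupMember -SID 'S-1-5-32-544').Name -contains $Account) {
    throw "$Account is a local administrator; choose a lower-privileged account."
}

# 3. Collect the shared data folder plus the per-user folders of every profile.
$folders = @("$Drive\ProgramData\Softomotive\WinAutomation")
foreach ($userDir in Get-ChildItem "$Drive\Users" -Directory) {
    $folders += Join-Path $userDir.FullName 'AppData\Local\Softomotive\WinAutomation'
    $folders += Join-Path $userDir.FullName 'Documents\WinAutomation'
}

# 4. Grant Full Control on each folder that exists, inherited by files and subfolders.
foreach ($folder in $folders | Where-Object { Test-Path $_ }) {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Account, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $folder
    $acl.AddAccessRule($rule)
    Set-Acl -Path $folder -AclObject $acl
}

# 5. Change the logon account of the Server service only; the MachineAgent stays on
#    LocalSystem, which unattended automation requires.
$server = @($services | Where-Object DisplayName -like '*Server*')
if ($server.Count -ne 1) { throw "Expected one Server service, found $($server.Count)." }
$cred = Get-Credential -UserName $Account -Message 'Password for the service logon account'
$result = Invoke-CimMethod -InputObject $server[0] -MethodName Change -Arguments @{
    StartName     = $Account
    StartPassword = $cred.GetNetworkCredential().Password
}
if ($result.ReturnValue -ne 0) { throw "Change failed with code $($result.ReturnValue)." }
Restart-Service -Name $server[0].Name
```

The account also needs the "Log on as a service" user right. The Services console grants it automatically when the logon account is changed there, but the Change method used here does not.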