Grooper Service: Difference between revisions

Latest revision as of 13:38, 11 June 2026

Grooper Services are various executable programs that run as a Windows Service to facilitate Grooper processing. Service instances are installed, configured, started and stopped using Grooper Command Console (or in older Grooper versions, Grooper Config).

About

Services are utilities that perform specialized operations within the Grooper environment. The two most common Grooper Services are "Activity Processing" and "Import Watcher".

Activity Processing is a service that executes processing jobs and tasks in a Batch Process. Running one or more Activity Processing services allows your system to automate Activity tasks when processing document content in a Batch.
Import Watcher is a service that watches an assigned external storage location, like a Windows folder or an email inbox, and will import its contents into Grooper at designated times or polling cycles. Running one or more Import Watcher services allows your system to automate Batch creation from file content.

Service instances are installed and managed from Grooper Command Console (GCC) using the services commands. More information on installing and managing services can be found in this section of the Grooper Command Console article.

Service types

There are currently 6 different Grooper Services you can install.

Activity Processing - Executes Activities which perform the work associated with steps in a Batch Process.
API Services - Exposes a set of API endpoints, enabling 3rd party applications to interact with the Grooper Repository.
Grooper Licensing - Distributes Grooper licensing to workstations when using the "self-hosted" licensing method.
Import Watcher - Schedules and runs Import jobs to import file content into Grooper.
Indexing Service - Synchronizes data to AI Search indexes as documents are added, edited and deleted from the Grooper Repository.
System Maintenance Service - Runs the "System Maintenance" command on a recurring schedule.

Installing Services

Services are installed from Grooper Command Console using the following command:

services install <connectionNo> <typeName> <userName> <password>

<connectionNo> - Enter the Grooper Repository connection number for which the service is installed.
- Unsure what the Grooper Repository's connection number is? Use the connections list to display all Grooper Repository connections.
<typeName> - Enter the Grooper Service's type name for the service you wish to install.
- Unsure what the Service's type name is? Just enter the first three letters.
  - Activity Processing = act
  - Import Watcher = imp
  - Indexing Service = ind
  - API Services = api
  - System Maintenance Service = sys
  - Licensing = lic
<userName> - Enter the service user's account name.
<password> - Enter the service user's password.

Once installed, Grooper Services should be managed from the Design page using the Machines node. See below for more information.

Managing services from the Design page

Managing services typically involves:

Starting a service
Stopping a service
Editing a service

While it is possible to do some of these things from Grooper Command Console, it is generally easiest to do so from the Design page.

To manage services from the Design page:

Go to the Design page.
Navigate to the "Machines" folder.
To select a service instance first either:
- From the "Machines" tab, select the machine where the service is installed.
- Or, select the "Services" tab to view all services installed on all machines connected to the Grooper Repository.
Select the service instance you wish to manage.
To start the service, press the "Start" button (play_circle).
To stop the service, press the "Stop" button (stop_circle).
To edit the service instance:
1. First stop the service (play_circle).
2. Edit the "Service Properties" as needed.
3. Press the "Save" button (save).
4. Last, start the service (stop_circle).

Things you can't do from the Design page

There are certain things you cannot do from the Design page.

You can't install a service from the Design page.

Services are installed from Grooper Command Console.

You can't uninstall a service from the Design page.

Services are uninstalled from Grooper Command Console.

You can't change a service user/password from the Design page.

You must change a service user (or their password) from the Windows Services system application.

Open the "Services" app.
Search for the Grooper service instance (It will be named like the following: Grooper {ServiceTypeName}, Instance {##}).
Right click it and select "Properties".
Go to "Log On".
Adjust the service user as needed.
Press "Apply" or "OK" when finished.

Additional info

Least-privileged service accounts

Minimum service user rights

Grooper services — such as the Activity Processing service — run under dedicated Windows service accounts to automate task processing for Batches. These accounts must be granted a minimum set of permissions to execute tasks.

From a security standpoint, service accounts should be granted only the permissions required for their function. It is unadvisable to grant full local administrator privileges or elevated database roles to any Grooper service account.

Permission	Type	Where to Configure	Reason
Local Users Group	Local	Computer Management → Local Users and Groups → Groups → Users	Grants rights to run installed applications, including Grooper
File Store Access	NTFS / Share	Windows Explorer → Folder Properties → Security (NTFS) and/or Share Permissions	Read and write access to the Grooper file store location
Database Access	SQL Server	SQL Server Management Studio → Security → Logins → [account] → User Mapping → [GrooperDB]	Read and write access to the Grooper database. Grant db_datareader and db_datawriter on the Grooper database.
Logon As Service	Local Security Policy	Local Security Policy → Local Policies → User Rights Assignment → Log on as a service	Required to run services installed via Grooper Command Console

Note: These permissions are sufficient for Activity Processing services and serve as a baseline for all Grooper services. Other Grooper services may require additional permissions depending on their function. For example, an Import Watcher service account may need read access to directories used as import sources. Always scope additional permissions to the minimum required for that service's specific function.

Services with "Error" statuses

A common issue will occur with least-privileged accounts. This can cause some user confusion.

A service with an error status.

When viewing services from the Machines node on the Design page you may see services with an error status.

"Error" is a general status Grooper uses when it can't determine if a service is running or stopped.
Most typically, "Error" indicates the query to get the service's status has failed.
In this case, the entity checking the status (the Grooper app pool user in IIS) does not have permission to check the service's status.
This doesn't necessarily mean the service is not running (nor does it mean it's stopped). It just means the app pool user can't verify its status.

This issue does not occur when service accounts have administrator rights, as broad access is granted by default. For least-privileged accounts, however, the service DACL must be explicitly modified to grant the rights needed to query status, start, and stop the service.

Example Scenario:

The Grooper Web Client is installed on web server named GRPWEB01. The user "DOMAIN\grooperapp" is the app pool user in IIS
Grooper Activity Processing services are installed on a processing server named GRPACT01.
The user "DOMAIN\grooperapp" does not have permissions to access GRPACT01. So, it cannot verify the status of services installed on that machine.
When any user opens up the Grooper web app, they will see the services installed on GRPACT01 listed with an "Error" status.

Addressing "ghost services" - Deleting services from Windows

Very rarely, a Grooper service will not uninstall properly when you uninstall a Grooper service instance. Or, a user may delete a Grooper Repository connection or purge a Grooper Repository without uninstalling services first.

This can make it appear as though a duplicate or "ghost" Windows service is installed without being listed in GCC (or Grooper Config before version 2024).

If this does occur, you will need to manually delete the service. If you know the name of the service instance you need to delete (something like Grooper.ServiceTypeName.##), you can use the following command lines to stop the service (if necessary) and manually delete it.

SC STOP Grooper.ServiceTypeName.##
SC DELETE Grooper.ServiceTypeName.##

OR

You can delete the service from the Windows Registry Editor, using the following steps:

Open the Registry Editor (regedit.exe)
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
Select the key of the service you want to delete.
- Grooper services will always be named something like Grooper.ServiceTypeName.##
From the "Edit" menu select "Delete.
You will be prompted "Are you sure you want to delete this Key?". Click Yes.
Exit the Registry Editor.

@@ Line 15: / Line 15: @@
 * [[Activity Processing]] - Executes Activities which perform the work associated with steps in a Batch Process.
 * [[API Services]] - Exposes a set of API endpoints, enabling 3rd party applications to interact with the Grooper Repository.
-* [[Grooper Licensing]] - Dstributes Grooper licensing to workstations when using the "self-hosted" licensing method.
+* [[Grooper Licensing]] - Distributes Grooper licensing to workstations when using the "self-hosted" licensing method.
 * [[Import Watcher]] - Schedules and runs Import jobs to import file content into Grooper.
 * [[Indexing Service]] - Synchronizes data to [[AI Search]] indexes as documents are added, edited and deleted from the Grooper Repository.
 * [[System Maintenance Service]] - Runs the "System Maintenance" command on a recurring schedule.
+== Installing Services ==
+Services are installed from [[Grooper Command Console]] using the following command:
+<pre>services install <connectionNo> <typeName> <userName> <password></pre>
+* <code><connectionNo></code> - Enter the Grooper Repository connection number for which the service is installed.
+**<li class="fyi-bullet">Unsure what the Grooper Repository's connection number is? Use the <code>connections list</code> to display all Grooper Repository connections.
+* <code><typeName></code> - Enter the Grooper Service's type name for the service you wish to install.
+**<li class="fyi-bullet"> Unsure what the Service's type name is? Just enter the first three letters.
+*** Activity Processing = <code>act</code>
+*** Import Watcher = <code>imp</code>
+*** Indexing Service = <code>ind</code>
+*** API Services = <code>api</code>
+*** System Maintenance Service = <code>sys</code>
+*** Licensing = <code>lic</code>
+* <code><userName></code> - Enter the service user's account name.
+* <code><password></code> - Enter the service user's password.
+Once installed, Grooper Services should be managed from the Design page using the Machines node. See below for more information.
 == Managing services from the Design page ==
@@ Line 68: / Line 87: @@
 # Press "Apply" or "OK" when finished.
+<!--- This pertains to Brad's fix for the "Error" notification. Dylan needs to review his documentation and figure out the best way to incorporate it in the wiki
 === Troubleshooting security issues ===
 COMMING SOON! ARTICLE IN PROGRESS
+--->
 == Additional info ==
-=== Service user rights ===
+=== Least-privileged service accounts ===
+==== Minimum service user rights ====
+{{LeastPrivilegeServiceAccounts}}
+<!--- WIP uncomment once I can verify everything works
+==== Viewing, starting and stopping services with least-privileged service accounts ====
+This guidance assumes a single Grooper service account is used for both the Grooper app pool and Grooper services.
+'''Prerequisites'''
+* Domain service account created (e.g. domain\svc_account)
+* Account is NOT a member of local Administrators on the web server (or processing servers in distributed setups). ''Admin group membership causes UAC token filtering that silently blocks remote service operations even when all DACLs are correctly configured.''
+* Account has "Logon As Service " right (secpol.msc > Local Policies > User Rights Assignment)
+* The Admin configuring the least-privileged service account must have Administrator rights to run PowerShell scripts on the target server(s).
+* The service account must have Read/Write permissions to the Grooper file store's Windows folder location.
+* The service account must have <code>db_datareader</code> and <code>db_datawriter</code> roles for the Grooper database.
-The Grooper Service user account must have the following permissions:
+===== For single-server setups =====
+If the Grooper web client and activity processing services are installed on the same server, rights can be granted with single script that modifies the service DACL.
+This script grants the minimum SDDL rights needed to query, start and stop a specific service.
 {|class="wikitable"
-|
+|'''Code'''||'''Right||'''Reason Included'''
-'''Permission'''
+|-
-|
+|CC||Query Config||Required by .NET ServiceController to open the service handle
-'''Type'''
-|
-'''Reason'''
 |-
-|
+|LC||Query Status||Required to read current service state
-Users
-|
-Local
-|
-Run the installed applications (Grooper)
 |-
-|
+|RP||Start||Required to start the service
-File store access
-|
-NTFS\Share
-|
-Read and write access to the Grooper file store location
 |-
-|
+|WP||Stop||Required to stop the service
-Database access
-|
-SQL
-|
-Read and write access to the Grooper database
 |-
-|
+|RC||Read Control||Required to read the security descriptor
-Logon As Service
-|
-Local Security Policy
-|
-Run services installed via Grooper Command Console
 |}
-''These are the minimum permissions required by the Activity Processing service's user account. Other Grooper services may require additional permissions. For example, an Import Watcher's user may need access to directories used for importing file content.''
+This script can be run directly from the PowerShell console.
+# Open '''PowerShell ISE''' as an administrator.
+# Add a new script.
+# Copy the script below and paste it into the editor in PowerShell.
+# Replace "YourServiceName" and "domain\svc_account" with appropriate values
+# Run the script from PowerShell.
+# You will be prompted to enter the service account's name (e.g. domain\svc_account) and the name for the Grooper service.
+#*<li class="fyi-bullet"> The service name is '''not''' the display name. It will look something like <code>Grooper.ServiceType.##</code>. If you do not know the service name, go to the '''Design''' page in Grooper. Then, select the '''Machines''' folder node. Find the service from here, or select the '''Services''' tab to locate it. Select the service and inspect its '''Service Name''' value in the property grid under "Service Settings".
+*<li class="attn-bullet">'''Be sure to replace "YourServiceName" and "domain\svc_account" with appropriate values.'''
+<pre>
+$ServiceName = "YourServiceName"
+$AccountName = "domain\svc_account"
+$sid = ([System.Security.Principal.NTAccount]$AccountName).Translate([System.Security.Principal.SecurityIdentifier]).Value
+$serviceSddl = "D:(A;;CCLCRPWPRC;;;$sid)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
+$template = @"
+[Unicode]
+Unicode=yes
+[Version]
+signature="`$CHICAGO`$"
+Revision=1
+[Service General Setting]
+"$ServiceName",2,"$serviceSddl"
+"@
+$infPath = "$env:TEMP\grant-$ServiceName.inf"
+$dbPath  = "$env:TEMP\grant-$ServiceName.sdb"
+$template | Set-Content -Path $infPath -Encoding Unicode
+secedit.exe /configure /db $dbPath /cfg $infPath /areas SERVICES /log "$env:TEMP\grant-$ServiceName.log"
+</pre>
+===== For distributed server setups =====
+When Grooper
+-->
+<!-- PowerShell script to grant a service account with logon-as-service rights
+$account = "domain\svc_account"
+$tempInf = "$env:TEMP\logon-as-service.inf"
+$tempDb  = "$env:TEMP\logon-as-service.sdb"
+$template = @"
+[Unicode]
+Unicode=yes
+[Version]
+signature="`$CHICAGO`$"
+Revision=1
+[Privilege Rights]
+SeServiceLogonRight = $account
+"@
+$template | Set-Content -Path $tempInf -Encoding Unicode
+secedit.exe /configure /db $tempDb /cfg $tempInf /areas USER_RIGHTS
+-->
+==== Services with "Error" statuses ====
+A common issue will occur with least-privileged accounts. This can cause some user confusion.
+[[File:2025Wiki GrooperServices ErrorStatus.png|thumb|right|600px|A service with an error status.]]
+When viewing services from the Machines node on the Design page you may see services with an error status.
+* "Error" is a general status Grooper uses when it can't determine if a service is running or stopped.
+* Most typically, "Error" indicates the '''query''' to get the service's '''status''' has failed.
+* In this case, the entity checking the status (the Grooper app pool user in IIS) does not have permission to check the service's status.
+* This doesn't necessarily mean the service is not running (nor does it mean it's stopped). It just means the app pool user can't verify its status.
+This issue does not occur when service accounts have administrator rights, as broad access is granted by default. For '''least-privileged''' accounts, however, the service DACL must be explicitly modified to grant the rights needed to query status, start, and stop the service.
+Example Scenario:
+* The Grooper Web Client is installed on web server named GRPWEB01. The user "DOMAIN\grooperapp" is the app pool user in IIS
+* Grooper Activity Processing services are installed on a processing server named GRPACT01.
+* The user "DOMAIN\grooperapp" does not have permissions to access GRPACT01. So, it cannot verify the status of services installed on that machine.
+* When any user opens up the Grooper web app, they will see the services installed on GRPACT01 listed with an "Error" status.
 === Addressing "ghost services" - Deleting services from Windows ===
-Very rarely, a Grooper service will not uninstall properly when you uninstall a Grooper service service. Or, a user may delete a Grooper Repository connection or purge a Grooper Repository without uninstalling services first.
+Very rarely, a Grooper service will not uninstall properly when you uninstall a Grooper service instance. Or, a user may delete a Grooper Repository connection or purge a Grooper Repository without uninstalling services first.
 This can make it appear as though a duplicate or "ghost" Windows service is installed without being listed in GCC (or Grooper Config before version 2024).
-If this does occur, you will need to manually delete the service.  If you know the name of the service instance (something like <code>Grooper.ServiceTypeName.##</code>) you need to delete, you can use the following command lines to stop the service (if necessary) and manually delete it.
+If this does occur, you will need to manually delete the service.  If you know the name of the service instance you need to delete (something like <code>Grooper.ServiceTypeName.##</code>), you can use the following command lines to stop the service (if necessary) and manually delete it.
 <pre>