Least-Privilege Recommendations

AppProfileSafe requires local administrator privileges because it reads and writes registry keys under HKEY_LOCAL_MACHINE and files in protected system folders. While the administrator requirement cannot be avoided, this page provides recommendations for limiting exposure in automated deployments.


Dedicated Service Account

For scheduled tasks and automated deployments, use a dedicated service account rather than a personal admin account or the built-in SYSTEM account. This provides auditability (the service account name appears in audit logs) and limits credential exposure.

Account Type | Recommendation
Domain service account | Create a dedicated account (e.g. svc_appprofilesafe) and add it to the local Administrators group on target machines. Use Group Policy Preferences or SCCM for group membership management.
gMSA (Group Managed Service Account) | Preferred for environments that support it. Password management is automatic, and the account cannot be used for interactive logon. Add the gMSA to the local Administrators group.
Local SYSTEM | Works for scheduled tasks but provides no user-level auditability. Audit log entries will show the machine account.


Network Share Permissions

When using UNC paths, apply the principle of least privilege to the network share:

  • Export share — The service account needs Read/Write on the NTFS folder and at least Change on the share permission. Other users should have Read-only access to prevent tampering with exported data.
  • Import share — The service account needs only Read access. Write access is not required because imports only read from the manifest data folder.
  • Per-user isolation — Create per-user subfolders (e.g. \\server\profiles$\%USERNAME%) and use Access-Based Enumeration (ABE) to prevent users from seeing other users' data.


Data Folder Permissions

The AppProfileSafe data folder (%ProgramData%\IT-Consulting Kinner\AppProfileSafe) contains configuration files, audit logs, and license files. Recommended permissions:

  • Administrators — Full control (required for operations)
  • SYSTEM — Full control (required for scheduled tasks running as SYSTEM)
  • Authenticated Users — Read only (allows non-admin users to view configuration but not modify it)

The audit log folder deserves special attention: restrict write access to the service account to prevent tampering with audit records.
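As an added example (not part of the AppProfileSafe documentation or product), the following PowerShell applies the data folder permissions listed above, then locks the audit log folder so that only the service account can write to it, and finishes with a check that reports any other identity still holding write rights. The audit log subfolder name ('Logs') and the domain prefix in the service account name are placeholders; substitute the values from your installation.

```powershell
# Added example, not AppProfileSafe's own code. Applies the recommended ACLs from this page.
# ASSUMPTIONS: audit logs live in a 'Logs' subfolder (placeholder name) and the service
# account is CONTOSO\svc_appprofilesafe (placeholder domain). Run from an elevated session.
$DataFolder     = Join-Path $env:ProgramData 'IT-Consulting Kinner\AppProfileSafe'
$AuditFolder    = Join-Path $DataFolder 'Logs'          # placeholder subfolder name
$ServiceAccount = 'CONTOSO\svc_appprofilesafe'          # placeholder domain\account

# Rules apply to the folder, its subfolders and its files.
$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None

function New-Rule([string]$Identity, [string]$Rights) {
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $Inherit, $Propagate, 'Allow')
}

# Replace a folder's DACL with exactly the given rules: stop inheriting from the parent,
# drop every existing explicit entry, then add the recommended ones.
function Set-ExactAcl([string]$Path, [hashtable]$Grants) {
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)          # protected DACL, inherited ACEs removed
    foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRuleAll($rule) }
    foreach ($identity in $Grants.Keys) { $acl.AddAccessRule((New-Rule $identity $Grants[$identity])) }
    Set-Acl -Path $Path -AclObject $acl
}

# Data folder: the three entries recommended on this page.
Set-ExactAcl $DataFolder @{
    'BUILTIN\Administrators'            = 'FullControl'
    'NT AUTHORITY\SYSTEM'               = 'FullControl'
    'NT AUTHORITY\Authenticated Users'  = 'ReadAndExecute'
}

# Audit log folder: write access restricted to the service account, everyone else read-only.
# If your scheduled tasks run as SYSTEM instead, set $ServiceAccount to 'NT AUTHORITY\SYSTEM'.
Set-ExactAcl $AuditFolder @{
    $ServiceAccount                     = 'Modify'
    'BUILTIN\Administrators'            = 'ReadAndExecute'
    'NT AUTHORITY\Authenticated Users'  = 'ReadAndExecute'
}

# Check: warn about any identity other than the service account that can still write audit records.
(Get-Acl -Path $AuditFolder).Access |
    Where-Object { $_.IdentityReference.Value -ne $ServiceAccount -and
                   $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    ForEach-Object { Write-Warning "Unexpected write access on audit folder: $($_.IdentityReference.Value)" }
```

Members of Administrators can still take ownership and rewrite the ACL, so the audit folder restriction guards against accidental or non-admin tampering rather than a hostile local administrator; enable object access auditing on the folder if you need to detect ACL changes.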


Credential Storage

When using --unc-credential-store, credentials are stored in the Windows Credential Manager of the service account. These credentials are accessible only to the account that stored them. Avoid using --unc-password in production scripts, as the password may be visible in Task Scheduler properties, process listings, or script files.