Docker Community Forums

Share and learn in the Docker community.

Run a program with administrative rights in a dockerfile (Windows container)

Hello,

I use Docker Desktop on Windows 10 with Windows containers.
I need to produce a Docker image with Windows nano server 2019 but during the build process I need to run a program in the container with administrative rights (I don’t need administrative rights after the image is created, but just when building).

I can do it manually, it works fine:

  • docker run -it --name nano mcr.microsoft.com/windows/nanoserver:20H2 cmd.exe
  • exit
  • docker stop nano
  • docker cp MySetup.exe nano:/MySetup.exe
  • docker start nano
  • docker exec -it –user “NT Authority\System” nano C:\MySetup.exe
  • docker stop nano
  • docker commit nano mynanoimage

But I can’t do the same in a dockerfile
FROM mcr.microsoft.com/windows/nanoserver:20H2
COPY MySetup.exe /MySetup.exe
USER "NT Authority\System"
RUN “C:\MySetup.exe”
CMD cmd.exe

Docker build -t mynanoimage2 .
The command ‘cmd /S /C “C:\MySetup.exe”’ returned a non-zero code: 2
I can see in the output that an access was denied, as if USER “NT Authority\System” was ignored.

Am I missing something?

Thank you for your help,

Michel Terrisse

I tried to add the current user ContainerUser to the group but couldn’t do it because ContainerUser like ContainerAdministrator are built-in virtual accounts and can’t be added to groups.

Anyway, I don’t think access rights have are the problem here because it works fine if I run the commands in a container, it just fails with docker build and a dockerfile.

Note that I tried this from a dockerfile:

RUN "net user /add MySetupUser MyPassword"

It fails with an access denied error.

But

USER ContainerAdministrator
RUN "net user /add MySetupUser MyPassword"

runs successfully. So the command USER ContainerAdministrator does the job here.

But if I call

USER ContainerAdministrator
RUN C:\MySetup.exe

it fails. The API that fails is CertAddCertificateContextToStore when trying to add a certificate to “MY” certificate store.

I can’t understand why it works fine with docker run and not with docker build.