Restrict user to only run programs on Windows Server 2012 R2

0

I have a situation here I hope you can help me with. I have a database running on a Windows Server 2012 R2 machine with a specific user account. The same user account is running a Windows service. This service does some work and does some updates on the DB. This works quite well so far.

Now this service has to run an external process at some point, and I do that with ProcessStartInfo and Process.Start, which gives the following exception:

    System.ComponentModel.Win32Exception (0x80004005): Access is denied
       at System.Diagnostics.Process.StartWithShellExecuteEx(ProcessStartInfo startInfo)
       at System.Diagnostics.Process.Start()
       at System.Diagnostics.Process.Start(ProcessStartInfo startInfo)

According to this Stack Overflow answer, I have to add this user (an Active Directory user) to the server. As it is now, the user doesn't have access to the server.

And I actually want to keep it this way and only give the user access to start processes (programs) without having access to the server.

Is that possible, or am I on the wrong path?

Control Panel >> User Accounts >> Manage User Accounts >> Add... will probably do the work, but I have no idea which level of access I have to choose in the list of access levels.

permissions
active-directory
windows-server-2012-r2
user-profiles
restrictions
asked on Super User Oct 20, 2016 by Nawed Nabi Zada • edited May 23, 2017 by Community

1 Answer

0

OK, I think the exception is a little bit misleading. It seemed like the user wasn't allowed to run the application, but the real problem was that the user didn't have any access to the directory where the application was located.

  • Changing the security settings of the folder to allow Read & Execute rights to the user will fix this problem.

This way there is no need to add the user to the server.

answered on Super User Oct 20, 2016 by Nawed Nabi Zada • edited Oct 24, 2016 by Nawed Nabi Zada
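The folder permission change described in the answer above can also be scripted and checked. This is an added example, not part of the original post; the folder path and account name are placeholders assumed for illustration, and the script must run from an elevated PowerShell session.

```powershell
# Placeholders (assumed, not from the original post)
$AppDir  = 'C:\Tools\ExternalApp'      # folder that holds the external program
$Account = 'CONTOSO\svc-dbworker'      # AD account the Windows service runs as

# Record the current ACL first so the change can be reviewed or reverted.
$acl = Get-Acl -Path $AppDir
$acl.Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

# Allow rule: Read & Execute only, inherited by subfolders and files.
# No Write or Modify, so the account cannot replace the binary it launches.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl.AddAccessRule($rule)
Set-Acl -Path $AppDir -AclObject $acl

# Verify: every Allow entry for the account must stay within Read & Execute
# (Synchronize is added implicitly by Windows and is harmless).
$permitted = [int][System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Synchronize'
$entries = (Get-Acl -Path $AppDir).Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow'
}

if (-not $entries) {
    Write-Warning "No Allow entry found for $Account on $AppDir"
}
foreach ($e in $entries) {
    # Bits outside the permitted mask mean the account holds more than intended.
    $extra = [int]$e.FileSystemRights -band (-bnot $permitted)
    if ($extra -ne 0) {
        Write-Warning "$Account has rights beyond Read & Execute: $($e.FileSystemRights)"
    } else {
        Write-Output "OK: $Account -> $($e.FileSystemRights) (inherited: $($e.IsInherited))"
    }
}
```

The check only covers entries that name the account directly; rights granted through group membership appear under the group's name in the ACL and need to be reviewed separately.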

User contributions licensed under CC BY-SA 3.0