I am confused about how the Installer/ADS Service are setting the ACL on the Windows folders used by the ADS Service:
- AMP-Datastore is owned by SYSTEM
- instances.json is owned by Administrators (missing owner or Network Service)
- ADS Service runs under Network Service
This ends up in ADS-Service not being able to change the instances.json, because Network Service is neither owner nor administrator.
To rely on the owner might not be a good idea, and running a service as Network Service that evolves over time (creating new folders and IP bindings) can be tricky. This is well documented for IIS, where you have special users (IIS_IUSRS etc.) to deal with access rights / security.
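
A read-only check for the situation described above, as an added example that is not part of the original post and not the installer's or the service's own code: for each path it reports the owner and whether the service account holds a direct Modify grant. The function name, its parameters and the placeholder paths in the usage comment are assumptions.

```powershell
# Added example: read-only ACL audit. Test-DirectModify and its parameters
# are hypothetical names, not part of the installer or the service.
function Test-DirectModify {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        # Account the service runs as; add group names here to count their ACEs too.
        [string[]] $Account = @('NT AUTHORITY\NETWORK SERVICE')
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Compare by SID so localized or renamed account names do not matter.
    $sids = @(foreach ($a in $Account) {
        ([System.Security.Principal.NTAccount]$a).Translate($sidType).Value
    })
    $modify      = [int][System.Security.AccessControl.FileSystemRights]::Modify
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    foreach ($p in $Path) {
        $acl      = Get-Acl -LiteralPath $p
        $ownerSid = $acl.GetOwner($sidType).Value
        $allow = 0; $deny = 0
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($sids -notcontains $rule.IdentityReference.Value) { continue }
            # Inherit-only ACEs apply to children, not to this object itself.
            if (([int]$rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }
            if ($rule.AccessControlType -eq 'Allow') {
                $allow = $allow -bor [int]$rule.FileSystemRights
            } else {
                $deny = $deny -bor [int]$rule.FileSystemRights
            }
        }
        # Deny ACEs win over allow ACEs for the same rights.
        $effective = $allow -band (-bnot $deny)
        [pscustomobject]@{
            Path           = $p
            Owner          = $acl.Owner
            AccountIsOwner = $sids -contains $ownerSid
            DirectModify   = (($effective -band $modify) -eq $modify)
        }
    }
}

# Limitation: only ACEs naming the listed accounts are evaluated. Access granted
# through groups not listed in -Account is not counted.
# Usage (placeholder paths; the post does not give the full locations):
# Test-DirectModify -Path '<data-root>\AMP-Datastore', '<data-root>\instances.json'
```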