Posted by Roger Abell [MVP] on February 23, 2007, 11:54 am
Thanks for the post-back and KB (a little troubled about its
granting to Authenticated Users though, at least for multi-domain
forests).
Roger
>>
>>
>> > On Windows 2000 all one had to be to list all services resident was to
>> > be a member of the Power Users group. On Windows Server 2003, that is
>> > no longer sufficient. I can create GPOs or set the ACL for
>> > manipulating individual *known* services, but I need to be assigned the
>> > user right to be able to manipulate or simply list all services
>> > without giving local administrator access. What are my options?
>>
>> As you have implied, it is a little challenging to do this via
>> Services section of GPO as one needs to have all possible
>> services in the GPO.
>>
>> Are you familiar with the sc command?
>> sc <machine> query
>> for list of services instanced on the remote <machine>
>> thence use of sc's sdshow and sdset commands to show
>> and set the security descriptor for specific services,
>> using SDDL syntax (search MSDN for SDDL if needed).
>>
>> Roger
>
> I actually was trying both services.msc and the sc command, and it
> failed both ways with an access denied message. It turns out it was
> a Windows 2003 SP1 issue, not a problem with the RTM version. Microsoft
> changed the security in that version for the services. I discovered
> this after a call to Microsoft support (and 2 hours). The problem is
> not so much with security or permission to the actual services, but to
> the Service Control Manager. Here is the link:
> http://support.microsoft.com/kb/907460
>
> Here is the command you have to run:
> sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
>
> Thanks for your help.
>
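As an added example (not part of the original posts or of the KB article), this Python sketch decodes the SCMANAGER descriptor quoted in the thread, so the rights each trustee receives, Authenticated Users included, can be read off before the command is applied. The right-code table is the standard SDDL mapping read against the Service Control Manager access mask; the function names and the choice of "write-type" bits are assumptions made for illustration.

```python
import re

# Constructed input: the descriptor quoted in the thread, joined onto one line.
SDDL = ("D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)"
        "S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")

# SDDL right codes interpreted against the Service Control Manager access mask.
SCM_RIGHTS = {
    "CC": (0x0001, "SC_MANAGER_CONNECT"),
    "DC": (0x0002, "SC_MANAGER_CREATE_SERVICE"),
    "LC": (0x0004, "SC_MANAGER_ENUMERATE_SERVICE"),
    "SW": (0x0008, "SC_MANAGER_LOCK"),
    "RP": (0x0010, "SC_MANAGER_QUERY_LOCK_STATUS"),
    "WP": (0x0020, "SC_MANAGER_MODIFY_BOOT_CONFIG"),
    "SD": (0x10000, "DELETE"),
    "RC": (0x20000, "READ_CONTROL"),
    "WD": (0x40000, "WRITE_DAC"),
    "WO": (0x80000, "WRITE_OWNER"),
    "KA": (0xF003F, "SC_MANAGER_ALL_ACCESS"),  # same value as KEY_ALL_ACCESS
    "GA": (0x10000000, "GENERIC_ALL"),
}
TRUSTEES = {"AU": "Authenticated Users", "SY": "Local System",
            "BA": "Builtin Administrators", "WD": "Everyone"}
# Assumption: bits treated here as able to change SCM state or its security.
WRITE_BITS = 0x0002 | 0x0020 | 0x10000 | 0x40000 | 0x80000 | 0x10000000

def parse_sddl(sddl):
    """Return {'D': [...], 'S': [...]}; each ACE is a dict with a numeric mask."""
    acls = {}
    for kind, body in re.findall(r"([DS]):[A-Z_]*((?:\([^)]*\))+)", sddl):
        aces = []
        for ace in re.findall(r"\(([^)]*)\)", body):
            ace_type, flags, rights, _obj, _inh, sid = ace.split(";")[:6]
            codes = re.findall("..", rights)  # right codes are two letters each
            mask = 0
            for code in codes:
                mask |= SCM_RIGHTS[code][0]
            aces.append({"type": ace_type, "flags": flags, "mask": mask,
                         "trustee": TRUSTEES.get(sid, sid),
                         "names": [SCM_RIGHTS[c][1] for c in codes]})
        acls[kind] = aces
    return acls

def write_capable(acls):
    """Trustees whose allow ACE in the DACL carries any write-type bit."""
    return [a["trustee"] for a in acls["D"]
            if a["type"] == "A" and a["mask"] & WRITE_BITS]

if __name__ == "__main__":
    for ace in parse_sddl(SDDL)["D"]:
        print(f'{ace["trustee"]:24} {ace["mask"]:#09x} {", ".join(ace["names"])}')
```

Run against the thread's descriptor, the Authenticated Users entry decodes to connect, enumerate, query-lock-status and read-control only.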