
Service control manager

Posted by man1nvan on May 16, 2007, 6:08 pm
Have spent 2 days trying to enable a standard user to stop and start a
service on a server. Have done the SDDL stuff on the services and can stop
and start remotely, but want the users (DBAs) to be able to use an MMC or
Computer Management, but keep getting... Service Control Manager access denied
stuff! Does anyone out there know how to permission the Service Control
Manager in 2003 R2?


Posted by Roger Abell [MVP] on May 17, 2007, 3:02 am
> Have spent 2 days trying to enable a standard user to stop and start a
> service on a server. Have done the SDDL stuff on the services and can stop
> and start remotely, but want the users (DBAs) to be able to use an MMC or
> Computer Management, but keep getting... Service Control Manager access
> denied stuff! Does anyone out there know how to permission the Service
> Control Manager in 2003 R2?

Take a look at http://support.microsoft.com/kb/907460
but also look up SDDL syntax on MSDN, as the "example offered",
as the KB directs one to use, grants to Authenticated Users, which is
something you would likely wish to modify to some SCMallowed
group holding your DBAgrp, i.e. mod AU of A;;CCLCRPRC;;;AU,
replacing with SID of your custom group.

Note: Don't just go to sc and wing it via its help as you will not find
mentioned use of name SCMANAGER as a target of the sdset action,
well maybe by now for some version.

Roger
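
Added example, not part of Roger's post or of the KB: a Python sketch of the edit he describes, decoding what CCLCRPRC grants on the Service Control Manager (LC is the enumerate-services right) and moving that ACE from AU to a group SID. The SDDL string and the group SID are constructed sample values, and the function names are hypothetical.

```python
import re

# SDDL right codes as they apply to the Service Control Manager object.
SCM_RIGHTS = {
    "CC": "SC_MANAGER_CONNECT",
    "DC": "SC_MANAGER_CREATE_SERVICE",
    "LC": "SC_MANAGER_ENUMERATE_SERVICE",
    "SW": "SC_MANAGER_LOCK",
    "RP": "SC_MANAGER_QUERY_LOCK_STATUS",
    "WP": "SC_MANAGER_MODIFY_BOOT_CONFIG",
    "RC": "READ_CONTROL",
}

# Constructed sample values, not read from a real server.
SAMPLE_SDDL = "D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)"
GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # hypothetical DBA group


def decode_rights(rights):
    """Split a rights string such as 'CCLCRPRC' into SCM access-right names."""
    codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return [SCM_RIGHTS.get(code, code) for code in codes]


def retarget_ace(sddl, rights, old_trustee, new_trustee):
    """Change the trustee of the one DACL allow ACE that carries `rights`.
    Only the D: section is edited; in the S: section 'AU' is the audit ACE
    type, so a blind text replace of 'AU' would corrupt the SACL.
    """
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if dacl is None:
        raise ValueError("no DACL found in SDDL string")
    aces, changed = [], 0
    for body in re.findall(r"\(([^()]*)\)", dacl.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + body)
        if fields[0] == "A" and fields[2] == rights and fields[5] == old_trustee:
            fields[5] = new_trustee
            changed += 1
        aces.append("(" + ";".join(fields) + ")")
    if changed != 1:
        raise ValueError("expected one matching ACE, found %d" % changed)
    return sddl[:dacl.start(1)] + "".join(aces) + sddl[dacl.end(1):]


if __name__ == "__main__":
    print(decode_rights("CCLCRPRC"))
    print(retarget_ace(SAMPLE_SDDL, "CCLCRPRC", "AU", GROUP_SID))
```

The second printed line is the descriptor string that would be handed to the sdset action against SCMANAGER; on a real server, start from that server's own current descriptor rather than the sample.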



Posted by Joe Richards [MVP] on May 17, 2007, 3:19 pm
The issue is that in SP1 they made a change to the ACL on the Service
Control Manager, basically they took away the right to enumerate the
services and many apps, especially GUI apps, will not work without the
ability to enumerate. My SvcUtil will work fine without being able to
enumerate as will SC but they are CLI based tools.

http://www.joeware.net/freetools/tools/svcutil/index.htm

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


man1nvan wrote:
> Have spent 2 days trying to enable a standard user to stop and start a
> service on a server. Have done the SDDL stuff on the services and can
> stop and start remotely, but want the users (DBAs) to be able to use an
> MMC or Computer Management, but keep getting... Service Control Manager
> access denied stuff! Does anyone out there know how to permission the
> Service Control Manager in 2003 R2?
