Service writing on Win2003 remotely.

Posted by Ricardo Vazquez on October 26, 2007, 8:59 am
Hi everybody,

MY PROBLEM:
An application I've developed as a Windows Service, which is running at a
Windows2000 (CORREO) has to move a file (MoveFileEx) to a Win2003 Server
(ANDROMEDA), to a shared folder called "Recordings".
--> None of them are a domain server (no active-directory)
--> None of them are in any domain at all.
Both of them are in a work-group called SSSHHHH.
I add full control permission in Andromeda's folder "Recordings" for user
"Ricardo", which I created in Andromeda; and also full permission for user
"Everyone" (thanks to user "Everyone" my service has been working fine
before Win2003). I have added these permissions in both tabs "Sharing" and
"Security" in folder properties.

If opened manually from Correo, it asks me for user and password: I enter
"ANDROMEDA\Ricardo", and it opens the folder and I can actually write.

But my service can not: "Error MoveFile: Access denied".
It seems to be logical, since the "user" (account) which runs the service is
"LocalSystem" and not "ANDROMEDA\Ricardo".


SOLUTIONS THAT I'VE TRIED:
Possible solutions I've thought of?
- Either I give permission to that Correo's "LocalSystem" on Andromeda to
write on "Recordings"
- Or I make the service run with another user-password:
"ANDROMEDA\Ricardo", as I did when I manually opened the folder.

I fail to carry out any of the two solutions:

The first solution:
According to the documentation that I found on the internet, Local System
account appears on the network as DOMAIN\<machine name>$:
http://www.microsoft.com/technet/security/guidance/serversecurity/serviceaccount/sspgch02.mspx#EBH
But here we have no "domain".
I still attempted to give permission in folder "Recordings" to CORREO$,
didn't work; CORREO\CORREO$, didn't work, SSSHHH\CORREO$, didn't either; I
also tried without the "$": nothing.
Then I tried using the user-list (Add / Advanced / Search now - there is no
more "location" than the very local pc), and I added total permission both
Share and Security to "Everyone", "LOCAL SERVICE", "Network Service",
"SERVICE", "Network", "ANONYMOUS LOGON" and "Authenticated Users", to see if
any of these users would ring the bell... Nothing!

The second solution:
Change the user that runs my service to ANDROMEDA\Ricardo.
I tried to change it ("Session start" tab in my service properties), but
clicking "Apply" it won't let me, popping up that "The name of the account is
invalid or does not exist, or the password is invalid for the account name
specified."
Then I tried to change the account to "network service", -this account
sounded so well to me-, "AUTHORITY\NetworkService". But when I try to start
my service it quickly stopped: "The service has not responded to the
petition after an adequate time"; but it says this after just a second! It
doesn't look like a real timeout. Rather, it seems that not any service can
manually switch and use this "network service" account.


So, I can't think of any other solution!
I am newbie to networks and servers ... I do not know what I can do!

Could anyone please help me?


Thank you very much!


Ricardo Vázquez.
Madrid, Spain.

Posted by Martin X. on October 26, 2007, 11:23 am
Hola,

I don't know if you tried this yet, but did you create an account with the same
exact username and password on both servers? Configure your service to use
that account/password. Using the account on either server will give you
access to the other server.

--
Regards,
Martin X.
MCSA: M

Posted by Ricardo Vazquez on October 29, 2007, 6:25 am
Hola Martin! :-)

I'm afraid it did not work...

The reason could be that Correo (Win2000) lets ".\Ricardo" be the user
for my service (if I enter "Ricardo" it corrects it as ".\Ricardo").

But Andromeda won't let me set permissions for ".\Ricardo" (Shared and
Security tabs) in shared folder "Recordings", but "ANDROMEDA\Ricardo"! If I
enter ".\Ricardo" or just "Ricardo" Win2003 corrects it as
"ANDROMEDA\Ricardo".

I guess this is the problem why Andromeda (Win2003) will not consider the
service and the folder users to be the same "Ricardo" user, so it will not
let the service access the folder.

I tried and got the same error: Access Denied...

Can you think of any other possibility?

Thank you very much, Martin!

Kind regards,

Ricardo.

Posted by Martin X. on October 30, 2007, 10:27 am
Let's try this from the beginning.



1) Create a regular user account named RICARDO on the CORREO Windows
2000 Server. Give it the password "password123".

2) Create a regular user account named RICARDO on the Windows Server
2003 server ANDROMEDA, also with the password "password123".

3) As you mentioned, you created a folder and share on CORREO named
RECORDINGS. Give ANDROMEDA\RICARDO full permissions in both tabs "Sharing"
and "Security" in folder properties.

4) Log on to CORREO as RICARDO.

5) Go to START > RUN and type in \\ANDROMEDA\RECORDINGS. See what
happens.

6) If that works ok, then on CORREO you need to give CORREO\RICARDO the
user rights to run as a service. See
http://help.globalscape.com/help/secureserver3/Log_the_server_on_as_a_service.htm
and
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/gp/546.mspx?mfr=true



If steps 1-5 still do not work, it could be some type of NTLM authentication
issue because Windows Server 2003 has some differences in how it
authenticates when compared to Windows 2000 Server. Check out the article
NTLM user authentication in Windows:
http://support.microsoft.com/kb/102716/en-us. Actually, if you have access,
try using a Windows XP or Windows Server 2003 computer instead of the
Windows 2000 Server computer.



--
Regards,
Martin X.
MCSA: M
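
Why identical local accounts on both machines work in a workgroup, as an added example that is not part of the original thread: a simplified Python model of how a stand-alone server resolves an incoming network logon, following the behaviour described in the NTLM article cited above. The class, method names, account table and password are constructed for illustration; real Windows compares NTLM challenge responses against stored hashes, not plain passwords.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ANONYMOUS = "NT AUTHORITY\\ANONYMOUS LOGON"


@dataclass
class StandaloneServer:
    """Constructed model of a workgroup (non-domain) file server."""
    name: str
    # lower-cased user name -> (canonical name, password); constructed sample data
    local_accounts: Dict[str, Tuple[str, str]]
    guest_enabled: bool = False

    def network_logon(self, domain: Optional[str], user: Optional[str],
                      password: Optional[str]) -> Optional[str]:
        """Return the identity the session gets on this server, or None on failure."""
        # A service running as LocalSystem on a workgroup machine has no
        # network credentials, so it connects as a null (anonymous) session.
        if user is None:
            return ANONYMOUS
        # A stand-alone server trusts no other domain. Whatever domain the
        # client names (CORREO, ".", a typo) is ignored and the user name is
        # looked up in the server's own account database.
        entry = self.local_accounts.get(user.lower())
        if entry is None:
            # Unknown user: Guest if that account is enabled, else failure.
            return f"{self.name}\\Guest" if self.guest_enabled else None
        canonical, stored_password = entry
        # Known user: the password must match; there is no Guest fallback.
        return f"{self.name}\\{canonical}" if password == stored_password else None


# Constructed sample: ANDROMEDA holds a local account "Ricardo".
PW = "constructed-sample-password"
ANDROMEDA = StandaloneServer("ANDROMEDA", {"ricardo": ("Ricardo", PW)})


def demo() -> Dict[str, Optional[str]]:
    """Cases from the thread: what identity does ANDROMEDA assign?"""
    return {
        # Service on CORREO runs as .\Ricardo (CORREO\Ricardo), same password.
        "matching account": ANDROMEDA.network_logon("CORREO", "Ricardo", PW),
        # Same user name but a different password on the two machines.
        "password mismatch": ANDROMEDA.network_logon("CORREO", "Ricardo", "other"),
        # Service left running as LocalSystem.
        "LocalSystem": ANDROMEDA.network_logon(None, None, None),
    }


if __name__ == "__main__":
    for case, identity in demo().items():
        print(f"{case:18} -> {identity}")
```

In this model the ACL entry for ANDROMEDA\Ricardo is matched only in the first case, which is why the account name shown on CORREO (".\Ricardo") does not have to equal the one shown on ANDROMEDA.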

Posted by Ricardo Vazquez on October 31, 2007, 1:57 pm
Great!! Thank you very much, Martin!
I have it working now!
But now I have another similar problem to ask about...

I have to go a step further:
My scenario so far was win2000 and win2003 without domain, in the same
working group; and my service running with the account "Ricardo", created
in both computers with the same name and password.

Now I need my service working in the following scenario:
- win2000 (CORREO) and win2003 (ANDROMEDA) **domain server**, that is: now
we have domain, which is: "ANDROMEDA2003.jusan"
- And I need my service account to be the services default account, that
is: "LocalSystem" (and not "Ricardo").

According to the documentation that I found on the internet, Local System
account appears on the network as DOMAIN\<machine name>$:
http://www.microsoft.com/technet/security/guidance/serversecurity/serviceaccount/sspgch02.mspx#EBH

So I have added CORREO as a computer at:
Active Directory Users and Computers
'- ANDROMEDA2003.jusan
'- Computers

And then I've given full control permission (both in Security and Shared
tabs), folder "Recordings", to CORREO$ (ANDROMEDA2003\CORREO$).

With this, my service running on CORREO should be able to write on
\\ANDROMEDA\Recordings... But it isn't! Again: Access denied.

What do you think of this?
Any other hints, or steps to follow...?

Kindest regards, thank you very much once again,

Ricardo.
