|
Posted by Charles on May 25, 2007, 6:35 pm
Please log in for more thread options >
>> This is probably the stupidest question in the world, but here goes.
>>
>> I am attempting to follow KB Article 325349
>> few services on a 2003 Server. You know, stop / start / change the
>> startup type those types of things.
>>
>> Hopefully someone has done this before and will follow what I am trying
>> to do and be able to assist.
>>
>> I would like to use method 2 in the article.
>>
>> Steps 1-4 go OK and I have no problemm with.
>>
>> Step 5 I leave the default location and I give a name of test
>>
>> Step 6 I am not sure which template I should import. I am given a choice
>> of 6 or 7 but how do I know which is the 1 I need?
>
> The KB is munged. Where it says
> "To use security templates to change permissions on system services,
> create a security template. To do this, follow these steps: "
> it is mixing up what capabilities the difference snap-ins provide.
>
> One creates, edits, saves templates with the Security Templates snap-in.
> One uses an existing database, or a new one, with import of a template,
> optionally clearing the sdb before the import with the Sec Config/Analysis
> snap-in much as indicated.
> I use an MMC with both (and some others), define a new template (which
> thus has no settings to start with) or a file copy of one of my earlier
> templates,
> adjust the template as needed with the Sec Templates snap-in, save it,
> import
> it into the Sec Config/Analysis snap-in with clearing of the database,
> analyze,
> review the match / mismatch with the existing reference system, iterate,
> until
> the template meets the intended spec. This template may then be imported
> into a GPO for application.
>>
>> Just to see what happens I choose securews.inf
>>
>> Steps 7 & 8 are pretty standard and easy enough to follow
>>
>> Step 9 I double click the service I am interested in (An Oracle Service
>> in this case) and choose to define the policy and edit security and add
>> the user that I want to be able to manipulate the service into the ACL
>> along with all the default stuff. If I click apply and OK, I am told to
>> "investigate" and if I then view the security again I see everything that
>
> told investigate before having reanalyzed ??
>
>> was there is now gone and "Everyone" has full control.
>
> I would highly recommend that you define groups and use those,
> instead of granting to accounts.
> Be very careful about "all the default stuff" as it may not be what is
> the current ACLing for the service being adjusted.
> If you are doing this on an XP, be aware there is a known error.
> Do this on W2k3 or a patched XP.
> http://support.microsoft.com/kb/894794
>
>>
>> At this point I back out of everything so as not to commit any changes.
>>
>
> Actually, use a Apply does commit changes.
>
>> Bottom line is I need to allow my Oracle DBA to start / stop and change
>> the startup type of these 4 Oracle services only and I do not want to
>> make them an Admin. Making them power users does not allow them to
>> change the startup type.
>>
>> Any thoughts on how to get through the parts of the KB article I am
>> having problems with?
>
> If you want to use GPOs to control permissions to services, see
> http://support.microsoft.com/kb/324802
> If you want it templated, see my comments above.
> If you only want a one-off change of permissions for a service on a
> machine
> consider use of the sc command on that machine. At cmd prompt, the sc
> utility has internal syntax help - you would be using the sdset
> subcommand.
Thanks a bunch Roger. I was able to accomplish my mission with SC SDSET
I appreciate your help.
Now to start a new thread with my next stupid question
| 
XML Sitemap