
Win2003 SP1 remotely restart service

Posted by PJ on June 14, 2005, 1:02 pm
Hi all,

I have a problem after updating Win2003 to SP1.
On one of our servers I enabled one of the users (not an Admin on the server) to
restart the IISADMIN service remotely (the user can do this from his workstation
using the Computer Management MMC console). But after upgrading the server to SP1
this functionality is broken - when the user starts Computer Management MMC on his
computer and connects to the server, he cannot enumerate services ("Access
Denied" error).

As I found - Win2003 SP1 changed SCM permissions :((

How can this be fixed?

Thank You.

Posted by Joe Richards [MVP] on June 15, 2005, 10:57 am
You can do two things.

The first is to use a tool that doesn't require enumerating the services in order
to manage them. This tool will also have to properly open the SCManager to allow
for this. Two tools fit this category to my knowledge right now:

sc.exe that comes with Windows Server 2003 SP1
svcutil - http://www.joeware.net/win/free/tools/svcutil.htm


Alternatively, you can reopen up the enumeration permissions for authenticated
users by modifying the ACL on the SCManager. For more info, please see

http://blog.joeware.net/2005/06/12/38/

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net




Posted by Grant on June 23, 2005, 2:31 pm
Hi Joe, I read your blog but am still confused. How would I enable a
standard domain user to restart 'Myservice' which is located on the domain
controller?

Could you provide an example of how you would achieve this?

Thanks for your help,
Grant






Posted by Joe Richards [MVP] on June 25, 2005, 7:38 pm
You would need to create an SDDL SD to apply with SC. Read about the SDDL format
here:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/security_descriptor_definition_language.asp

To go back to the old ACL in RTM, the SDDL string is

D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)


--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
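
The RTM ACL string quoted in the post above, decoded ACE by ACE, as an added example that is not part of the original thread and is not code from any poster or from Microsoft. It maps the SDDL right codes to the access-mask bits the Service Control Manager uses and lists which trustees hold the enumerate right (AU is Authenticated Users, SY is Local System, BA is Builtin Administrators); the function and constant names are assumptions made for this illustration.

```python
import re

# SDDL right codes -> access-mask bits as the Service Control Manager reads them.
BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
        "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
        "KA": 0xF003F}  # KA has the same value as SC_MANAGER_ALL_ACCESS
NAMES = {0x1: "SC_MANAGER_CONNECT", 0x2: "SC_MANAGER_CREATE_SERVICE",
         0x4: "SC_MANAGER_ENUMERATE_SERVICE", 0x8: "SC_MANAGER_LOCK",
         0x10: "SC_MANAGER_QUERY_LOCK_STATUS",
         0x20: "SC_MANAGER_MODIFY_BOOT_CONFIG", 0x10000: "DELETE",
         0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
ENUMERATE = 0x4
# The RTM ACL string quoted in the thread above.
RTM_SDDL = ("D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)"
            "S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")

def parse_dacl(sddl):
    """Return [(ace_type, trustee, mask)] for each ACE in the D: section."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + body)
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        if rights.lower().startswith("0x"):
            mask = int(rights, 16)  # rights may also be given as a hex mask
        else:
            if len(rights) % 2:
                raise ValueError("odd rights string: " + rights)
            mask = 0
            for code in re.findall("..", rights):
                mask |= BITS[code]  # KeyError on a code this table lacks
        aces.append((ace_type, trustee, mask))
    return aces

def describe(mask):
    """Names of the SCM rights set in mask, lowest bit first."""
    return [name for bit, name in NAMES.items() if mask & bit]

def who_can(sddl, bit):
    """Trustees with an allow ACE containing bit (deny ACEs are not evaluated)."""
    return [t for kind, t, mask in parse_dacl(sddl) if kind == "A" and mask & bit]

if __name__ == "__main__":
    for kind, trustee, mask in parse_dacl(RTM_SDDL):
        print(kind, trustee, hex(mask), describe(mask))
    print("can enumerate:", who_can(RTM_SDDL, ENUMERATE))
```

Running the same functions over a server's current SCManager descriptor (for example the output of `sc sdshow scmanager`) before and after a change shows exactly which trustees gain SC_MANAGER_ENUMERATE_SERVICE.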



