|
Posted by Brian Stoop on May 18, 2009, 1:46 pm
Please log in for more thread options
I've joined Windows 2008 Server to Windows 2003 domain and installed a
Windows Service, that logons on as a domain account in Domain Administrators
group.
On Windows 2003 Servers, all works fine.
On the 2008 Server, the service cannot contact the Eventlog, cannot open
keys in the registry ... nothing is allowed.
If I log into the 2008 Server as that domain account, and I can access
Registy / Event log, it works. Why does it fail for the account when used
by the Windows Service ?
Thanks, Brian
|
|
Posted by Meinolf Weber [MVP-DS] on May 19, 2009, 2:06 am
Please log in for more thread options
Hello Brian,
Even a domain admin on 2008 machines is restricted, that belong's to UAC.
I asume that will be the reason when running as a service, that some permissions
are needed, one i can think of is "Logon as a batch job".
Additional it can belong to UAC(disabling is the badest option in my opinion)
GPO setting:
Computer Configuration, Windows Settings Security Settings, Local Policies,
Security Options, in the right pane you will find some UAC options.
Check:
- User Account Control: Behavior of the elevation prompt for administrators
- User Account Control: Detect application installations and prompt for elevation
- User Account Control: Run all administrators in Admin Approval Mode
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
show/hide quoted text
> I've joined Windows 2008 Server to Windows 2003 domain and installed a
> Windows Service, that logons on as a domain account in Domain
> Administrators group.
>
> On Windows 2003 Servers, all works fine.
> On the 2008 Server, the service cannot contact the Eventlog, cannot
> open
> keys in the registry ... nothing is allowed.
> If I log into the 2008 Server as that domain account, and I can access
> Registy / Event log, it works. Why does it fail for the account when
> used by the Windows Service ?
>
> Thanks, Brian
>
|
|
Posted by Brian Stoop on May 19, 2009, 12:00 pm
Please log in for more thread options Hi,
The Domain Server is Windows 2003. When I run the Group Policy editor, there
are no UAC settings visible ?
I run Group Policy Editor on the Windows 2008 member sever. I have tried all
the settings you indicated, and have run gpupdate also, but the problem
persists.
Is there anything else I could try ?
thanks, B
show/hide quoted text
> Hello Brian,
> Even a domain admin on 2008 machines is restricted, that belong's to UAC.
> I asume that will be the reason when running as a service, that some
> permissions are needed, one i can think of is "Logon as a batch job".
> Additional it can belong to UAC(disabling is the badest option in my
> opinion) GPO setting:
> Computer Configuration, Windows Settings Security Settings, Local
> Policies, Security Options, in the right pane you will find some UAC
> options.
> Check:
> - User Account Control: Behavior of the elevation prompt for
> administrators
> - User Account Control: Detect application installations and prompt for
> elevation
> - User Account Control: Run all administrators in Admin Approval Mode
> Best regards
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>> I've joined Windows 2008 Server to Windows 2003 domain and installed a
>> Windows Service, that logons on as a domain account in Domain
>> Administrators group.
>> On Windows 2003 Servers, all works fine.
>> On the 2008 Server, the service cannot contact the Eventlog, cannot
>> open
>> keys in the registry ... nothing is allowed.
>> If I log into the 2008 Server as that domain account, and I can access
>> Registy / Event log, it works. Why does it fail for the account when
>> used by the Windows Service ?
>> Thanks, Brian
>
|
|
Posted by Brian Stoop on May 19, 2009, 7:34 pm
Please log in for more thread options I disabled UAC and the application is now working.
Thanks, for you help, Brian
show/hide quoted text
> Hi,
> The Domain Server is Windows 2003. When I run the Group Policy editor,
> there are no UAC settings visible ?
> I run Group Policy Editor on the Windows 2008 member sever. I have tried
> all the settings you indicated, and have run gpupdate also, but the
> problem persists.
> Is there anything else I could try ?
> thanks, B
>> Hello Brian,
>> Even a domain admin on 2008 machines is restricted, that belong's to UAC.
>> I asume that will be the reason when running as a service, that some
>> permissions are needed, one i can think of is "Logon as a batch job".
>> Additional it can belong to UAC(disabling is the badest option in my
>> opinion) GPO setting:
>> Computer Configuration, Windows Settings Security Settings, Local
>> Policies, Security Options, in the right pane you will find some UAC
>> options.
>> Check:
>> - User Account Control: Behavior of the elevation prompt for
>> administrators
>> - User Account Control: Detect application installations and prompt for
>> elevation
>> - User Account Control: Run all administrators in Admin Approval Mode
>> Best regards
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> I've joined Windows 2008 Server to Windows 2003 domain and installed a
>>> Windows Service, that logons on as a domain account in Domain
>>> Administrators group.
>>> On Windows 2003 Servers, all works fine.
>>> On the 2008 Server, the service cannot contact the Eventlog, cannot
>>> open
>>> keys in the registry ... nothing is allowed.
>>> If I log into the 2008 Server as that domain account, and I can access
>>> Registy / Event log, it works. Why does it fail for the account when
>>> used by the Windows Service ?
>>> Thanks, Brian
>
|
|
Posted by Meinolf Weber [MVP-DS] on May 20, 2009, 1:37 am
Please log in for more thread options Hello Brian,
Policies for 2008/vista you have to configire from 2008/Vista with RSAT
installed.
So install RSAT from the server manager, features and create with that a
GPO in the domain for your needs.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
show/hide quoted text
> Hi,
>
> The Domain Server is Windows 2003. When I run the Group Policy editor,
> there are no UAC settings visible ?
>
> I run Group Policy Editor on the Windows 2008 member sever. I have
> tried all the settings you indicated, and have run gpupdate also, but
> the problem persists.
>
> Is there anything else I could try ?
>
> thanks, B
>
>
>> Hello Brian,
>>
>> Even a domain admin on 2008 machines is restricted, that belong's to
>> UAC. I asume that will be the reason when running as a service, that
>> some permissions are needed, one i can think of is "Logon as a batch
>> job".
>>
>> Additional it can belong to UAC(disabling is the badest option in my
>> opinion) GPO setting:
>> Computer Configuration, Windows Settings Security Settings, Local
>> Policies, Security Options, in the right pane you will find some UAC
>> options.
>> Check:
>> - User Account Control: Behavior of the elevation prompt for
>> administrators
>> - User Account Control: Detect application installations and prompt
>> for
>> elevation
>> - User Account Control: Run all administrators in Admin Approval Mode
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> I've joined Windows 2008 Server to Windows 2003 domain and installed
>>> a Windows Service, that logons on as a domain account in Domain
>>> Administrators group.
>>>
>>> On Windows 2003 Servers, all works fine.
>>> On the 2008 Server, the service cannot contact the Eventlog, cannot
>>> open
>>> keys in the registry ... nothing is allowed.
>>> If I log into the 2008 Server as that domain account, and I can
>>> access
>>> Registy / Event log, it works. Why does it fail for the account
>>> when
>>> used by the Windows Service ?
>>> Thanks, Brian
>>>
|
| Similar Threads | Posted | | The security of this directory server can be significantly enhanced - windows 2008 | June 12, 2008, 7:32 pm |
| Windows 2008 CA can't issue to Windows 2003 server | June 25, 2008, 11:53 am |
| RDP over VPN to Windows Server 2008 | November 5, 2008, 11:46 am |
| Windows Server 2008 UAC | April 1, 2009, 8:01 am |
| RDP on Windows 2008 Server | July 14, 2009, 10:39 am |
| Re: Windows 2008 dcom security problems | August 29, 2009, 12:31 am |
| Problem in Windows server 2008 R2 | January 17, 2010, 2:31 am |
| Access Denied Windows 2008 Changing Security | August 13, 2009, 2:06 pm |
| Re: Setting up LDAPs on Windows Server 2008 | March 5, 2009, 5:04 pm |
| Can not get machine certificate from CA on Windows Server 2008 | March 28, 2009, 5:57 am |
|
XML Sitemap
> Windows Service, that logons on as a domain account in Domain
> Administrators group.
>
> On Windows 2003 Servers, all works fine.
> On the 2008 Server, the service cannot contact the Eventlog, cannot
> open
> keys in the registry ... nothing is allowed.
> If I log into the 2008 Server as that domain account, and I can access
> Registy / Event log, it works. Why does it fail for the account when
> used by the Windows Service ?
>
> Thanks, Brian
>