
start/stop service as user from task scheduler

Posted by Thomas Kratz on April 3, 2006, 11:25 am
Hi,

I am unsuccessfully trying to start/stop a service from the task scheduler
under a "normal" user account (the same domain user account the service
runs as).

Generally, I seem to have set up things correctly, as starting a command
shell as the user and issuing a "net start <service>" works as expected.

However running the same command as a scheduled task fails with net.exe
giving the following message:

System error 5 has occurred.
Access is denied.

I have enabled all possible audit settings and found only one error
message (Event-Id 560) stating:

Object Open:
        Object Server:        SC Manager
        Object Type:        SC_MANAGER OBJECT
        Object Name:        ServicesActive
        Handle ID:        -
        Operation ID:        
        Process ID:        552
        Image File Name:        C:\WINDOWS\system32\services.exe
        Primary User Name:        AMST01$
        Primary Domain:        LRP-HZ
        Primary Logon ID:        (0x0,0x3E7)
        Client User Name:        amst01_xe
        Client Domain:        LRP-HZ
        Client Logon ID:        (0x0,0x9A9D3)
        Accesses:        READ_CONTROL
                        Connect to service controller
                        Enumerate services
                        Query service database lock state
        Privileges:        -
        Restricted Sid Count:        0
        Access Mask:        0x20015

It seems that a user who is logged on via the task manager, doesn't get
the same privileges as if he was logged on interactively.

Making the user a member of the local administrator group works, but that
is exactly the thing I want to avoid.

Is there a way to fix this?

TIA,
Thomas




Posted by Thomas Kratz on April 3, 2006, 11:32 am
Oh, I forgot to mention this is on a Windows 2003 SP1 server with the
most recent patches applied

Thomas

Posted by Paul Adare on April 3, 2006, 11:43 am
microsoft.public.windows.server.security news group, Thomas Kratz

> I am unsuccessfully trying to start/stop a service from the task scheduler
> under a "normal" user account (the same domain user account the service
> runs as).
>
> Generally, I seem to have set up things correctly, as starting a command
> shell as the user and issuing a "net start <service>" works as expected.
>

The net.exe command invokes the command prompt when called. In Windows
Server 2003, the command prompt, cmd.exe, has been locked down. The
special group Interactive has permissions on cmd.exe which explains why
you are able to do this while logged on as the user in question. You'll
need to grant the user, or a group the user belongs to Read, Read and
Execute permissions on cmd.exe.

--
Paul Adare - MVP Virtual Machines
"It all began with Adam. He was the first man to tell a joke--or a lie.
How lucky Adam was. He knew when he said a good thing, nobody had said
it before. Adam was not alone in the Garden of Eden, however, and does
not deserve all the credit; much is due to Eve, the first woman, and
Satan, the first consultant." - Mark Twain

Posted by Thomas Kratz on April 3, 2006, 11:59 am
Paul Adare wrote:
> microsoft.public.windows.server.security news group, Thomas Kratz
>
>
>>I am unsuccessfully trying to start/stop a service from the task scheduler
>>under a "normal" user account (the same domain user account the service
>>runs as).
>>
>>Generally, I seem to have set up things correctly, as starting a command
>>shell as the user and issuing a "net start <service>" works as expected.
>>
>
>
> The net.exe command invokes the command prompt when called. In Windows
> Server 2003, the command prompt, cmd.exe, has been locked down. The
> special group Interactive has permissions on cmd.exe which explains why
> you are able to do this while logged on as the user in question. You'll
> need to grant the user, or a group the user belongs to Read, Read and
> Execute permissions on cmd.exe.
>

Been there, done that :-) I have granted the needed rights to the special
group BATCH.

cmd.exe is invoked correctly and I get the access denied error message
from net.exe itself.

I checked it with "net stop w32time" as the same user which correctly gives:

System error 5 has occurred.

Access is denied.

Thomas

Posted by Thomas Kratz on April 3, 2006, 12:46 pm
Simply replacing "net start" with "sc start" solves the problem.

I guess net.exe is trying to use some lanmanager functionality to get the
credentials for the call to the service manager or something like that.
Who knows without the sources?

However: problem solved.

Thomas
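
Added example, not part of the original thread: a small access check that decodes the Access Mask 0x20015 from the Event 560 above and evaluates it against an SC Manager DACL for an interactive and a batch (scheduled task) logon. The SDDL string and the two token group sets are constructed assumptions, not values read from the poster's server; compare with the real descriptor from "sc sdshow scmanager" where that command is available.

```python
import re

# SDDL right codes and the SC Manager access bits they stand for.
RIGHTS = {
    "CC": (0x00001, "SC_MANAGER_CONNECT"),
    "DC": (0x00002, "SC_MANAGER_CREATE_SERVICE"),
    "LC": (0x00004, "SC_MANAGER_ENUMERATE_SERVICE"),
    "SW": (0x00008, "SC_MANAGER_LOCK"),
    "RP": (0x00010, "SC_MANAGER_QUERY_LOCK_STATUS"),
    "WP": (0x00020, "SC_MANAGER_MODIFY_BOOT_CONFIG"),
    "RC": (0x20000, "READ_CONTROL"),
}
ALL_ACCESS = 0xF003F      # SDDL "KA"; same value as SC_MANAGER_ALL_ACCESS
EVENT_560_MASK = 0x20015  # "Access Mask" from the audit event in the thread

# Constructed DACL (assumption): connect-only for Authenticated Users (AU),
# enumerate/query-lock/read-control only for Interactive (IU), Service (SU),
# Local System (SY); everything for Builtin Administrators (BA).
SAMPLE_SDDL = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)"
               "(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)")

def decode_mask(mask):
    """Names of the SC Manager rights set in an access mask."""
    return [name for bit, name in RIGHTS.values() if mask & bit]

def parse_dacl(sddl):
    """Yield (ace_type, mask, trustee) for each ACE in the D: section."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, _flags, rights, _obj, _inherit, trustee = ace.split(";")[:6]
        mask = 0
        for code in re.findall("..", rights):
            mask |= ALL_ACCESS if code == "KA" else RIGHTS[code][0]
        yield ace_type, mask, trustee

def access_check(sddl, token_sids, desired):
    """All-or-nothing check; ACEs are walked in order, first match per bit wins."""
    granted = denied = 0
    for ace_type, mask, trustee in parse_dacl(sddl):
        if trustee not in token_sids:
            continue
        if ace_type == "A":
            granted |= mask & ~denied
        elif ace_type == "D":
            denied |= mask & ~granted
    return granted & desired == desired

INTERACTIVE = {"AU", "IU"}   # assumed groups for a console logon
BATCH = {"AU", "S-1-5-3"}    # assumed groups for a scheduled-task (batch) logon

if __name__ == "__main__":
    print(decode_mask(EVENT_560_MASK))
    for label, sids in (("interactive", INTERACTIVE), ("batch", BATCH)):
        print(label, access_check(SAMPLE_SDDL, sids, EVENT_560_MASK))
```

Under this sample DACL the batch token passes a connect-only request (0x1) but fails the full 0x20015 request, while adding BA to the token passes it, which matches the local Administrators observation in the first post.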
