Re: Trying to configure group policies on a stand alone server.




On May 13, 10:32 pm, "Ace Fekay [MVP]" <PleaseAs...@xxxxxxxxxxxxxx>
wrote:
Innews:1179109518.871016.44580@xxxxxxxxxxxxxxxxxxxxxxxxxxxx,
ttysn...@xxxxxxxxx <ttysn...@xxxxxxxxx> typed:



I'm trying to run a service as a user account on a stand-alone Win2k
server. When I try to run the service using 'net start srvname' I get:

"System error 5 has occurred.

Access is denied."

A quick Google led me to this KB article that I'm 90% sure is my
current problem: http://support.microsoft.com/?kbid=256299

Its resolution involves using 'Active Directory Users and Computers'
to reconfigure the permissions for the user and/or its group. When I
try to run dsa.msc I get an error message, 'To manage users and groups
on this computer, use local users and groups. To manage users, groups
and computers in a domain, log on as a user with Domain Administration
rights.'

'Local Users and Groups' doesn't seem to have any advanced permissions
tabs or ability to do much except add/remove users and change their
groups.

So my question is how do I edit group/user policies and add 'service
read' privileges to a user/group on a server without a domain
controller?

Thanks for any info. It's probably a simple answer involving a
non-default tool but I couldn't find anything on Google.
-Zim

It really doesn't work that way with stand alone machines. However you can
get into the machine's local GP by typing 'gpedit.msc' and apply local
policy settings to local users only on a stand alone machine. The local
security policy can be accessed by going to Start, Administrative Tools,
Local Security Policy.

What type of settings were you looking for or expecting in a local user
properties compared to a domain user properties?

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations

Having difficulty reading or finding responses to your post?
Instead of the website you're using, try using OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. Anonymous access. It's free - no username or password
required nor do you need a Newsgroup Usenet account with your ISP. It
connects directly to the Microsoft Public Newsgroups. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject. It's easy:

How to Configure OEx for Internet News: http://support.microsoft.com/?id=171164

"Quitting smoking is easy. I've done it a thousand times." - Mark Twain

According to http://support.microsoft.com/?kbid=256299, "When you add
a user through Group Policy Editor in the System Service Security
Policy, the default permissions are start, stop, and pause.", the
problem I'm having is caused by, "This behavior occurs because you
need the following permissions to open the properties of a service,
and to stop, start, or pause a service: Read, Stop, Start, and Pause."

So if I'm understanding it right I need to give the user or the user's
group the read service permission for it to be able to start/stop a
service. The KB article only tells of one way to do this through
'Active Directory Users and Computers.'

So what I'm looking for is how to give a user or a group the read
service permission without using 'Active Directory Users and
Computers'.
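
The condition quoted from the KB article (start, stop and pause granted without read) can be checked directly against a service's security descriptor. The following is an added example, not part of the original thread: it assumes the descriptor is available as an SDDL string and takes "Read" to mean the generic-read set for services; the function names and the sample descriptor are constructed for illustration.

```python
import re

# SDDL two-letter codes and their access-mask bits on service objects.
BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
        "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
        "WD": 0x40000, "WO": 0x80000}
# Assumption: "Read" = query config + query status + enumerate dependents
# + interrogate + read control; "control" = start, stop, pause/continue.
READ = BITS["CC"] | BITS["LC"] | BITS["SW"] | BITS["LO"] | BITS["RC"]
CONTROL = BITS["RP"] | BITS["WP"] | BITS["DT"]

def allow_masks(sddl):
    """Return {trustee: access mask} from the allow ACEs of the DACL."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    masks = {}
    if not dacl:
        return masks
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] != "A":
            continue  # deny, audit and malformed entries are not evaluated
        rights, trustee = fields[2], fields[5]
        if rights.lower().startswith("0x"):
            mask = int(rights, 16)
        else:  # unknown codes (e.g. generic rights) contribute nothing
            mask = 0
            for code in re.findall("..", rights):
                mask |= BITS.get(code, 0)
        masks[trustee] = masks.get(trustee, 0) | mask
    return masks

def control_without_read(sddl):
    """Trustees that may start/stop/pause but lack part of the read set."""
    return sorted(t for t, m in allow_masks(sddl).items()
                  if m & CONTROL and (m & READ) != READ)

# Constructed sample descriptor (not taken from a real host).
USER = "S-1-5-21-1111111111-2222222222-3333333333-1005"
SAMPLE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
          "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
          "(A;;RPWPDT;;;" + USER + ")"
          "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    print(control_without_read(SAMPLE))
```

A trustee reported by `control_without_read` matches the situation the KB article describes: the account holds start, stop and pause but not the read rights needed to open the service.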
