RE: Windows 2003 SP1 problem




Yes. I put in a tech support call with Microsoft and had them confirm
that there was indeed a change made. They confirmed that SQL DMO calls to
the service manager will fail if the user is not a system administrator on
the Server. The two workarounds are to:
1.) add the users to the system administrators group or
2.) change the SC manager permissions back to the original RTM settings.
Below is an excerpt of an email that Microsoft sent me after the incident
was closed:

Email Quote:
"
A brief explanation of the command that we used yesterday:

To display a service’s security descriptor using sddl:

C:\>sc sdshow scmanager

This is the SP1 info:

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

This is the RTM info:

D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)


Comparing the two shows that in the Windows 2003 RTM version, Authenticated users
have read and write permission. In SP1 they do not have this permission. They
do not even have LC (List Contents) permission on scmanager. The requisite
permissions were added to scmanager for Authenticated Users with the
following command:

SC.EXE sdset scmanager D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)


This adds the following permissions for authenticated users:

List Contents
Read All Properties
Read Permissions


This enabled sufficient access to the service control manager for
authenticated users.
"


"cfsHighland" wrote:

> Yes, I found the article and am having the same problem. I am not sure how
> to change permissions. Have you tried?
>
> "Ripul" wrote:
>
> > Hi,
> >
> > After I installed the SP1 on Windows 2003 Standard edition, I cannot connect
> > to the Service control manager database remotely. If I try to connect to it,
> > it gives me an Access denied error.
> >
> > I removed SP1 from Windows 2003 and I am able to connect to the service
> > control manager database. I tried running the SCW utility but it brings no
> > difference.
> >
> > Can anyone help me connecting to the service control manager remotely on a
> > windows 2003 box with SP1 installed?
> >
> > Thanks
> >
> >
.
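
The two descriptors quoted in the email above can be compared mechanically before running `sc sdset`. This is an added example, not part of the original post or of Microsoft's email: the function names are assumptions, the right names are the `SC_MANAGER_*` access rights that the SDDL codes correspond to on the service control manager object, and only allow ACEs in the DACL are handled.

```python
import re

# DACLs quoted in the post (output of `sc sdshow scmanager`).
SP1 = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)"
       "(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")
RTM = ("D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)"
       "S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")

# SDDL right codes and the access right each one means on the SCM object.
RIGHTS = {
    "CC": "SC_MANAGER_CONNECT",             # 0x0001
    "DC": "SC_MANAGER_CREATE_SERVICE",      # 0x0002
    "LC": "SC_MANAGER_ENUMERATE_SERVICE",   # 0x0004
    "SW": "SC_MANAGER_LOCK",                # 0x0008
    "RP": "SC_MANAGER_QUERY_LOCK_STATUS",   # 0x0010
    "WP": "SC_MANAGER_MODIFY_BOOT_CONFIG",  # 0x0020
    "SD": "DELETE", "RC": "READ_CONTROL",
    "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}

def decode(rights):
    """Expand a rights field such as 'CCLCRPRC' into a set of right names."""
    names = set()
    for code in re.findall("..", rights):
        # KA is 0xF003F, the same value as SC_MANAGER_ALL_ACCESS.
        names |= set(RIGHTS.values()) if code == "KA" else {RIGHTS[code]}
    return names

def dacl_rights(sddl):
    """Return {trustee: rights} for the allow ACEs in the D: part."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    result = {}
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, _flags, rights, _obj, _inherit, trustee = ace.split(";")
        if ace_type != "A":
            raise ValueError("only allow ACEs are handled: " + ace)
        result.setdefault(trustee, set()).update(decode(rights))
    return result

def diff(old, new):
    """Per trustee: (rights gained, rights lost) going from old to new."""
    a, b = dacl_rights(old), dacl_rights(new)
    changes = {}
    for t in sorted(set(a) | set(b)):
        gained, lost = b.get(t, set()) - a.get(t, set()), a.get(t, set()) - b.get(t, set())
        if gained or lost:
            changes[t] = (sorted(gained), sorted(lost))
    return changes

if __name__ == "__main__":
    for trustee, (gained, lost) in diff(SP1, RTM).items():
        print(trustee, "gains", gained, "loses", lost)
```

Run against the two strings, it reports that the RTM descriptor gives AU the enumerate, query-lock-status and read-control rights on top of connect, and that the separate IU and SU entries present in the SP1 descriptor are no longer there.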


