RE: Remotely Manage Windows Service

Hi John

The way that Microsoft would recommend you do this is by using the Security
Templates snap-in for MMC. If you load the snap-in and navigate to System
Services, you will see that after you 'Define this policy setting in this
template' you can then set security on any Service that you like.

Services have ACLs just like other resources on your server. Obviously, it's
now just a case of adding your user to the ACL on the Service and then saving
the policy.

Now apply the policy using the Security Configuration and Analysis MMC
snap-in.

I haven't gone into the finer detail here of click this, then that, but I'm
sure you'll work it out from these pointers.

Let us know how you get on.

Kind Regards

Ross



"john d" wrote:

I've tried multiple other services using the correct syntax indicated, but no
luck. Any other way to do this, perhaps a batch file?

"Erik Szewczyk [MVP]" wrote:

Your first command should have been:
sc \\server start w3svc
(hence the syntax error)

I'd try labbing this to make sure it's not an issue with your deployment.
I'd also use a service without the complex dependancies for testing.

Good luck,
Erik
--
MCSE:Messaging 2003, MVP

This post is provided "AS IS" and without warranty, expressed or implied. In
no event shall I be liable for any damages resulting from the application of
the posted content


"john d" wrote:

Not much luck with the SC command and I can't seem to find much of any
resources regarding this issue on the web. The sc results are below and I
have replaced the server and service names.

C:\sc start \\server w3svc
[SC] StartService: OpenService FAILED 123:

The filename, directory name, or volume label syntax is incorrect.


C:\sc \\server query
[SC] OpenSCManager FAILED 5:

Access is denied.


C:\sc \\server getkeyname servicename
[SC] OpenSCManager FAILED 5:

Access is denied.


Any ideas? If not to resolve this, perhaps another method for allowing a
remote user to start/stop a service without being an administrator.


"Erik Szewczyk [MVP]" wrote:

It's been a while since I've played with granting non-admins privilages to
services however as memory serves they arent going to be able to do it with
the MMC since they only get privilages over the service (not the database).

Some things to check/try:
* Make sure you've applied the policy with the "Configure Computer Now"
command (otherwise it will get defined in the database but never applied to
the computer).
* I'd also try starting/stopping the service using the "SC" command to see
if it also gets access denied.

Good luck,
Erik
--
MCSE:Messaging 2003, MVP

This post is provided "AS IS" and without warranty, expressed or implied. In
no event shall I be liable for any damages resulting from the application of
the posted content


"john d" wrote:

I need to allow a user to remotely start and stop a single designated service
on a 2003 server machine without making them a local administrator.

I attempted to use a security template on the server to specify permissions
for this user for the desired service as per KB 325349,
http://support.microsoft.com/kb/325349/en-us. However, the user still cannot
start or stop the service using both the MMC or the netsvc utility. When
using MMC, the error is "Unable to open service control manager database on
\\server Error 5: Access is denied." When using the netsvc command, the
error is also "Access is denied."

Please note that if I make the user a local administrator, they can access
all services via the MMC for the server, but the netsvc command still says
"Access is Denied". On the other hand, if I log in as one of the domain
admin accounts, which is also a member of the local administrator group, and
run the netsvc command, I can successfully start and stop the service.

At this point I am stuck and either need to resolve one of the existing
issues with MMC or NETSVC or come up with an alternate solution.


.

Relevant Pages

  • RE: Remotely Manage Windows Service
    ... In local security settings, under user rights assignment, can the user ... Services have ACLs just like other resources on your server. ... Now apply the policy using the Security Configuration and Analysis MMC ... all services via the MMC for the server, but the netsvc command still says ...
    (microsoft.public.windows.server.general)
  • Re: Security Config and Analysis issue
    ... I have member servers that we want to roll out a custom security template ... We created the template and verified the settings. ... when we re analyze we see a green check mark but when we go to the ... (not in the mmc), we still see power users and others that should have ...
    (microsoft.public.windows.server.security)
  • Re: Giving users permission to an MMC
    ... > Right click on .msc file, security and sharing, tab security, add user ... > CONFIDENTIALITY NOTICE ... > above and may contain confidential information. ... >> I have place the MMC on a share on the network and I would like to enable ...
    (microsoft.public.windows.server.security)
  • Re: problems with admin tools
    ... That simply doing a start / run of mmc does this is some ... received inherited permissions from Windows\System32 ... Restore XP to installation Security Defaults ... >>Microsoft MVP (Windows Server System: ...
    (microsoft.public.windowsxp.security_admin)
  • Catalog Error
    ... I'm very new at this and have no choice but to learn Server 2003 on my own. ... In my MMC I can add my server under Component Services But when I click on ... Please tell me what security I'm missing. ...
    (microsoft.public.inetserver.iis)