RE: Remotely Manage Windows Service



Oh what an arse I am - you already said you read an MS article that told you
how to do that.

Can the user map to the IPC$ share using their credentials?

In local security settings, under user rights assignment, can the user
access this computer from across the network and log on locally?

If you look at the registry hive HKLM\System\CurrentControlSet\Services
does the user have permissions to read?

Sorry about the crappy post earlier. Last suggestion would be to enable
auditing on the server and look in the security event log after you get an
access denied - this should at least tell you the whys and wherefores...

"Ross" wrote:

Hi John

The way that Microsoft would recommend you do this is by using the Security
Templates snap-in for MMC. If you load the snap-in and navigate to System
Services, you will see that after you 'Define this policy setting in this
template' you can then set security on any Service that you like.

Services have ACLs just like other resources on your server. Obviously, it's
now just a case of adding your user to the ACL on the Service and then saving
the policy.

Now apply the policy using the Security Configuration and Analysis MMC
snap-in.

I haven't gone into the finer detail here of click this, then that, but I'm
sure you'll work it out from these pointers.

Let us know how you get on.

Kind Regards

Ross



"john d" wrote:

I've tried multiple other services using the correct syntax indicated, but no
luck. Any other way to do this, perhaps a batch file?

"Erik Szewczyk [MVP]" wrote:

Your first command should have been:
sc \\server start w3svc
(hence the syntax error)

I'd try labbing this to make sure it's not an issue with your deployment.
I'd also use a service without the complex dependencies for testing.

Good luck,
Erik
--
MCSE:Messaging 2003, MVP

This post is provided "AS IS" and without warranty, expressed or implied. In
no event shall I be liable for any damages resulting from the application of
the posted content


"john d" wrote:

Not much luck with the SC command and I can't seem to find much of any
resources regarding this issue on the web. The sc results are below and I
have replaced the server and service names.

C:\sc start \\server w3svc
[SC] StartService: OpenService FAILED 123:

The filename, directory name, or volume label syntax is incorrect.


C:\sc \\server query
[SC] OpenSCManager FAILED 5:

Access is denied.


C:\sc \\server getkeyname servicename
[SC] OpenSCManager FAILED 5:

Access is denied.


Any ideas? If not to resolve this, perhaps another method for allowing a
remote user to start/stop a service without being an administrator.


"Erik Szewczyk [MVP]" wrote:

It's been a while since I've played with granting non-admins privileges to
services; however, as memory serves, they aren't going to be able to do it with
the MMC since they only get privileges over the service (not the database).

Some things to check/try:
* Make sure you've applied the policy with the "Configure Computer Now"
command (otherwise it will get defined in the database but never applied to
the computer).
* I'd also try starting/stopping the service using the "SC" command to see
if it also gets access denied.

Good luck,
Erik
--
MCSE:Messaging 2003, MVP

This post is provided "AS IS" and without warranty, expressed or implied. In
no event shall I be liable for any damages resulting from the application of
the posted content


"john d" wrote:

I need to allow a user to remotely start and stop a single designated service
on a 2003 server machine without making them a local administrator.

I attempted to use a security template on the server to specify permissions
for this user for the desired service as per KB 325349,
http://support.microsoft.com/kb/325349/en-us. However, the user still cannot
start or stop the service using either the MMC or the netsvc utility. When
using MMC, the error is "Unable to open service control manager database on
\\server Error 5: Access is denied." When using the netsvc command, the
error is also "Access is denied."

Please note that if I make the user a local administrator, they can access
all services via the MMC for the server, but the netsvc command still says
"Access is Denied". On the other hand, if I log in as one of the domain
admin accounts, which is also a member of the local administrator group, and
run the netsvc command, I can successfully start and stop the service.

At this point I am stuck and either need to resolve one of the existing
issues with MMC or NETSVC or come up with an alternate solution.
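
The thread distinguishes rights on a service from rights on the service control manager database. The following PowerShell is an added example, not code from any poster: it reads both security descriptors as SDDL and reports which rights a set of SIDs is granted on each. The function name, the SIDs and the two SDDL strings are constructed for illustration.

```powershell
# Access-mask bits from winsvc.h, with the SDDL letters that encode them.
$ServiceRights = [ordered]@{
    QueryStatus = 0x0004   # "LC"
    Start       = 0x0010   # "RP"
    Stop        = 0x0020   # "WP"
}
$ScmRights = [ordered]@{
    Connect   = 0x0001     # "CC": required before any service can be opened
    Enumerate = 0x0004     # "LC": required to list services
}

# Hypothetical helper: rights from $RightMap that the DACL in $Sddl grants to any
# SID in $Sids. Simplified: any matching deny ACE wins, and generic rights
# (GA/GR/GW/GX) are not expanded.
function Get-GrantedRights {
    param([string]$Sddl, [string[]]$Sids, [System.Collections.IDictionary]$RightMap)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    $allow = 0; $deny = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($Sids -notcontains $ace.SecurityIdentifier.Value) { continue }
        switch ($ace.AceQualifier) {
            'AccessAllowed' { $allow = $allow -bor $ace.AccessMask }
            'AccessDenied'  { $deny  = $deny  -bor $ace.AccessMask }
        }
    }
    $effective = $allow -band (-bnot $deny)
    $RightMap.Keys | Where-Object { ($effective -band $RightMap[$_]) -eq $RightMap[$_] }
}

# Constructed sample data. On a real host an administrator would take the strings from
#   sc.exe \\server sdshow <servicename>    and    sc.exe \\server sdshow scmanager
$user     = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # constructed user SID
$userSids = $user, 'S-1-5-11'                                   # plus Authenticated Users

# Service DACL: the user has been granted query status, start and stop.
$serviceSd = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
             "(A;;LCRPWPRC;;;$user)"
# SCM DACL: only SYSTEM and Administrators are listed, so the user cannot connect.
$scmSd     = 'D:(A;;CCLCRPRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'

'Service rights: ' + ((Get-GrantedRights $serviceSd $userSids $ServiceRights) -join ', ')
'SCM rights:     ' + ((Get-GrantedRights $scmSd $userSids $ScmRights) -join ', ')
```

With these sample descriptors the user holds start and stop on the service but no connect right on the SCM, which is one condition under which OpenSCManager returns error 5 before the service ACL is ever consulted.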

