FTP is an IIS component, it uses a local logon so requires local logon rights. This is something that has always irked me about IIS.

As for stopping/starting services: if you have granted the proper ACL to the service, either via subinacl or GPO, a normal user CAN restart services remotely with SC or SVCUTIL or other tools that properly implement the SCM commands. Now there is a possible exception here. With Windows Server 2003 SP1 Microsoft was sneaky and changed the SCM ACL so that it can be manipulated like the normal service ACLs. Previously this wasn't possible. Not only did they do that, but they locked down the enumeration permissions for services remotely to administrators, though locally a normal user can enumerate. Unfortunately they, to my knowledge, didn't give a tool that I can find to undo this or at least open it up a little, and hence a lot of people who implemented basic service monitoring with normal IDs (LUA principal) are now all breaking and simple delegation of service stop/start remotely is broken for a lot of people. I am looking into writing a tool to be able to modify this ACL; I was hoping that MS would announce something though. If you are working with 2K3 SP1, this could be your issue.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Saturday, June 11, 2005 4:13 PM
To: [email protected]; [email protected]
Subject: RE : [ActiveDir] User privilege on Server.
Hi joe ;)

Indeed, my question was rather about starting/stopping a service with a command line.

I want a user with non-admin privileges to do a net start "service name" remotely from his workstation by a command line.

By default, I authorized only the Local Admin Group on my server to log on locally. With this configuration, the user could not start the service remotely with his credentials and the following error appeared: "AccesDenied" :( . BUT, when I give the user the privilege to log on locally, the user can start the service !!??

The same error appears with my FTP server when users try to connect via ftp, and for this server, I give the log on locally right to "authenticated users" (this only for intranet access and public access).

Cheers,
Yann

From: [EMAIL PROTECTED] on behalf of joe
Date: Sat. 11/06/2005 18:44
To: [email protected]
Subject: RE: [ActiveDir] User privilege on Server.

> launch a command

What specifically do you mean by this? Do you mean
launch a console based command or something that runs locally on the server? If
so, what for? This could easily be a security risk.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Saturday, June 11, 2005 7:55 AM
To: [email protected]
Subject: [ActiveDir] User privilege on Server.
Hi :)
I'd like to give a non-admin user the right to start a service, launch a command, etc. on my file server without giving him admin privileges (admin, serverop, backupop rights) on my file server or using the runas command.

Is this possible?
Regards,
Yann
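
Added example, not part of the original thread: joe's reply at the top says a non-admin can start and stop a service remotely once the service's own ACL grants it. The Python sketch below parses a service DACL in SDDL form (as printed by `sc sdshow <service>`), computes what a set of trustees may do, and flags allow ACEs that hand non-admins more than start/stop. The SDDL strings and the SID are constructed samples, and the function names are this example's own.

```python
import re

# SDDL right codes as they apply to a service object.
SERVICE_RIGHTS = {
    "CC": "query_config", "DC": "change_config", "LC": "query_status",
    "SW": "enumerate_dependents", "RP": "start", "WP": "stop",
    "DT": "pause_continue", "LO": "interrogate", "CR": "user_defined_control",
    "SD": "delete", "RC": "read_control", "WD": "write_dac", "WO": "write_owner",
}
# Rights that let the holder repoint or re-ACL the service (escalation risk).
DANGEROUS = {"change_config", "write_dac", "write_owner"}

# Constructed samples: a delegated start/stop ACE for one user SID, and an
# over-broad ACE giving Authenticated Users change_config.
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
DELEGATED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWLOCRRC;;;IU)(A;;RPWPLC;;;" + USER_SID + ")"
             "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
OVERBROAD = "D:(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"

def parse_dacl(sddl):
    """Return [(ace_type, trustee, rights)] for the DACL; the SACL is skipped."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        ace_type, _flags, rights, _obj, _inh, trustee = body.split(";")[:6]
        if rights.startswith("0x"):      # hex masks are reported verbatim
            names = {rights}
        else:                            # unknown codes (GA, GR, ...) stay raw
            names = {SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                     for i in range(0, len(rights), 2)}
        aces.append((ace_type, trustee, names))
    return aces

def effective_rights(sddl, trustees):
    """Rights for a set of SIDs/aliases, assuming canonical order (deny wins)."""
    allowed, denied = set(), set()
    for ace_type, trustee, names in parse_dacl(sddl):
        if trustee in trustees and ace_type in ("A", "D"):
            (allowed if ace_type == "A" else denied).update(names)
    return allowed - denied

def risky_grants(sddl, admins=("BA", "SY")):
    """Map each non-admin trustee to the dangerous rights an allow ACE gives it."""
    return {t: sorted(n & DANGEROUS) for a, t, n in parse_dacl(sddl)
            if a == "A" and t not in admins and n & DANGEROUS}
```

Pass `effective_rights` every SID and well-known alias in the user's token (for example the user SID plus `IU` or `AU`), since the check here does no group expansion of its own.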
