I will check your blog and SvcUtil right now :)
Thanks for all your feedback and your work.
Cheers,
Yann
From: [EMAIL PROTECTED] on behalf of joe
Date: Sun. 12/06/2005 18:19
To: [email protected]
Subject: RE: [ActiveDir] User privilege on Server.
I have updated SvcUtil to work within these new confines. If you know the service name, you can control it and view its status remotely with SvcUtil now.
Also I determined that the version of SC that comes with SP1 will also do this. I am not sure if you can copy that file to non-SP1 machines in terms of licensing, but I will say that theoretically you can do this and it will work.
I put out a little blog entry on this.
If you have any tools that you used to previously use to do this stopping/starting/monitoring of services remotely from non-admin accounts that no longer work, contact the vendor and let them know they need to correct the issue and that the correction is not to make the userid an Admin.
I am going to look at putting something together to modify that ACL, no promises on time frame. It could be this afternoon or it could be three months from now depending on what I feel like doing and how hard it will be to implement something to do this.
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Sunday, June 12, 2005 8:46 AM
To: [email protected]; [email protected]
Subject: RE : [ActiveDir] User privilege on Server.
Joe, that's exactly what I am experiencing since I installed Windows 2003 SP1 (did I mention my OS version and SP? Oops... sorry :)). I was excited about the new security enhancements of SP1. BUT I've lost functionality I had configured, such as starting services remotely as a non-admin user... :(
While I understand that MS hardened their OS, I am a bit disappointed that they did it without alerting us that SP1 would change this or the previous configuration I had made.
We can imagine such a process for installing SP1: the SP1 install wizard would check the current configuration and compare it to the "after applying SP1" state. The wizard would then generate a delta summary telling us what SP1 will change and where in the registry.
But that's just me...
Thank you very much for your feedback.
"I am looking into writing a tool to be able to modify this ACL" -> and please let us know when your tool will be available, I think this will be very helpful :o)
Cheers,
Yann
From: [EMAIL PROTECTED] on behalf of joe
Date: Sun. 12/06/2005 02:14
To: [email protected]
Subject: RE: [ActiveDir] User privilege on Server.
FTP is an IIS component, it uses a local logon so requires local logon rights. This is something that has always irked me about IIS.
As for stopping/starting services. If you have granted the proper ACL to the service either via subinacl or gpo a normal user CAN restart services remotely with SC or SVCUTIL or other tools that properly implement the SCM commands. Now there is a possible exception here. With Windows Server 2003 SP1 Microsoft was sneaky and changed the SCM ACL so that it can be manipulated like the normal service ACLs. Previously this wasn't possible. Not only did they do that, but they locked down the enumeration permissions for services remotely to administrators, though locally a normal user can enumerate. Unfortunately they, to my knowledge, didn't give a tool that I can find to undo this or at least open it up a little and hence a lot of people who implemented basic service monitoring with normal IDs (LUA principal) are now all breaking and simple delegation of service stop/start remotely is broken for a lot of people. I am looking into writing a tool to be able to modify this ACL, I was hoping that MS would announce something though. If you are working with 2K3 SP1, this could be your issue.
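An added example, not from the thread and not joe's SvcUtil: a small Python helper for the service-ACL delegation joe describes here and in his later note about SC in SP1. It reads the SDDL string that `sc sdshow <service>` prints, reports which principal holds SERVICE_START (RP) and SERVICE_STOP (WP), and builds the allow ACE you would append (the same edit subinacl or `sc sdset` applies) to let a non-admin group control a service without making it an Admin. The sample DACL and the group SID are constructed; the two-letter rights mapping is the standard service-object mapping from the Win32 SDK.

```python
import re
# Service-object rights as SDDL two-letter codes (what "sc sdshow <svc>" prints).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Constructed sample in the shape of the stock per-service DACL on Windows Server
# 2003: SYSTEM (SY) and Administrators (BA) may start/stop, Interactive (IU) and
# Service (SU) principals may only query status.
SERVICE_SD = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
OPS_GROUP = "S-1-5-21-1000-2000-3000-1107"  # constructed SID of a non-admin operators group
ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_dacl(sddl):
    """Return [(ace_type, {right codes}, sid)] per ACE in the D: section (two-letter codes only, no hex masks)."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # drop owner/group and SACL
    aces = []
    for body in ACE_RE.findall(dacl):
        f = body.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
        aces.append((f[0], {f[2][i:i + 2] for i in range(0, len(f[2]), 2)}, f[5]))
    return aces

def effective_rights(sddl, sid):
    """Rights allowed to exactly `sid` minus rights denied to it (deny wins).
    Simplification: literal SID match, no group-membership expansion."""
    allowed, denied = set(), set()
    for ace_type, rights, ace_sid in parse_dacl(sddl):
        if ace_sid == sid and ace_type == "A":
            allowed |= rights
        elif ace_sid == sid and ace_type == "D":
            denied |= rights
    return allowed - denied

def can_start_stop(sddl, sid):
    """True when the principal holds both SERVICE_START (RP) and SERVICE_STOP (WP)."""
    return {"RP", "WP"} <= effective_rights(sddl, sid)

def grant(sddl, sid, rights="CCLCSWRPWPDTLOCRRC"):
    """Append an allow ACE for `sid`; the default delegates query + start/stop/pause, not change-config or delete."""
    dacl, sep, sacl = sddl.partition("S:")
    return dacl + "(A;;" + rights + ";;;" + sid + ")" + sep + sacl

def describe(sddl, sid):
    """Right names held by `sid`, for auditing who can control a service."""
    return sorted(SERVICE_RIGHTS.get(c, c) for c in effective_rights(sddl, sid))
```

Feed `grant(...)` output to `sc sdset <service>` only after checking it with `describe`; the SCM object itself (`sc sdshow scmanager` on SP1) uses a different rights mapping, so this table applies to per-service descriptors.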
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Saturday, June 11, 2005 4:13 PM
To: [email protected]; [email protected]
Subject: RE : [ActiveDir] User privilege on Server.
Hi joe ;)
Indeed my question was rather about starting/stopping a service from a command line.
I want a user with non-admin privileges to do a net start "service name" remotely from his workstation by command line.
By default, I authorized only the Local Admin group on my server to log on locally. With this configuration, the user could not start the service remotely with his credentials and the following error appeared: "AccesDenied" :( . BUT, when I give the user the privilege to log on locally, the user can start the service !!??
The same error appears with my FTP server when users try to connect via FTP.. and for this server, I gave the log on locally right to "Authenticated Users" (this is only for intranet access and public access).
Cheers,
Yann
From: [EMAIL PROTECTED] on behalf of joe
Date: Sat. 11/06/2005 18:44
To: [email protected]
Subject: RE: [ActiveDir] User privilege on Server.
> launch a command
What specifically do you mean by this? Do you mean
launch a console based command or something that runs locally on the server? If
so, what for? This could easily be a security risk.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Saturday, June 11, 2005 7:55 AM
To: [email protected]
Subject: [ActiveDir] User privilege on Server.
Hi :)
I'd like to give a non-admin user the right to start a service, launch a command, etc. on my file server without giving him admin privileges (admin, serverop, backupop rights) on my file server nor using the runas command.
Is this possible?
Regards,
Yann
