SC.EXE can reset the perms on the SCM

See http://blogs.msdn.com/spatdsg/archive/2005/05/20/420624.aspx

C:\>sc sdshow scmanager

This is the SP1 info:

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

This is the RTM info:

D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)


You can now set security via "SC.EXE sdset scmanager <SDDL>"



steve

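To make the two descriptors above comparable without a Windows box, here is an added Python example (not from Steve, joe, or any of the tools mentioned in this thread) that parses the `sc sdshow scmanager` SDDL strings quoted above, maps the two-letter rights tokens to their SCM meanings from winsvc.h, and evaluates the effective SCM access for a non-admin token. The token group sets (`REMOTE_LUA`, `LOCAL_LUA`) are constructed assumptions: a network logon carries Authenticated Users and NETWORK, a console logon also carries INTERACTIVE. Run against the RTM and SP1 descriptors, it reproduces joe's observation below that a normal user lost remote enumerate/query rights in SP1 while keeping them locally.

```python
import re

# Two-letter SDDL rights tokens as Windows interprets them on the SCM object
# (numeric values from winsvc.h / winnt.h). KA and GA both resolve to
# SC_MANAGER_ALL_ACCESS (0xF003F) for this object type.
SCM_RIGHTS = {
    "CC": 0x00001,  # SC_MANAGER_CONNECT
    "DC": 0x00002,  # SC_MANAGER_CREATE_SERVICE
    "LC": 0x00004,  # SC_MANAGER_ENUMERATE_SERVICE
    "SW": 0x00008,  # SC_MANAGER_LOCK
    "RP": 0x00010,  # SC_MANAGER_QUERY_LOCK_STATUS
    "WP": 0x00020,  # SC_MANAGER_MODIFY_BOOT_CONFIG
    "SD": 0x10000,  # DELETE
    "RC": 0x20000,  # READ_CONTROL
    "WD": 0x40000,  # WRITE_DAC
    "WO": 0x80000,  # WRITE_OWNER
    "KA": 0xF003F,  # KEY_ALL_ACCESS, numerically == SC_MANAGER_ALL_ACCESS
    "GA": 0xF003F,  # GENERIC_ALL, mapped to SC_MANAGER_ALL_ACCESS
}
SC_MANAGER_ALL_ACCESS = 0xF003F

RIGHT_NAMES = {
    0x00001: "SC_MANAGER_CONNECT",
    0x00002: "SC_MANAGER_CREATE_SERVICE",
    0x00004: "SC_MANAGER_ENUMERATE_SERVICE",
    0x00008: "SC_MANAGER_LOCK",
    0x00010: "SC_MANAGER_QUERY_LOCK_STATUS",
    0x00020: "SC_MANAGER_MODIFY_BOOT_CONFIG",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}

# The two descriptors exactly as quoted from `sc sdshow scmanager` in the thread.
SCM_RTM = ("D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)"
           "S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")
SCM_SP1 = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)"
           "(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)"
           "S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")

# Constructed token group sets (assumption, not from the thread): the same
# non-admin account seen over the network and at the console.
REMOTE_LUA = {"AU", "NU", "WD"}   # Authenticated Users, NETWORK, Everyone
LOCAL_LUA = {"AU", "IU", "WD"}    # Authenticated Users, INTERACTIVE, Everyone

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_rights(field):
    """Turn an SDDL rights field (two-letter tokens or 0x hex) into a mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    if len(field) % 2:
        raise ValueError(f"odd-length rights field {field!r}")
    mask = 0
    for i in range(0, len(field), 2):
        tok = field[i:i + 2]
        if tok not in SCM_RIGHTS:
            raise ValueError(f"unknown rights token {tok!r}")
        mask |= SCM_RIGHTS[tok]
    return mask


def parse_sddl(sddl):
    """Return {'dacl': [...], 'sacl': [...]}; each ACE is a small dict.

    Each component is the marker (D: or S:), optional ACL flag letters such
    as P/AI/AR, then a run of parenthesised ACEs of the form
    type;flags;rights;object_guid;inherit_guid;sid.
    """
    acls = {}
    for marker, name in (("D:", "dacl"), ("S:", "sacl")):
        m = re.search(re.escape(marker) + r"[A-Z]*((?:\([^)]*\))*)", sddl)
        aces = []
        if m:
            for body in ACE_RE.findall(m.group(1)):
                f = body.split(";")
                if len(f) != 6:
                    raise ValueError(f"malformed ACE {body!r}")
                aces.append({"type": f[0], "flags": f[1],
                             "mask": parse_rights(f[2]), "sid": f[5]})
        acls[name] = aces
    return acls


def effective_rights(dacl, token_sids):
    """MAXIMUM_ALLOWED-style evaluation in ACE order (Windows semantics):
    an allow ACE grants bits not already denied, a deny ACE denies bits not
    already granted. Only ACEs whose SID is in the token are considered."""
    granted = denied = 0
    for ace in dacl:
        if ace["sid"] not in token_sids:
            continue
        if ace["type"] == "A":
            granted |= ace["mask"] & ~denied
        elif ace["type"] == "D":
            denied |= ace["mask"] & ~granted
    return granted & SC_MANAGER_ALL_ACCESS


def right_names(mask):
    return [n for bit, n in sorted(RIGHT_NAMES.items()) if mask & bit]


def lost_rights(before, after, token_sids):
    """SCM rights a token held under `before` but not under `after`."""
    b = effective_rights(parse_sddl(before)["dacl"], token_sids)
    a = effective_rights(parse_sddl(after)["dacl"], token_sids)
    return right_names(b & ~a)


if __name__ == "__main__":
    for label, sids in (("remote non-admin", REMOTE_LUA), ("local non-admin", LOCAL_LUA)):
        for ver, sd in (("RTM", SCM_RTM), ("SP1", SCM_SP1)):
            mask = effective_rights(parse_sddl(sd)["dacl"], sids)
            print(f"{label:16s} {ver}: {right_names(mask)}")
        print(f"{label:16s} lost in SP1: {lost_rights(SCM_RTM, SCM_SP1, sids)}")
```

The output shows that in SP1 a network logon keeps only SC_MANAGER_CONNECT, while the INTERACTIVE ACE gives the console logon the same enumerate/query rights RTM granted to every authenticated user. That explains the failure pattern in this thread: OpenSCManager only needs CONNECT and the per-service ACL then governs OpenService, so controlling a service by name still works remotely, whereas anything that calls EnumServicesStatus (service browsers, generic monitoring agents) now fails for non-admins unless the SCM descriptor is changed with `sc sdset scmanager`. Review any change to that descriptor with the same evaluation before applying it; granting more than LC/RP/RC to Authenticated Users is rarely what a monitoring delegation needs.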
----- Original Message ----- 
From: "TIROA YANN" <[EMAIL PROTECTED]>
To: <ActiveDir@mail.activedir.org>; <ActiveDir@mail.activedir.org>
Sent: Sunday, June 12, 2005 9:32 AM
Subject: RE : [ActiveDir] User privilege on Server.


I will check your blog and SvcUtil right now :)

Thanks for all your feedback and your work.

Cheers,

Yann


________________________________

From: [EMAIL PROTECTED] on behalf of joe
Date: Sun 12/06/2005 18:19
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User privilege on Server.


I have updated SvcUtil to work within these new confines. If you know the
service name, you can control it and view its status remotely with SvcUtil
now.

Also I determined that the version of SC that comes with SP1 will also do
this. I am not sure if you can copy that file to non-SP1 machines in terms
of licensing but I will say that theoretically you can do this and it will
work.

I put out a little blog entry on this

http://blog.joeware.net/2005/06/12/36/


If you have any tools that you previously used to do this
stopping/starting/monitoring of services remotely from non-admin accounts
that no longer work, contact the vendor and let them know they need to
correct the issue and that the correction is not to make the userid an
Admin.

I am going to look at putting something together to modify that ACL, no
promises on time frame. It could be this afternoon or it could be three months
from now depending on what I feel like doing and how hard it will be to
implement something to do this.


  joe


________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Sunday, June 12, 2005 8:46 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] User privilege on Server.


Joe, that is exactly what I am experiencing since I installed Windows 2003 SP1
(did I mention my OS version and SP? oops... sorry :)). I was excited
about the new security enhancements of SP1. BUT I've lost functionality I've
configured, such as starting services remotely as a non-admin user... :(

Since I understand that MS hardened their OS, I am a bit disappointed that they
did it without alerting us that SP1 would change this or the previous configuration
I had made.

We can imagine such a process for installing SP1. The SP1 install wizard would
check the current configuration and compare it to the "after applying SP1" state.
The wizard would then generate a delta summary telling us what SP1 will change and
where in the registry.

But that's just me...

Thank you very much for your feedback.
"I am looking into writing a tool to be able to modify this ACL" -> and
please let us know when your tool will be available, I think this will be
very helpful :o)

Cheers,

Yann

________________________________

From: [EMAIL PROTECTED] on behalf of joe
Date: Sun 12/06/2005 02:14
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User privilege on Server.


FTP is an IIS component, it uses a local logon so requires local logon
rights. This is something that has always irked me about IIS.

As for stopping/starting services: if you have granted the proper ACL to the
service either via subinacl or GPO, a normal user CAN restart services
remotely with SC or SVCUTIL or other tools that properly implement the SCM
commands. Now there is a possible exception here. With Windows Server 2003
SP1 Microsoft was sneaky and changed the SCM ACL so that it can be
manipulated like the normal service ACLs. Previously this wasn't possible.
Not only did they do that, but they locked down the enumeration permissions
for services remotely to administrators, though locally a normal user can
enumerate. Unfortunately they, to my knowledge, didn't give a tool that I
can find to undo this or at least open it up a little and hence a lot of
people who implemented basic service monitoring with normal IDs (LUA
principal) are now all breaking and simple delegation of service stop/start
remotely is broken for a lot of people. I am looking into writing a tool to
be able to modify this ACL, I was hoping that MS would announce something
though. If you are working with 2K3 SP1, this could be your issue.



________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Saturday, June 11, 2005 4:13 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] User privilege on Server.


Hi joe ;)

Indeed my question was rather about starting/stopping a service with a command
line.
I want a user with non-admin privilege to do a net start "service name"
remotely from his workstation by a command line.

By default, I authorized only the Local Admin group on my server to log on
locally. With this configuration, the user could not start the service remotely
with his credentials and the following error appeared: "Access Denied"
:( . BUT, when I give the user the privilege to log on locally, the user
can start the service !!??

The same error appears with my FTP server when users try to connect via
FTP... and for this server, I give the log on locally right to "Authenticated
Users" (this is only for intranet access and public access)

Cheers,

Yann

________________________________

From: [EMAIL PROTECTED] on behalf of joe
Date: Sat 11/06/2005 18:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User privilege on Server.


> launch a command

What specifically do you mean by this? Do you mean launch a console based
command or something that runs locally on the server? If so, what for? This
could easily be a security risk.

________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Saturday, June 11, 2005 7:55 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User privilege on Server.


Hi :)

I'd like to give a non-admin user the right to start a service, launch a
command, etc. on my file server without giving him admin privileges
(admin, serverop, backupop rights) on my file server nor using the runas
command.

Is this possible ?

Regards,

Yann

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
