Daniel Cheng skrev: > On Sat, Jan 3, 2009 at 1:37 AM, Zero3 <zero3 at zerosplayground.dk> wrote: > >> Daniel Cheng skrev: >> >>>>> sc.exe , which is included scince windows 2000 can set the permission. >>>>> use `sc sdset` >>>>> http://technet.microsoft.com/en-us/library/bb490995.aspx >>>>> http://msdn.microsoft.com/en-au/library/aa379570(VS.85).asp >>>>> >>>>> >>>>> >>>> Nicey. Any command line example? Those docs seems all gibberish to me. >>>> >>>> >>> Let's see the windows automatic update serivce: >>> >>> --------- >>> C:\>sc sdshow wuauserv >>> D:(A;;CCLCSWRPWPDTLOCRRC;;;SY) >>> (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA) >>> (A;;CCLCSWLOCRRC;;;AU) >>> (A;;CCLCSWRPWPDTLOCRRC;;;PU) >>> --------- >>> each (..) is a permission, fields seprated by ";" >>> >>> "A" - Access Allowed >>> ; >>> (inhertance, not for service) >>> ; >>> "GA" SDDL_GENERIC_ALL GENERIC_ALL >>> "GR" SDDL_GENERIC_READ GENERIC_READ >>> "GW" SDDL_GENERIC_WRITE GENERIC_WRITE >>> "GX" SDDL_GENERIC_EXECUTE GENERIC_EXECUTE >>> "RC" SDDL_READ_CONTROL READ_CONTROL >>> "SD" SDDL_STANDARD_DELETE DELETE >>> "WD" SDDL_WRITE_DAC WRITE_DAC >>> "WO" SDDL_WRITE_OWNER WRITE_OWNER >>> "RP" SDDL_READ_PROPERTY ADS_RIGHT_DS_READ_PROP >>> "WP" SDDL_WRITE_PROPERTY ADS_RIGHT_DS_WRITE_PROP >>> "CC" SDDL_CREATE_CHILD ADS_RIGHT_DS_CREATE_CHILD >>> "DC" SDDL_DELETE_CHILD ADS_RIGHT_DS_DELETE_CHILD >>> "LC" SDDL_LIST_CHILDREN ADS_RIGHT_ACTRL_DS_LIST >>> "SW" SDDL_SELF_WRITE ADS_RIGHT_DS_SELF >>> "LO" SDDL_LIST_OBJECT ADS_RIGHT_DS_LIST_OBJECT >>> "DT" SDDL_DELETE_TREE ADS_RIGHT_DS_DELETE_TREE >>> "CR" SDDL_CONTROL_ACCESS ADS_RIGHT_DS_CONTROL_ACCESS >>> "FA" SDDL_FILE_ALL FILE_ALL_ACCESS >>> "FR" SDDL_FILE_READ FILE_GENERIC_READ >>> "FW" SDDL_FILE_WRITE FILE_GENERIC_WRITE >>> "FX" SDDL_FILE_EXECUTE FILE_GENERIC_EXECUTE >>> "KA" SDDL_KEY_ALL KEY_ALL_ACCESS >>> "KR" SDDL_KEY_READ KEY_READ >>> "KW" SDDL_KEY_WRITE KEY_WRITE >>> "KX" SDDL_KEY_EXECUTE KEY_EXECUTE >>> ; >>> SY = System >>> BA = Administrator >>> AU = Authenicated User >>> PU = Power User >>> >>> e.g. (A;;CCLCSWRPWPDTLOCRRC;;;PU) >>> means Power User allow create/list child, self write, read/write >>> property, delete,, list object, control access and read control.. >>> >>> >>> if you don't understand this string... just copy the string from what >>> ever service you have set up already. >>> >>> >> Looks pretty straight-forward. But what access do we want to give out? >> This one?: >> >> "CR" SDDL_CONTROL_ACCESS ADS_RIGHT_DS_CONTROL_ACCESS >> > > Oops. I have included the wrong table. (that one was for the active > directory control) > You should use this one instead: > > CC - SERVICE_QUERY_CONFIG > LC - SERVICE_QUERY_STATUS > SW - SERVICE_ENUMERATE_DEPENDENTS > RP - SERVICE_START > WP - SERVICE_STOP > DT - SERVICE_PAUSE_CONTINUE > LO - SERVICE_INTERROGATE > CR - SERVICE_USER_DEFINED_CONTROL > RC - READ_CONTROL >
Ahhhhhhhhhhhhhhh - that makes more sense! ;) Cheers. - Zero3
