Did you also drop down the auditing on the service also? ( Get latest version of Subinacl.exe)
Note: you can use the subinacl.exe /help /full to get the information
shown below.
I believe subinacl.exe /verbose /service Service_name
/sgrant=domain\name=
Service: ( for the audit)
F : Full Control
Press Return To Continue ----
R : Generic Read
W : Generic Write
X : Generic eXecute
L : Read controL
Q : Query Service Configuration
S : Query Service Status
E : Enumerate Dependent Services
C : Service Change Configuration
T : Start Service
O : Stop Service
P : Pause/Continue Service
I : Interrogate Service
U : Service User-Defined Control Commands
( These are the controls for the Service for the /grant command you are
going to need probably RXLQSETO to get the start and stop to work)
Service:
F : Full Control
R : Generic Read
W : Generic Write
X : Generic eXecute
L : Read controL
Q : Query Service Configuration
S : Query Service Status
E : Enumerate Dependent Services
C : Service Change Configuration
T : Start Service
O : Stop Service
P : Pause/Continue Service
I : Interrogate Service
U : Service User-Defined Control Commands
Edward E. Ziots
CISSP, Network +, Security +
Security Engineer
Lifespan Organization
Email:[email protected]
Cell:401-639-3505
From: Rankin, James R [mailto:[email protected]]
Sent: Monday, June 13, 2011 3:41 AM
To: NT System Admin Issues
Subject: Re: Giving users rights to restart a given service
If you can't get subinacl to work, you could try something like wrapping
a net start/stop or netsvc command up with elevated rights using CPAU
Typed frustratingly slowly on my BlackBerry(r) wireless device
________________________________
From: Oliver Marshall <[email protected]>
Date: Mon, 13 Jun 2011 08:08:58 +0100
To: NT System Admin Issues<[email protected]>
ReplyTo: "NT System Admin Issues"
<[email protected]>
Subject: Giving users rights to restart a given service
Hi,
I'm trying to give a number of users the ability to restart a service on
one of our servers. The service is for a bespoke voice recognition
service that handles a particular part of our dictation and needs a poke
every now and again.
I've assigned rights using SUBINACL using;
subinacl /service service1 /grant=domain1\user1 = TO
However whenever user1 tries to restart the service from the command
line using a batch file that basically contains a few SC commands, they
get access denied.
Any ideas why? From what I can see the SUBINACL command above assigns
that user Stop and Start rights to that service and should do the trick.
Thanks
Olly
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin<<image002.jpg>>
