NTFS/registry permissions for a service-specific SID

Hello:

Possible to assign NTFS/registry permissions to a service-specific SID other
than running that service as a user account or as Local System? I know that
that SID is assigned dynamically at start-up, and that there is a 1:1
mapping from service name to that SID, but it appears you can just assign
NTFS/registry permissions to the service name.

I've seen
http://www.microsoft.com/technet/win...cfeat.mspx#EHF
and the PPT slides from the PDC conference, but no mention of how to change
permissions with SC.EXE for a service (to change user rights, yes, but not
perms).

Thank You!

CORRECTION:

> but it appears you can just assign...

but it appears you cannot just assign...

I am not exactly sure what you are saying here. Services run under the
service context of either a user ID or a well known security principal
such as LocalSystem, LocalService, or Network Service. There is not a
SID assigned to individual service applications.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Sharon2323 wrote:
> Hello:
>
> Possible to assign NTFS/registry permissions to a service-specific SID other
> than running that service as a user account or as Local System? I know that
> that SID is assigned dynamically at start-up, and that there is a 1:1
> mapping from service name to that SID, but it appears you can just assign
> NTFS/registry permissions to the service name.
>
> I've seen
> http://www.microsoft.com/technet/win...cfeat.mspx#EHF
> and the PPT slides from the PDC conference, but no mention of how to change
> permissions with SC.EXE for a service (to change user rights, yes, but not
> perms).
>
> Thank You!
>
>
>
>
>
>

Ah hold on, I didn't realize I had clicked on the vista group, I was
shooting for win2000.security which is just above this one in my current
config of Thunderbird. I did hear rumours about this for Vista but I
haven't seen any real documentation and haven't debugged it to check
what was actually done.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Joe Richards [MVP] wrote:
> I am not exactly sure what you are saying here. Services run under the
> service context of either a user ID or a well known security principal
> such as LocalSystem, LocalService, or Network Service. There is not a
> SID assigned to individual service applications.
>
> joe
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> Author of O'Reilly Active Directory Third Edition
> www.joeware.net
>
>
> ---O'Reilly Active Directory Third Edition now available---
>
> http://www.joeware.net/win/ad3e.htm
>
>
> Sharon2323 wrote:
>> Hello:
>>
>> Possible to assign NTFS/registry permissions to a service-specific SID
>> other
>> than running that service as a user account or as Local System? I
>> know that
>> that SID is assigned dynamically at start-up, and that there is a 1:1
>> mapping from service name to that SID, but it appears you can just assign
>> NTFS/registry permissions to the service name.
>>
>> I've seen
>> http://www.microsoft.com/technet/win...cfeat.mspx#EHF
>>
>> and the PPT slides from the PDC conference, but no mention of how to
>> change
>> permissions with SC.EXE for a service (to change user rights, yes, but
>> not
>> perms).
>>
>> Thank You!
>>
>>
>>
>>
>>
>>