Windows 2008 Server Security

I've joined Windows 2008 Server to Windows 2003 domain and installed a
Windows Service, that logons on as a domain account in Domain Administrators
group.

On Windows 2003 Servers, all works fine.
On the 2008 Server, the service cannot contact the Eventlog, cannot open
keys in the registry ... nothing is allowed.

If I log into the 2008 Server as that domain account, and I can access
Registy / Event log, it works. Why does it fail for the account when used
by the Windows Service ?


Thanks, Brian

Hello Brian,

Even a domain admin on 2008 machines is restricted, that belong's to UAC.
I asume that will be the reason when running as a service, that some permissions
are needed, one i can think of is "Logon as a batch job".

Additional it can belong to UAC(disabling is the badest option in my opinion)
GPO setting:
Computer Configuration, Windows Settings Security Settings, Local Policies,
Security Options, in the right pane you will find some UAC options.

Check:
- User Account Control: Behavior of the elevation prompt for administrators
- User Account Control: Detect application installations and prompt for elevation
- User Account Control: Run all administrators in Admin Approval Mode


Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> I've joined Windows 2008 Server to Windows 2003 domain and installed a
> Windows Service, that logons on as a domain account in Domain
> Administrators group.
>
> On Windows 2003 Servers, all works fine.
> On the 2008 Server, the service cannot contact the Eventlog, cannot
> open
> keys in the registry ... nothing is allowed.
> If I log into the 2008 Server as that domain account, and I can access
> Registy / Event log, it works. Why does it fail for the account when
> used by the Windows Service ?
>
> Thanks, Brian
>

Hi,

The Domain Server is Windows 2003. When I run the Group Policy editor, there
are no UAC settings visible ?

I run Group Policy Editor on the Windows 2008 member sever. I have tried all
the settings you indicated, and have run gpupdate also, but the problem
persists.

Is there anything else I could try ?


thanks, B




"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
news: .com...
> Hello Brian,
>
> Even a domain admin on 2008 machines is restricted, that belong's to UAC.
> I asume that will be the reason when running as a service, that some
> permissions are needed, one i can think of is "Logon as a batch job".
>
> Additional it can belong to UAC(disabling is the badest option in my
> opinion) GPO setting:
> Computer Configuration, Windows Settings Security Settings, Local
> Policies, Security Options, in the right pane you will find some UAC
> options.
>
> Check:
> - User Account Control: Behavior of the elevation prompt for
> administrators
> - User Account Control: Detect application installations and prompt for
> elevation
> - User Account Control: Run all administrators in Admin Approval Mode
>
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>> I've joined Windows 2008 Server to Windows 2003 domain and installed a
>> Windows Service, that logons on as a domain account in Domain
>> Administrators group.
>>
>> On Windows 2003 Servers, all works fine.
>> On the 2008 Server, the service cannot contact the Eventlog, cannot
>> open
>> keys in the registry ... nothing is allowed.
>> If I log into the 2008 Server as that domain account, and I can access
>> Registy / Event log, it works. Why does it fail for the account when
>> used by the Windows Service ?
>>
>> Thanks, Brian
>>
>
>

I disabled UAC and the application is now working.


Thanks, for you help, Brian


"Brian Stoop" <> wrote in message
news:...
> Hi,
>
> The Domain Server is Windows 2003. When I run the Group Policy editor,
> there are no UAC settings visible ?
>
> I run Group Policy Editor on the Windows 2008 member sever. I have tried
> all the settings you indicated, and have run gpupdate also, but the
> problem persists.
>
> Is there anything else I could try ?
>
>
> thanks, B
>
>
>
>
> "Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
> news: .com...
>> Hello Brian,
>>
>> Even a domain admin on 2008 machines is restricted, that belong's to UAC.
>> I asume that will be the reason when running as a service, that some
>> permissions are needed, one i can think of is "Logon as a batch job".
>>
>> Additional it can belong to UAC(disabling is the badest option in my
>> opinion) GPO setting:
>> Computer Configuration, Windows Settings Security Settings, Local
>> Policies, Security Options, in the right pane you will find some UAC
>> options.
>>
>> Check:
>> - User Account Control: Behavior of the elevation prompt for
>> administrators
>> - User Account Control: Detect application installations and prompt for
>> elevation
>> - User Account Control: Run all administrators in Admin Approval Mode
>>
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>
>>> I've joined Windows 2008 Server to Windows 2003 domain and installed a
>>> Windows Service, that logons on as a domain account in Domain
>>> Administrators group.
>>>
>>> On Windows 2003 Servers, all works fine.
>>> On the 2008 Server, the service cannot contact the Eventlog, cannot
>>> open
>>> keys in the registry ... nothing is allowed.
>>> If I log into the 2008 Server as that domain account, and I can access
>>> Registy / Event log, it works. Why does it fail for the account when
>>> used by the Windows Service ?
>>>
>>> Thanks, Brian
>>>
>>
>>
>
>

Hello Brian,

Policies for 2008/vista you have to configire from 2008/Vista with RSAT installed.
So install RSAT from the server manager, features and create with that a
GPO in the domain for your needs.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi,
>
> The Domain Server is Windows 2003. When I run the Group Policy editor,
> there are no UAC settings visible ?
>
> I run Group Policy Editor on the Windows 2008 member sever. I have
> tried all the settings you indicated, and have run gpupdate also, but
> the problem persists.
>
> Is there anything else I could try ?
>
> thanks, B
>
> "Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
> news: .com...
>
>> Hello Brian,
>>
>> Even a domain admin on 2008 machines is restricted, that belong's to
>> UAC. I asume that will be the reason when running as a service, that
>> some permissions are needed, one i can think of is "Logon as a batch
>> job".
>>
>> Additional it can belong to UAC(disabling is the badest option in my
>> opinion) GPO setting:
>> Computer Configuration, Windows Settings Security Settings, Local
>> Policies, Security Options, in the right pane you will find some UAC
>> options.
>> Check:
>> - User Account Control: Behavior of the elevation prompt for
>> administrators
>> - User Account Control: Detect application installations and prompt
>> for
>> elevation
>> - User Account Control: Run all administrators in Admin Approval Mode
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> I've joined Windows 2008 Server to Windows 2003 domain and installed
>>> a Windows Service, that logons on as a domain account in Domain
>>> Administrators group.
>>>
>>> On Windows 2003 Servers, all works fine.
>>> On the 2008 Server, the service cannot contact the Eventlog, cannot
>>> open
>>> keys in the registry ... nothing is allowed.
>>> If I log into the 2008 Server as that domain account, and I can
>>> access
>>> Registy / Event log, it works. Why does it fail for the account
>>> when
>>> used by the Windows Service ?
>>> Thanks, Brian
>>>

Thanks again, I'll try that and I'll report back.

Regards, Brian

"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
news: .com...
> Hello Brian,
>
> Policies for 2008/vista you have to configire from 2008/Vista with RSAT
> installed. So install RSAT from the server manager, features and create
> with that a GPO in the domain for your needs.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>> Hi,
>>
>> The Domain Server is Windows 2003. When I run the Group Policy editor,
>> there are no UAC settings visible ?
>>
>> I run Group Policy Editor on the Windows 2008 member sever. I have
>> tried all the settings you indicated, and have run gpupdate also, but
>> the problem persists.
>>
>> Is there anything else I could try ?
>>
>> thanks, B
>>
>> "Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
>> news: .com...
>>
>>> Hello Brian,
>>>
>>> Even a domain admin on 2008 machines is restricted, that belong's to
>>> UAC. I asume that will be the reason when running as a service, that
>>> some permissions are needed, one i can think of is "Logon as a batch
>>> job".
>>>
>>> Additional it can belong to UAC(disabling is the badest option in my
>>> opinion) GPO setting:
>>> Computer Configuration, Windows Settings Security Settings, Local
>>> Policies, Security Options, in the right pane you will find some UAC
>>> options.
>>> Check:
>>> - User Account Control: Behavior of the elevation prompt for
>>> administrators
>>> - User Account Control: Detect application installations and prompt
>>> for
>>> elevation
>>> - User Account Control: Run all administrators in Admin Approval Mode
>>> Best regards
>>>
>>> Meinolf Weber
>>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>>> confers no rights.
>>> ** Please do NOT email, only reply to Newsgroups
>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>> I've joined Windows 2008 Server to Windows 2003 domain and installed
>>>> a Windows Service, that logons on as a domain account in Domain
>>>> Administrators group.
>>>>
>>>> On Windows 2003 Servers, all works fine.
>>>> On the 2008 Server, the service cannot contact the Eventlog, cannot
>>>> open
>>>> keys in the registry ... nothing is allowed.
>>>> If I log into the 2008 Server as that domain account, and I can
>>>> access
>>>> Registy / Event log, it works. Why does it fail for the account
>>>> when
>>>> used by the Windows Service ?
>>>> Thanks, Brian
>>>>
>
>