Remotely Manage Windows Service

Discussion in 'Windows Server' started by john d, Jul 11, 2006.

  1. john d

    john d Guest

    I need to allow a user to remotely start and stop a single designated service
    on a 2003 server machine without making them a local administrator.

    I attempted to use a security template on the server to specify permissions
    for this user for the desired service as per KB 325349,
    http://support.microsoft.com/kb/325349/en-us. However, the user still cannot
    start or stop the service using either the MMC or the netsvc utility. When
    using MMC, the error is "Unable to open service control manager database on
    \\server Error 5: Access is denied." When using the netsvc command, the
    error is also "Access is denied."

    Please note that if I make the user a local administrator, they can access
    all services via the MMC for the server, but the netsvc command still says
    "Access is Denied". On the other hand, if I log in as one of the domain
    admin accounts, which is also a member of the local administrator group, and
    run the netsvc command, I can successfully start and stop the service.

    At this point I am stuck and either need to resolve one of the existing
    issues with MMC or NETSVC or come up with an alternate solution.
     
    john d, Jul 11, 2006
    #1

  2. It's been a while since I've played with granting non-admins privileges to
    services; however, as memory serves, they aren't going to be able to do it with
    the MMC since they only get privileges over the service (not the database).

    Some things to check/try:
    * Make sure you've applied the policy with the "Configure Computer Now"
    command (otherwise it will get defined in the database but never applied to
    the computer).
    * I'd also try starting/stopping the service using the "SC" command to see
    if it also gets access denied.

    Good luck,
    Erik
    --
    MCSE:Messaging 2003, MVP

    This post is provided "AS IS" and without warranty, expressed or implied. In
    no event shall I be liable for any damages resulting from the application of
    the posted content
     
    Erik Szewczyk [MVP], Jul 11, 2006
    #2

  3. john d

    john d Guest

    Not much luck with the SC command and I can't seem to find much of any
    resources regarding this issue on the web. The sc results are below and I
    have replaced the server and service names.

    C:\sc start \\server w3svc
    [SC] StartService: OpenService FAILED 123:

    The filename, directory name, or volume label syntax is incorrect.


    C:\sc \\server query
    [SC] OpenSCManager FAILED 5:

    Access is denied.


    C:\sc \\server getkeyname servicename
    [SC] OpenSCManager FAILED 5:

    Access is denied.


    Any ideas? If not to resolve this, perhaps another method for allowing a
    remote user to start/stop a service without being an administrator.
     
    john d, Jul 11, 2006
    #3
  4. Your first command should have been:
    sc \\server start w3svc
    (hence the syntax error)

    I'd try labbing this to make sure it's not an issue with your deployment.
    I'd also use a service without the complex dependencies for testing.

    Good luck,
    Erik
    --
    MCSE:Messaging 2003, MVP

    This post is provided "AS IS" and without warranty, expressed or implied. In
    no event shall I be liable for any damages resulting from the application of
    the posted content


     
    Erik Szewczyk [MVP], Jul 11, 2006
    #4
  5. john d

    john d Guest

    I've tried multiple other services using the correct syntax indicated, but no
    luck. Any other way to do this, perhaps a batch file?

     
    john d, Jul 11, 2006
    #5
  6. john d

    Ross Guest

    Hi John

    The way that Microsoft would recommend you do this is by using the Security
    Templates snap-in for MMC. If you load the snap-in and navigate to System
    Services, you will see that after you 'Define this policy setting in this
    template' you can then set security on any Service that you like.

    Services have ACLs just like other resources on your server. Obviously, it's
    now just a case of adding your user to the ACL on the Service and then saving
    the policy.

    Now apply the policy using the Security Configuration and Analysis MMC
    snap-in.

    I haven't gone into the finer detail here of click this, then that, but I'm
    sure you'll work it out from these pointers.

    Let us know how you get on.

    Kind Regards

    Ross



     
    Ross, Jul 12, 2006
    #6
  7. john d

    Ross Guest

    Oh what an arse I am - you already said you read an MS article that told you
    how to do that.

    Can the user map to the IPC$ share using their credentials?

    In local security settings, under user rights assignment, can the user
    access this computer from across the network and log on locally?

    If you look at the registry hive HKLM\System\Current Control Set\Services
    does the user have permissions to read?

    Sorry about the crappy post earlier. Last suggestion would be to enable
    auditing on the server and look in the security event log after you get an
    access denied - this should at least tell you the whys and wherefores...

     
    Ross, Jul 12, 2006
    #7
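
The split described in reply #2 (rights on the service versus rights on the service control manager database) and the `OpenSCManager FAILED 5` results in reply #3 can be reasoned about offline from the two security descriptors involved, in the SDDL form that `sc sdshow` prints. This is an added example, not code from any poster in the thread; the SDDL strings, the user SID, the token membership and the function names are constructed assumptions.

```python
import re

# SDDL letter codes for object-specific rights occupy mask bits 0..8 in this order.
CODES = ["CC", "DC", "LC", "SW", "RP", "WP", "DT", "LO", "CR"]
# What those bits mean on a service object and on the SCM database object.
SERVICE = dict(zip(CODES, ["QUERY_CONFIG", "CHANGE_CONFIG", "QUERY_STATUS",
    "ENUMERATE_DEPENDENTS", "START", "STOP", "PAUSE_CONTINUE", "INTERROGATE",
    "USER_DEFINED_CONTROL"]))
SCM = dict(zip(CODES, ["CONNECT", "CREATE_SERVICE", "ENUMERATE_SERVICE", "LOCK",
    "QUERY_LOCK_STATUS", "MODIFY_BOOT_CONFIG"]))

def _mask(rights):
    """Turn an ACE rights field (letter codes or 0x hex) into a bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    pairs = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    # Standard rights (RC, WD, ...) and generic aliases are not expanded here.
    return sum(1 << i for i, code in enumerate(CODES) if code in pairs)

def granted(sddl, trustees, names):
    """Named rights the DACL allows any SID in `trustees`, minus denied ones."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    allow = deny = 0
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        kind, _flags, rights, _obj, _inh, sid = ace.split(";")[:6]
        if sid in trustees and kind == "A":
            allow |= _mask(rights)
        elif sid in trustees and kind == "D":
            deny |= _mask(rights)
    mask = allow & ~deny  # matches Windows when deny ACEs precede allow ACEs
    return {names[c] for i, c in enumerate(CODES) if (mask >> i) & 1 and c in names}

def remote_control_verdict(scm_sddl, svc_sddl, trustees):
    """Follow the order sc.exe uses: OpenSCManager first, then OpenService."""
    if "CONNECT" not in granted(scm_sddl, trustees, SCM):
        return "OpenSCManager denied: no CONNECT on the SCM database"
    missing = {"START", "STOP"} - granted(svc_sddl, trustees, SERVICE)
    if missing:
        return "OpenService denied: missing " + ", ".join(sorted(missing))
    return "start/stop allowed"

# Constructed sample data (not taken from the thread's server).
USER = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # placeholder user SID
REMOTE_TOKEN = {USER, "AU", "NU", "WD"}  # assumed SIDs in a network logon token
SCM_LOCAL_ONLY = "D:(A;;CCLCRPRC;;;IU)(A;;CCDCLCSWRPWPRC;;;BA)"
SCM_REMOTE_OK = "D:(A;;CC;;;AU)(A;;CCDCLCSWRPWPRC;;;BA)"
SVC_DELEGATED = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;LCRPWPRC;;;" + USER + ")"

if __name__ == "__main__":
    print(remote_control_verdict(SCM_LOCAL_ONLY, SVC_DELEGATED, REMOTE_TOKEN))
    print(remote_control_verdict(SCM_REMOTE_OK, SVC_DELEGATED, REMOTE_TOKEN))
```

With the first SCM descriptor the delegated start/stop ACE on the service is never reached, which is the same ordering the `OpenSCManager` failures above show.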